Does Qlik Sense support "Cryptographic API: Next Generation" for signing SAML requests?

vegard_bakke — Sat, 16 Nov 2024 20:44:37 GMT

In a previous thread, I got help from @Bastien_Laugiero sorting out the "provider" of my certificate for signing SAML 2.0 using SHA-256. (Ref: https://community.qlik.com/t5/Qlik-Sense-Deployment-Management/quot-500-Internal-server-error-quot-when-using-SHA-256-in-SAML/m-p/1527146)

I received a new certificate but it was having the provider:

Microsoft Software Key Storage Provider, uses Cryptographic API: Next Generation (CNG), MS-link

And not:

Microsoft Enhanced RSA and AES Cryptographic Provider, uses CryptoAPI, MS-link

CNG is taking over for CryptoAPI, which apparently is deprecated. (Although, I have not found the source of this information.) Both support SHA-256, and AES signing.

My security colleague is hesitant to use CryptoAPI (named 'Legacy key' in his system), and not 'CNG key'.

I guess my questions are:

- Does Qlik support any CNG type providers for signing SAML 2.0 messages with SHA-256?

If not, why is the CryptoAPI provider needed? (I might ned some help with the wording on this one, to hightligh if there are any security issues, or in particular, why there might not be any issues using the Microsoft Enhanced RSA and AES Cryptographic Provider.

If someone could enlighten me, it would very much be appreciated. 🙂

Cheers,

Vegard

Re: Does Qlik Sense support "Cryptographic API: Next Generation" for signing SAML requests

Yang_Jiao — Tue, 11 Jun 2019 12:56:54 GMT

Hi Veggard,

Thanks for your questions. Quite several in this post. 😄 Let's try to address them one by one.

Firstly I have found the page here where it stated those deprecated CryptoAPI functions, but that's all I can find for the topic. I couldn't find any announcement, not even a date etc.. Seems like those functions are 'silently' deprecated to me.

Secondly, "Why is the CryptoAPI provider needed?". The Cryptographic Service Providers (CSPs) from Microsoft typically implement cryptographic algorithms and provide key storage. So my understanding is that it provides the instructions to both encrypting and decrypting parties about what algorithms it support to hash, sign, and encrypt content in the certificate. You may find a full list of CSPs based on CryptoAPI from this page, with more details of each CSP and the algorithms it supports.

Qlik Sense Enterprise requires the CSP from the certificate to be Microsoft Enhanced RSA and AES Cryptographic Provider if you need to use the certificate for SAML authentication, because that is the only one support SHA-256, SHA-384 and SHA-512 XML signature algorithms. Here is also an article where you can find more information, and how to work with your certificate if you have issues to use it in Qlik Sense. (https://support.qlik.com/articles/000033752)

Now, back to your main question "Does Qlik support any CNG type providers for signing SAML 2.0 messages with SHA-256?". The answer is unfortunately 'no' at the moment. However, there is already a request for assessment raised to Qlik RD for this mater. We might hear something more in the future.

Hope this answers your questions. If it does, please mark the thread as resolved. Thank you!

topic Re: Does Qlik Sense support "Cryptographic API: Next Generation" for signing SAML requests in Integration, Extension & APIs

Does Qlik Sense support "Cryptographic API: Next Generation" for signing SAML requests?

Re: Does Qlik Sense support "Cryptographic API: Next Generation" for signing SAML requests