topic Re: How can I implement SAML AD FS 2FA with Qlik Sense without redirecting to IDP? in Integration, Extension & APIs

How can I implement SAML AD FS 2FA with Qlik Sense without redirecting to IDP?

M_B — Mon, 09 Sep 2024 08:34:49 GMT

Hello,

I have been asked to implement 2FA to our external Qlik Sense link (running May 2024 Patch 4 if it matters). While I have finished this task with the help of the company responsible for the 2FA software, an issue remains where the Qlik Sense link redirects to the 2FA machine. Of course since that machine is not made public, it is impossible to log in. It does work internally.

I am trying to find out if there is a way to keep the log in dialog box to be provided by the Qlik Sense server, while it communicates in the back-end with the 2FA server. I have not worked with API's before but if I can get some pointers on who to ask or who is to implement this then I can get the ball moving again. Everyone who is involved in this chain (network, security, etc) says it is not from their side.

Thanks in advance.

Re: How can I implement SAML AD FS 2FA with Qlik Sense without redirecting to IDP?

Ray_Strother — Mon, 09 Sep 2024 19:21:11 GMT

Hello ,

Have you reviewed any of the documentation for implementing MFA?

1. https://community.qlik.com/t5/Official-Support-Articles/Is-it-possible-to-set-up-multi-factor-authentication-and-max/ta-p/1712179leme

2. https://community.qlik.com/t5/App-Development/Multi-factor-authentication/td-p/1280545

Re: How can I implement SAML AD FS 2FA with Qlik Sense without redirecting to IDP?

M_B — Tue, 10 Sep 2024 06:16:16 GMT

Hello @Ray_Strother,

I have used the following links to already set up MFA:

SAML configuration with AD FS | Qlik Sense for administrators Help (for general configuration).
https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_Hub/Admin/configuring-idp-adfs.htm (for the correct mappings).
https://community.qlik.com/t5/Official-Support-Articles/Quick-Guide-to-installing-ADFS-for-testing-SAML/ta-p/1710427
https://support.qlik.com/articles/000053723 (to use SAMAccountName instead of UPN to match already imported users through an LDAP connection).

The problem is not how to set up MFA, I already did it through SAML AD FS. The problem I am facing (if you could carefully read the post) is about the behavior of the authentication method.

If I enter https://qliksense.companysite.com in the address bar I am redirected to https://SAMLMachineName.companysite.com . Internally, this works without a problem. Externally, <------(this here is the issue) it does not work because the SAML server is not made public with a DNS name. I am asking: Is there a way to not redirect and pass the log in box from and within Qlik Sense to the user. I do not want the login page to change. I want the users to remain at https://qliksense.companysite.com and be served the login request from https://SAMLMachineName.companysite.com through the back-end. If possible. If not, maybe I can switch to OIDC if it can serve this purpose.

Re: How can I implement SAML AD FS 2FA with Qlik Sense without redirecting to IDP?

M_B — Sun, 15 Sep 2024 13:10:00 GMT

I have been searching for quite a while now and it seems the only way to add an OTP or authenticator is through SAML for the time being (if there are other methods, I am not aware of them). Qlik support recommended contacting professional services so they might have a way. Our IT guys said they'll put the finishing touches to the solution since it is 90% ready.

I hope Qlik can add native support for authenticators with Client-Managed installations.