Qlik Sense for Windows: How to set up Keycloak as SAML Identity Provider

Damien_V — Thu, 29 Dec 2022 10:02:24 GMT

This is a quick guide on how to set up SAML authentication in Qlik Sense for Windows using Keycloak as the Identity Provider.

Environment:

February 2020 and later

In Keycloak, navigate to General and Realm Settings and download the IdP metadata
In Qlik Sense Enterprise on Windows, set up a new virtual proxy:

SAML Host URI: The Qlik Sense server DNS name accessed by end users
SAML Entity ID: Any string, but should match the Client ID in the Keycloak configuration.
SAML attribute for user ID: this should be the attribute containing the value that will be used as the user ID in Qlik Sense. Those attributes are set in “Mappers” in the Keycloak configuration.
In Keycloak, set up a test user:
Click Save and go to Credentials to set the password
In Keycloak, add a new Client.

Note: Client ID needs to be the Entity ID set in Qlik Sense in step 2.
In the Client settings locate Signature and encryption and make sure that Sign Assertions is enabled. Sign Documents should be disabled (if it remains enabled, the implementation will still function, but Qlik Sense does not use Sign Documents and will ignore it).
Switch to the Keys tab and disable Client Signature Required. In order to enable this feature, some extra steps are needed, see at the end of this article (Optional Steps - Client Signature) if you wish to enable the feature.
Switch to the Advanced tab and set the Assertion Consumer Service POST Binding URL.

It should be https://{SAML Host URI}/{virtual proxy prefix}/samlauthn/

Make sure not to forget the ending slash after samlauthn, otherwise the authentication will fail.

The last step is to add the X500 email User Property as we are using the attribute "email" as the User ID in the Qlik Sense virtual proxy settings.

Under "Client Scopes", click on the name of client scope that has the description "Dedicated scope and mappers for this client", in the below screenshot the name is QSKeycloak-dedicted.
Choose Add predefined mapper and choose X500 email then click Add
Everything is now set up and operational.

Optional steps

Client Signature

In order to enable Client Signature Required, which means that Keycloak will check the signature on the SAMLAuthnRequest sent from Qlik Sense, the Qlik Sense certificate needs to be added in the Keycloak client configuration.

The certificate can be copied directly from the SP Metadata downloaded from the Qlik Sense Management Console.

Open the Management Console and navigate to Virtual Proxies
Open your Virtual proxy set up for Keycloak
Click Download SP metadata
It will look like this:
Copy it to a new file, and add:

-----BEGIN CERTIFICATE-----
[content]
-----END CERTIFICATE-----

then save it as a .pem file.
Import the certificate as PEM in Keycloak by clicking Client signature required under Keys

SAML Assertion Encryption

The SAML assertion can be encrypted by checking the option in Keycloak in Keys in the same way as for Client Signature required.

The certificate can be extracted in the same way that it is done when enabling Client signature required.

Re: Qlik Sense for Windows: How to set up Keycloak as SAML Identity Provider

edhuangry — Fri, 09 Dec 2022 09:15:03 GMT

Possible to do an update for this? New Keycloak UI and fields are different from these screenshots.

Re: Qlik Sense for Windows: How to set up Keycloak as SAML Identity Provider

Damien_V — Fri, 23 Dec 2022 07:20:15 GMT

@edhuangry Thank you for your feedback.

The article has now been updated with screenshots from the current latest Keycloak (version 20)

article Qlik Sense for Windows: How to set up Keycloak as SAML Identity Provider in Official Support Articles

Qlik Sense for Windows: How to set up Keycloak as SAML Identity Provider

Environment:

Optional steps

Client Signature

SAML Assertion Encryption

Re: Qlik Sense for Windows: How to set up Keycloak as SAML Identity Provider

Re: Qlik Sense for Windows: How to set up Keycloak as SAML Identity Provider