How to configure Qlik Sense Enterprise on-prem with Azure Entra ID as an Identity Provider (IdP)

Jack_Guo — Tue, 31 Mar 2026 11:00:05 GMT

This article documents the basic steps to configure the SAML integration between Qlik Sense Enterprise on Windows (Client-Managed) and Microsoft Entra ID. By connecting these two platforms, administrators can control which users are allowed to access Qlik Sense directly from Entra ID, provide users with seamless single sign-on using their Microsoft accounts, and manage identities from a centralized location.

If you are looking for instructions for Qlik Cloud Analytics, see How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP.

Content

Prerequisites

To get started, you need the following items:

A Microsoft Entra subscription.
A valid Qlik Sense Enterprise on Windows license.
Along with Cloud Application Administrator, an Application Administrator can also add or manage applications in Microsoft Entra ID. For more information, see Azure built-in roles.

Step One: Adding the Qlik Sense Enterprise on Windows app to your ENTRA ID.

Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
Go to Entra ID.
Select Enterprise Applications under the Manage part.
Click New Application.
In the search box, type Qlik Sense Enterprise Client-Managed and select the result.
Click Create and wait for the app to be successfully added to your application list.

Step Two: Assigning users to your Qlik Sense Enterprise Client-Managed app in ENTRA ID.

Open the created Qlik Sense Enterprise Client-Managed app, click on Users and groups on the left side.
Click + Add user/group.
Click None Selected under the Users.
Select the user or multiple users you want to permit to access Qlik Sense, then click Select.
Click Assign.
Click Refresh and verify that the target user is added with the Role assigned.

Step Three: Configuring Microsoft Entra SSO

Open the created Qlik Sense Enterprise Client-Managed app, and click Single sign-on on the left side.
On the Select a Single Sign-on method page, select SAML.
On the Set up Single Sign-On with SAML page, select the pencil icon for Basic SAML Configuration to edit the settings.
In the Identifier (Entity ID) textbox, type a URL using the pattern: https://<Fully Qualified Domain Name>.qliksense.com”

This example uses the Qlik Sense Fully Qualified Domain Name https://qlikserver1.domain.local
In the Reply URL textbox, type a URL using the pattern: https://<Fully Qualified Domain Name>:443{/virtualproxyprefix}/samlauthn/

This example uses https://qlikserver1.domain.local:443/entrasaml/samlauthn/
In the Sign on URL textbox, type a URL using the pattern: https://<Fully Qualified Domain Name>:443{/virtualproxyprefix}/hub

This example uses https://qlikserver1.domain.local:443/entrasaml/hub
Click Save.
Go to the Set up Single Sign-On with SAML page.
In the SAML Certificate section, find Federation Metadata XML, click Download, and save the file on your computer.

Step Four: Configuring SSO Qlik Sense Enterprise client-managed virtual proxy

All the following steps are taken in Qlik Sense Enterprise on Windows.

Open the Qlik Sense Management Console (QMC) as a root admin user or a user who has permission to create a virtual proxy.
Go to Virtual Proxies and click Create new (See Creating a virtual proxy for details).
If not already visible, activate the following Properties in the right-side menu: Identification, Authentication, Load Balancing, and Advanced.
Configure IDENTIFICATION as follows:
- Description: Describe the purpose of the virtual proxy.
- Prefix: Enter a unique name not yet used by any other virtual proxies; this value will be a part of the login URL for Qlik Sense.
- Session inactivity timeout (minutes): Set how long a session can remain idle before it expires; once this limit is reached, the session becomes invalid and the user is automatically signed out.
- Session cookie header name: Set a unique cookie name storing the session identifier after successful authentication.
Configure AUTHENTICATION as follows:
- Anonymous access mode: This controls whether unauthenticated users can access Qlik Sense through this virtual proxy. The default setting is No anonymous user, which restricts access to authenticated users only. Leave it at the default.
- Authentication method: Select SAML from the dropdown list, which will surface additional settings.
- SAML host URI field: Enter the hostname that users will use to access Qlik Sense through this SAML proxy. This value should match the public URI of your Qlik Sense server.
- SAML entity ID: Use the same value configured in the SAML host URI field.
- SAML IdP metadata: Upload the identity provider metadata file previously downloaded from Microsoft Entra ID. Click Choose File and select the XML metadata file.
- SAML attribute user ID: Enter the attribute name or schema reference for the SAML attribute representing the UserID Microsoft Entra ID sends to the Qlik Sense server. Schema reference information is available in the Azure app screens post configuration. To use the name attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
- SAML attribute for user directory: Enter the value for the user directory that's attached to users when they authenticate to Qlik Sense server through Microsoft Entra ID. Hardcoded values must be surrounded by square brackets []. To use an attribute sent in the Microsoft Entra SAML assertion, enter the name of the attribute in this text box without square brackets. In this example, we are using [domain].
- SAML signing algorithm: Defines the certificate signing algorithm used by the service provider (Qlik Sense server). If your server uses a trusted certificate generated with Microsoft Enhanced RSA and AES Cryptographic Provider, consider changing the algorithm to SHA-256. In this example, SHA-1 is used.
- SAML attribute mapping: Allows additional attributes (such as groups) to be passed to Qlik Sense for use in security rules. In this example, no additional attribute mapping is configured.
Configure LOAD BALANCING as follows:
1. Click Add new server node.
2. Then select the engine node (or nodes) that Qlik Sense should route user sessions to for load balancing and click Add to confirm your selection.
Configure ADVANCED as follows:
- Host allow list: Define all hostnames that are permitted when connecting to the Qlik Sense server. Enter the hostname users will use to access the server.
  
  This value should match the SAML host URI, but without the https:// prefix.
- Leave the other settings at their default values
Click Apply.

The Proxy will be restarted. Click OK to confirm.
After the restart, locate the Associated items section in the menu and click Proxies.
Select the proxy node that will handle this virtual proxy connection in Qlik Sense, then click Link. Once the connection is established, the proxy node will appear in the list of associated proxies.
A Refresh QMC prompt appears. Click to confirm. Once the page reloads, open the Virtual proxies section and locate the newly created SAML virtual proxy in the list.
Select the entry, and the Download SP metadata button at the bottom of the screen will become active. Click this button to download and save the service provider metadata file for Qlik Sense.
Open the SP metadata file and review the entityID and AssertionConsumerService entries. These correspond to the Identifier and Reply URL fields in the Microsoft Entra ID application configuration. If the values in Entra ID do not match those in the metadata file, update the Domain and URLs section of the application configuration so they are aligned with the settings from Qlik Sense.

Step Five: Testing SSO.

You can test the single sign-on setup either from the Microsoft Entra ID portal by selecting Test, or by navigating directly to the Qlik Sense sign-on URL and starting the login process from there.