Example auth0 SAML setup with Qlik Sense Enterprise on Windows

Andre_Sostizzo — Thu, 25 Jan 2024 09:30:34 GMT

The steps below are for an example test setup of SAML authentication using auth0 as Identity Provider with Qlik Sense Enterprise on Windows.

This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.

Note: These steps assume an auth0 "Developer" account has already been created

On Auth0 site:

Logon to the auth0 Dashboard and click on + NEW APPLICATION.
Give it an appropriate name (e.g. "QS_interactive_logon")
Chose an application type: Single Page Web Applications
Click on Create and ignore any tutorials
Go to Connections > Database
Click on + CREATE DB CONNECTION
Give it an appropriate name (e.g: "QS_interactive_Users"), and click on Create
Then go to the Applications tab and enable the connection only for the new application created above.
Go to Users & Roles > Users and click on + CREATE USER
Auth0 will send out an email message to the user to verify the account.
On the new user's Details page, scroll down to the Metadata > user_metadata section
Add the following in the JSON formatted text box in order to associate the "Everyone" group to this user:

user_metadata:
{ "groups": [ "Everyone" ] }
Go back to Applications and select your new application
Under the Connections make sure no other Database connections are enabled
Go to Rules and click on + CREATE RULE
Select the </> Empty rule options under Empty
Give it the name "Add groups to claim"
Add the following to the Script box:

Script:
function (user, context, callback) { if((user.user_metadata || {} ).groups){ context.idToken['https://qlik.com/groups'] = user.user_metadata.groups; } callback(null, user, context); }
Go to Rules and click on + CREATE RULE
Select the </> Empty rule options under Empty
Give it the name "Add sub as email"
Add the following to the Script box:
function (user, context, callback) { context.idToken['https://qlik.com/sub'] = user.email; callback(null, user, context); }
Under Connections > Database select the connection created.
Click on the Try Connection tab and a authentication page will open on a new browser tab.
If the setup is correct a page displaying "It Works!" should be displayed with user profile metadata information further down the page.
Go to Applications and click on the newly created application.
Then go to the Addons tab and click on SAML2 WEB APP.
Under the Settings > Application Callback URL configure the URL with the following format:

Application Callback URL: https://<Qlik Sense FQDN>/<Virtual Proxy prefix>/samlauthn/

Where:

<Qlik Sense FQDN> is the fully qualified name of the server as it is reachable by the user.
<Virtual Proxy prefix> will be the prefix configured in the new Qlik Sense Virtual Proxy to be created on the next Qlik Sense steps below.
- e.g: https://qlikserver1.domain.local/auth0/samlauthn/

Note1: Make sure the last slash in the URL is present as it may lead to errors otherwise!
Note2: This also adds a new URL to the Application > Setting > Allowed Callback URLs field every time the above is changed.
Now under Addons: SAML2 Web App > Usage > Identity Provider Metadata: click download and store the IdP metadata xml file which will be used in the next Qlik Sense steps below.

On Qlik Sense Management Console (QMC):

Under START > CONFIGURE SYSTEM > Virtual Proxies, click on Create new
Configure the following values under IDENTIFICATION and AUTHENTICATION areas.

Description	SAML_auth0	An appropriate description
Prefix	auth0	This will be the prefix used when accessing Qlik Sense via URL
Session cookie header name	X-Qlik-Session-auth0	Needs to differ for every Virtual Proxy
Authentication method	SAML	The authentication enabled via auth0
SAML host URI	https://	The Qlik Sense Server
SAML entity ID	https://.auth0.com	This can be found in the metadata file downloaded from auth0 under entityID
SAML IdP metadata	Choose File: This is the xml file downloaded from Auth0	The IdP metadata file downloaded from auth0
SAML attribute for user ID	See Claim Types (learn.microsoft)	This is also found in the metadata file from auth0
SAML attribute for user directory	[Auth0]	Directory name
SAML signing algorithm	SHA-1	Used by auth0

Under the Virtual Proxy's LOAD BALANCING configuration, map the appropriate Server node or the proxy will not be usable.
Click on Apply, then go back into it and click on View Content link under the SAML IdP metadata. This is the auth0 IdP metadata that was uploaded to this Virtual Proxy settings.
Go back to START > CONFIGURE SYSTEM > Virtual Proxies, highlight the auth0 Virtual Proxy created and click on Download SP metadata. This is the Qlik Sense SP metadata.
Open the Qlik Sense SP metadata with a browser (e.g: IE) and view it. Notice that the Location= URL under AssertionConsumerService should match what was included in the Auth0's setting Application Callback URL. This can be confirmed in the Auth0's site under Applications > the created application > Settings > Application URIs > Allowed Callbacks URLs.
Test the authentication via the new SAML Virtual Proxy by going to https://<Qlik Sense FQDN>/<prefix>/qmc. (e.g: https//qlikserver2.domain.local/auth0/qmc)

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows

marcos_herrera — Fri, 21 Jul 2023 16:02:40 GMT

Wonder full, i have a question, when user makes logout, is not redirected to login page again, we wants this option

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows

Sonja_Bauernfeind — Tue, 25 Jul 2023 09:00:46 GMT

Hello @marcos_herrera

If SAML single logout is turned on, then the expected behaviour would be:

User clicks "log out"
They get to the Qlik Sense page saying "You have been logged out" with a "Login" button
If they click on the "Login" button then they should be redirected to the Auth0 authentication page if single logout was turned on
If not, then the logout did not kill the Auth0 session, so they will just seamlessly get logged in again to Qlik Sense

For more information about this feature, see SAML single logout.

If you need further assistance on how to implement the above, then our professional services can be engaged for direct assistance with this customization. See Professional Services. Alternatively, you can reach out to our larger userbase with your customization requirement in the Integrations forum.

All the best,
Sonja

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows

paulselousyoriz — Wed, 10 Jan 2024 12:34:14 GMT

auth0 no longer uses Rules for new implementations - instead Actions are used. There is information on the auth0 website about how to migrate from Rules to Actions. Has anyone done this?

Regards,

Paul Selous

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows

jfitz_chicago — Fri, 19 Jan 2024 13:38:35 GMT

Agreed, Paul!

I'd love to see this updated to get groups from Auth0 with Flows and Actions instead of Rules.

My claim is presenting as a source but it's not getting mapped in. I put it in as ~1https:~1~1qlik.com/groups. I see it in api/v1/diagnose-claims but I don't see it when I look at us.auth0.com/.well-known/openid-configuration. So I'm not sure where things are going wrong.

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows

Sonja_Bauernfeind — Mon, 22 Jan 2024 12:12:26 GMT

Hello @jfitz_chicago and @paulselousyoriz I'm looking into having this article reviewed. Thank you for expressing your interest.

All the best,
Sonja

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows

Wolfgang_K — Mon, 22 Jul 2024 13:43:32 GMT

Hello, is there any update on the Auth0 actions?

article Example auth0 SAML setup with Qlik Sense Enterprise on Windows in Official Support Articles

Example auth0 SAML setup with Qlik Sense Enterprise on Windows

On Auth0 site:

On Qlik Sense Management Console (QMC):

Related Content:

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows

Re: Example auth0 SAML setup with Qlik Sense Enterprise on Windows