Re: Multi-factor authentication - Qlik Community

avastani · ‎2017-01-19

Does anyone have pointers on setting up MFA, two-step authentication for Qlik Sense?

Links appreciated

aldo-tgh · ‎2017-02-13

Hi there,

Have you find any way to implement MFA - Multi Factor Authentication wit Qlik Sense?

Thanks!

Aldo.

luciano_garcia · ‎2018-02-13

Hi Amirali/Aldo,

To implement Azure MFA with QSense, you can follow the Tutorial: Azure Active Directory integration with Qlik Sense Enterprise | Microsoft Docs.

In my case, it worked correctly in the company where I job, when Azure was previously configured.

Best regards,

L G

Lauri · ‎2018-02-14

I've set up Okta. I can provide some details if you are interested.

nargesbrz · ‎2018-03-08

Hi Lauri,

I am interested in details configuration of multi-factor auth Okta and Qlik Sens.

Would you please share it?

Thanks!

Lauri · ‎2018-03-08

Hi Narges,

If you haven't yet seen it, this video is very helpful:

https://www.youtube.com/watch?v=PoseXCN0-o0&t=202s

Here are the steps I took to set up Okta to allow users to authenticate to Sense Enterprise (initially version 3.1, now June 2017).

Our users are mostly external to our organization, but we create their accounts in our local Windows Active Directory. We assign them to a security group called 'qlik.'
On Sense: Create a virtual proxy that will listen for Okta SAML assertions. Follow the steps in the video.
Also make sure you have another virtual proxy that uses WIndows authentication -- your monitoring apps will need it to run properly. And it's good to have so you can log into Qlik locally if/when you have problems with Okta.
In Okta: Set up a connection to your user directory under "Directory Integrations" (I installed the Okta agent on our AD server to sync automatically.)
In Okta: Set up the SAML to Qlik under "Applications." This part is tricky and needs to be just right. Follow steps in the video. In my case, the values in the General section are like these:
1. Single Sign On URL, Recipient URL, Destination URL are all: https://yoururl.com:443/okta/samlauthn/
2. Default Relay State: https://yoururl.com/okta/hub/
3. Signature Algorithm: RSA_SHA256
4. Digest Algorithm: SHA256

And here's a screenshot of the rest:

Under the Sign On section, I set up a Policy with a rule requiring multifactor at every sign on. This was because Sense didn't support Single Sign Out (until a very recent version, I forget which, but after Sept 2017), so if a user logs out but keeps the browser open, he can just click the browser "back" button and be logged in again.

Side Note: Our Sense server is not a member of our AD domain.

There is plenty more to describe but hopefully the video gets you there. The Okta app works very well as the 2nd factor. I'm happy to answer any questions you have.

-Lauri

nargesbrz · ‎2018-03-09

Hi Lauri,

Many thanks for your well explanation. I followed the video and it went very well.

I will give it try with two-factor authentication and let you know how it goes.

Thanks

NaziraLala73 · ‎2020-01-30

Did you try with two-factor authentication? Please let us know if you can provide any tips.