Qliksense SSO using Onelogin

Nitish · ‎2020-02-11

Hi All,

Hope you are doing good.

we are trying to implement SSO (single sign on) with Qliksense & onelogin uisng SAML.

we have followed steps mentioned on Qlik help page below are the link for same

https://help.qlik.com/en-US/sense/June2019/Subsystems/ManagementConsole/Content/Sense_QMC/SAML-confi...

After implementation when we had tried to test we are getting below mentioned error

400

Bad Request

Contact your system administrator. The user cannot be authenticated or logged out by the SAML response through the following virtual proxy: onelogin

Please find below SAML response for GET & POST and qliksense logs attached in post.

Any help would be appreciated.

SAML Get

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

ID="_218a2d54-a0a8-4644-8e22-ce276262d9b3"

Version="2.0"

IssueInstant="2020-02-11T08:45:32.274Z"

Destination="https://axtria-qs-dev.onelogin.com/trust/saml2/http-redirect/sso/3b2008a0-532f-4d68-9831-e1fcad864ba..."

ForceAuthn="false"

IsPassive="false"

AssertionConsumerServiceIndex="2"

AttributeConsumingServiceIndex="1"

>

<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">onelogin</saml:Issuer>

</samlp:AuthnRequest>

SAML Post

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

ID="pfxe01b47cc-ca9b-d3c9-8b19-b024b9ba969a"

Version="2.0"

IssueInstant="2020-02-11T08:45:31Z"

Destination="https://horeports-nvs.axtria.com:443/onelogin/samlauthn/"

InResponseTo="_218a2d54-a0a8-4644-8e22-ce276262d9b3"

>

<saml:Issuer>https://app.onelogin.com/saml/metadata/3b2008a0-532f-4d68-9831-e1fcad864baf</saml:Issuer>

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

<ds:SignedInfo>

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />

<ds:Reference URI="#pfxe01b47cc-ca9b-d3c9-8b19-b024b9ba969a">

<ds:Transforms>

<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

</ds:Transforms>

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />

<ds:DigestValue>lZUvSM2gaVCrrddTTRdG193+gkc=</ds:DigestValue>

</ds:Reference>

</ds:SignedInfo>

<ds:SignatureValue>QGAsTkvkGum6luJLqPT+QAy82ISoQMppevJdQXtlGoLmX31DVILzCgBepuSrJCrkkPPxjjWGbj5J9dvMvO7v01Y7qnp8O6TsKcMBvg69yrdTz38cF8wWJb9PNYpmCGC9CiwO2WPYGnUjpEmo4pT4bNtAclwCVipvwkRaOnmsq9N8CvwNsj4b4c8U5/PokIyM5mQUnCPCdIvWopzv2Ft77ZKwBmhm+EFBYVl2JYUCPjy5Ufdw9mbl3c1y1qL7UObkuzYxOhfRhy6MtJa2QjswSn4QoVYTS6LDfopQ0b2+iozw//8FsZlgfA81QH/fBFXUAjxSYF+5eRcavnn2JB6LRA==</ds:SignatureValue>

<ds:KeyInfo>

<ds:X509Data>

<ds:X509Certificate>MIID2DCCAsCgAwIBAgIUKrrSXziJXW1b91s3ViGaKeWqjWAwDQYJKoZIhvcNAQEFBQAwRDEPMA0GA1UECgwGQXh0cmlhMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFjY291bnQgMB4XDTIwMDIxMDE0MzYyNloXDTI1MDIxMDE0MzYyNlowRDEPMA0GA1UECgwGQXh0cmlhMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFjY291bnQgMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAod1bnvBFrm/FbVweKR0giXHr5pZWgx8UWFMb+UstasbOdRfyRCs172q8IelK2Yp7oZL32wF9DCr7HnftHu5jrX822rfwi0HJoezJXZJqanK9MNmT6zzCe56wUsIy3HaRP/LeMm4Nddnc08730eyd7jSNU6GeANDiNVMiw1LtcGT6paAw6UWL25Jn6p8EyuJYSNtE4NGCxeK+FjHY8E+/YJmB1/NJ5boBqWVKDF8gk2dQobRfwWiOuriugXgiykYAJwVlUw6lxKmb+wnqpAABTrdhkCgLrECbVuX9nTD9OVU9HQ5nG7tYv82uIryWgJoIrfDTy9VR/kbBuvqkyLw1lwIDAQABo4HBMIG+MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFLqUKnH6E5Ceedkf5rGiZ06O/Cs8MH8GA1UdIwR4MHaAFLqUKnH6E5Ceedkf5rGiZ06O/Cs8oUikRjBEMQ8wDQYDVQQKDAZBeHRyaWExFTATBgNVBAsMDE9uZUxvZ2luIElkUDEaMBgGA1UEAwwRT25lTG9naW4gQWNjb3VudCCCFCq60l84iV1tW/dbN1Yhminlqo1gMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAf3/uDDWn3Mox6EX/RSxZQ0wqfXXi5q9LpuNW/CCAz/fTqG/JFBZqmh5mGNUFGK6uAgqE+wixS7+xmm5EzNbe0XeejZtu4lfFK0iXr4CBC2fdcchA6JBSaEJ7g2TJqbwRPtfni2DFtJq+CaGua+5Mxzqc8Rcy28Tb2hG6QsMYGYkFjquHiFl9pSaSz8fur2/rnunFfwoQ8TYMaPO+7OA3HDbRqfRqbDzAMIXo/jVcqQ6qtJs39Cu1FcOxdY2I/McSD2Acg3bUdYnNzsoMzjRFqb0lx35VlZDm0RJjyhotMDe5sQP3rrp51FOtHhvdWejqrUaDQuvddXEpzFIciDoD+A==</ds:X509Certificate>

</ds:X509Data>

</ds:KeyInfo>

</ds:Signature>

<samlp:Status>

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />

</samlp:Status>

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

xmlns:xs="http://www.w3.org/2001/XMLSchema"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

Version="2.0"

ID="Ac770a07e7931504367f2852139f4208fade65f31"

IssueInstant="2020-02-11T08:45:31Z"

>

<saml:Issuer>https://app.onelogin.com/saml/metadata/3b2008a0-532f-4d68-9831-e1fcad864baf</saml:Issuer>

<saml:Subject>

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">SSO_User</saml:NameID>

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

<saml:SubjectConfirmationData NotOnOrAfter="2020-02-11T08:48:31Z"

Recipient="https://horeports-nvs.axtria.com:443/onelogin/samlauthn/"

InResponseTo="_218a2d54-a0a8-4644-8e22-ce276262d9b3"

/>

</saml:SubjectConfirmation>

</saml:Subject>

<saml:Conditions NotBefore="2020-02-11T08:42:31Z"

NotOnOrAfter="2020-02-11T08:48:31Z"

>

<saml:AudienceRestriction>

<saml:Audience>onelogin</saml:Audience>

</saml:AudienceRestriction>

</saml:Conditions>

<saml:AuthnStatement AuthnInstant="2020-02-11T08:45:30Z"

SessionNotOnOrAfter="2020-02-12T08:45:31Z"

SessionIndex="_c934fdb0-2ed8-0138-b4ac-09ddd88e3188"

>

<saml:AuthnContext>

<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>

</saml:AuthnContext>

</saml:AuthnStatement>

<saml:AttributeStatement>

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

Name="userid"

>

<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:type="xs:string"

>SSO_User</saml:AttributeValue>

</saml:Attribute>

</saml:AttributeStatement>

</saml:Assertion>

</samlp:Response>

Regards

Nitish

Advanced Authoring