Multi-Node SAML with SSL - Isolate users to Engine nodes
Some details first:
We have a multi-node site on Qlik Sense September 2017 consisting of 1 central node and 1 engine node in shared persistence.
We are using Auth0 SSO SAML for Authentication using a virtual proxy that's linked to the central node.
The Auth0 callback is pointing to https://<dns>:443/<proxy>/samlauthn/
The Virtual Proxy SAML Host URI and entity ID are both the DNS name.
We have our SSL certificate and DNS configured and pointed towards the central node.
The Central Node host is the DNS name (not the machine name or IP address).
Ideally we would send users to only the Engine node after authentication through the virtual proxy (not load balancing with the central). Currently they are only using the Central node and nobody has ever hit the Engine.
When I link the virtual proxy to the Central node, and load balance with only the Engine, I get the Auth0 login which is great. I then log in and get 'The service did not respond or could not process the request'. This error does NOT occur when I load balance with the Central node only.
I am pretty interested in how you set up Qlik with Auth0. I have been trying to do something similar, but I am getting a "SAML attribute not present, userID" error constantly. I guess that I am not mapping the userID value from Auth0 correctly. In the SAML configuration I have tried to do something like the following: