Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
justin_wood
Contributor
Contributor

QlikSense redirect via IIS, SAML virtual proxy

Good morning folks,

We're in the process of implementing a multi layered Qlik Sense environment. We have a load balancer F5 BIGIP out front that then directs traffic to one of two rim/proxy nodes in a DMZ that then talk to a Central Node behind a protected network. I've completed implementing the SAML piece on virtual proxies attached to the two proxy nodes. I have also tested Qlik Sense using the windows auth default node successfully but we do not want users to land on the windows authentication piece, we only want users to hit the virtual proxy with the SAML authentication enabled.


If I input our VIP from the F5 with /saml/ on the end, it works properly but we do not want to have to provide a URL for users past the initial VIP for simplicity's sake. I was attempting to use IIS to perform an HTTP redirect but it doesn't appear to capture the traffic, the default node grabs it instead. Does anyone know if it is possible to use IIS to redirect from the incoming request (the Nodes are using a certificate that I put in place) to the virtual proxy? My http redirect is very simple, just gives the server and path locally for the SAML node as if I use the VIP/saml/ from there, the DNS entry will force it to go back out to the beginning of the loop so it redirects to https://servername/saml/ and is set to send all traffic there, but upon testing, I go straight to the default windows auth node.

I've looked at the fact that people are using NGINX but I have had no experience with that software and the examples other people are using are more for http and re-wrapping the ports into one, which might be useful to us, but I'm not certain how to make all the necessary pieces work and not having that familiarity, I'm not certain it would be the smartest move to put something I can't easily troubleshoot into production play.

Thank you for any advice, help or tips, if I can provide more info, please let me know:

Qlik Sense 2.2

2 proxy nodes on DMZ - Server 2012 R2

1 central node on protected network - Server 2012 R2

Using basic HTTP redirection on the server level, when i tested setting up the redirect at the site level, it clashed with the base setup for 443 already being in use.

thanks again,

Justin Wood

University of Virginia

Enterprise Systems & Computing Platforms

3 Replies
Anonymous
Not applicable

Hi Justin,

Our load balancing team has appended the URL with /saml which works fine. I have another question though.

We have integrated SAML with 1 proxy node. Now we have added a new proxy node and we would like to to configure SAML authentication for this. It works fine with https://localhost/hub but it doesn't work with https://localhost/saml/hub.

All I did was, I linked the new proxy node in SAML virtual proxy, Do I need to do anything on top of this?

Thanks,

Nithesh

gregortvw
Contributor III
Contributor III

Hi,

in your use case you have to (install and) configure IIS ARR as reverse proxy. Also you have to whitelist the URL (DNS alias) you use for F5 in the Virtual Proxy configuration (Qlik Sense).

Also you can check you SAML confs. Qlik Sense SAML – A standardized approach to authentication

Regards,

Gregor

ahmedadmin
Contributor III
Contributor III

Hi,

Do you know how I can configure the F5 load balancer to the Qlik Sense. It says it should balance on both the ports (443 and 4244) for hub.

However, the LBR team says that they can balance on only one Port.