Hi all,
I get a 500 Internal Server Error from Qlik Sense, September 2018 version, when using SHA-256, instead of the default SHA-1 as signing algorithm.
The error message in 'Proxy\TESTPUB02_Audit_Proxy.txt' is:
WARN testpub02 Audit.Proxy.Proxy.Core.RequestListener 152 973a2763-e18c-4e5a-8a23-210989e0e9d8 TESTPUB02\user Unanticipated ComponentSpace.SAML2.Exceptions.SAMLSignatureException occurred for connection
My settings are:
When I go to https://my.public.url/sotest, I get a redirect to https://my.public.url/sotest/hub/.
The hub returns a 500 Internal server error after just 5 ms.
If I choose SHA-1, I get redirected to the Google login.
According to this post, the certificate used for the Qlik Proxy needs to support SHA-256 XML signatures.
Our certificate says its signing algorithm is 'sha256RSA'. Is that not good enough?
Any tip is appreciated,
Cheers,
Vegard
Hello,
Looking at the error from the Audit logs it seems that the certificate does not have the correct Cryptographic Provider set.
In order to use SHA-256 in Qlik Sense with SAML, the cryptographic provider for the certificate applied on the Qlik Sense proxy must be "Microsoft Enhanced RSA and AES Cryptographic Provider".
Here is an article referring to the error message.
And here is an article providing the steps to check and change the cryptographic provider.
Hope this helps!
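To see which provider an installed certificate's private key actually lives in (the same information Vegard later reads from certutil -dump), here is an added PowerShell check; it is not from the thread or from Qlik, and it assumes the proxy certificate is in the LocalMachine\My store and that its subject matches the placeholder filter below. Self-signed and IIS-generated certificates commonly sit in the "Microsoft RSA SChannel Cryptographic Provider", which is why the XML signature fails once SHA-256 is selected even though the certificate itself is signed with sha256RSA.

```powershell
# Added example (not from the thread): report the private-key provider of the
# certificates that could be bound to the Qlik Sense proxy, and flag whether it is
# the CSP the reply above says is required for SHA-256 SAML signing.
# Run in an elevated Windows PowerShell session on the Qlik Sense server.

$RequiredProvider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
# Assumption: the proxy certificate's subject contains this host name; adjust to yours.
$SubjectFilter    = '*testpub02*'

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like $SubjectFilter } |
    ForEach-Object {
        $cert = $_
        # GetRSAPrivateKey returns RSACryptoServiceProvider for legacy CAPI (CSP) keys
        # and RSACng for CNG (KSP) keys; the provider name is read differently for each.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $provider = $rsa.CspKeyContainerInfo.ProviderName
            $keyStore = 'CAPI (CSP)'
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider = $rsa.Key.Provider.Provider
            $keyStore = 'CNG (KSP)'
        } else {
            $provider = '<no RSA private key accessible>'
            $keyStore = 'unknown'
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            # Signature algorithm of the certificate itself (e.g. sha256RSA); this is
            # NOT what decides whether the key can produce SHA-256 XML signatures.
            CertSigAlg = $cert.SignatureAlgorithm.FriendlyName
            KeyStore   = $keyStore
            Provider   = $provider
            # True only when the key is in the provider named in the reply above.
            Sha256Ok   = ($provider -eq $RequiredProvider)
        }
    } | Format-Table -AutoSize
```

A certificate can report CertSigAlg = sha256RSA and still show Sha256Ok = False: the first describes how the CA signed the certificate, the second describes the key container the proxy has to sign with. Only the Provider column matters for the SAMLSignatureException discussed here.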
Thank you so much for your quick reply. I will check out this, and give you some feedback. 🙂
I've tried a few different things now. All give the same results, unfortunately.
I have one self-signed certificate for the testpub02.company.com, and one for *.company.com.
I have added the "Microsoft Enhanced RSA and AES Cryptographic Provider" using openssl as described in your second link. (cert
I have set up one Qlik virtual proxy with our local IdP-metadata, and one virtual proxy using IdP-metadata for Google Accounts. (The certutil.exe -dump now reports Provider = Microsoft Enhanced RSA and AES Cryptographic Provider.)
Going to the "Google IdP prefix", I get immediately redirected to the Google login page.
But using the "local IdP prefix" still gives 500 Internal server error.
And the error message is still:
WARN testpub02 Audit.Proxy.Proxy.Core.RequestListener TESTPUB02\user Unanticipated ComponentSpace.SAML2.Exceptions.SAMLBindingException occurred for connection
Is there anywhere I can get a more detailed error message? Or any logging I can turn on?
How can I find out what is actually going wrong? It looks like it might be something wrong with our metadata. But how to identify what it is, beats me... 😕
Vegard
Hello,
Thank you for applying the article. So the error has now changed.
In the beginning, it was: Unanticipated ComponentSpace.SAML2.Exceptions.SAMLSignatureException
And now: Unanticipated ComponentSpace.SAML2.Exceptions.SAMLBindingException
This new error is related to the fact that your IdP metadata has been created with the binding method HTTP POST instead of HTTP REDIRECT.
Everything is documented here.
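Since the reply attributes the SAMLBindingException to IdP metadata that only advertises HTTP-POST, the quickest way to confirm this from the metadata file itself is to list the bindings its SingleSignOnService elements offer. The check below is an added example, not code from the thread or from Qlik; the metadata document embedded in it is a constructed sample with placeholder entityID and URLs, and it reproduces the situation described above (only HTTP-POST present).

```powershell
# Added example (not from the thread or from Qlik): list the SAML 2.0 bindings an
# IdP metadata document offers for SingleSignOnService, and warn when the
# HTTP-Redirect binding that the Qlik Sense proxy expects is missing.

$HttpRedirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

function Get-SamlSsoBindings {
    param([Parameter(Mandatory)][string]$MetadataXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($MetadataXml)

    # SAML metadata is namespaced; SelectNodes needs a namespace manager with the md prefix.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')

    foreach ($node in $doc.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService', $ns)) {
        [pscustomobject]@{
            Binding  = $node.GetAttribute('Binding')
            Location = $node.GetAttribute('Location')
        }
    }
}

# Constructed sample metadata (placeholder entityID and URLs, not from the thread).
# It advertises only HTTP-POST, which is what the reply above says triggers the exception.
$sample = @'
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'@

# To check the real file instead:
#   $bindings = Get-SamlSsoBindings (Get-Content .\idp-metadata.xml -Raw)
$bindings = Get-SamlSsoBindings $sample
$bindings | Format-Table -AutoSize

if (-not ($bindings.Binding -contains $HttpRedirect)) {
    Write-Warning ("No SingleSignOnService with the HTTP-Redirect binding found; offered: " +
                   ($bindings.Binding -join ', '))
}
```

Running this against the metadata of a working IdP (for example the Google Accounts metadata Vegard tested successfully) should list an HTTP-Redirect entry, while metadata that produces the SAMLBindingException will show the warning. Fixing it means regenerating or editing the IdP metadata so that a SingleSignOnService with the HTTP-Redirect binding is present, then reloading it into the virtual proxy.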
Thank you! I didn't notice that the exception was indeed different. And thank you for the link.
I will look into this on Monday.
cheers 🙂