LorisLombardo87
Partner - Contributor III

Keycloak and SAML - Validation error

Hi everybody,

After unsuccessfully trying to implement JWT for authorization, we are now trying SAML with Keycloak.

We have followed this article, but when we try to validate it gives back the following error:

[screenshot: LorisLombardo87_0-1716307284500.png]

If I look at the SAML assertion I can see the attributes are there:

[screenshot: LorisLombardo87_1-1716307466267.png]

Is there anything I can check to verify if the SAML request is in the correct format?


Thanks,
Loris

7 Replies
Marc
Employee

Can you compare your configuration in Keycloak and Qlik Cloud against the details in the following article?
https://community.qlik.com/t5/Official-Support-Articles/Qlik-Cloud-How-to-set-up-Keycloak-as-a-SAML-...

Of course, if you are using Keycloak you could use OIDC.

LorisLombardo87
Partner - Contributor III
Author

Hi Marc, that is exactly how we have done the settings in Keycloak.
We have tried OIDC as well; in that case it gives a "First certificate" issue, which I'm not sure what it is referring to.

Please consider that our Keycloak is publicly available and its certificate is a valid one.


Thanks,
Loris

Damien_Villaret
Support

@LorisLombardo87 

Here is a full SAML response that is working (also Keycloak); can you check if there is any obvious difference from yours?

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Destination="https://xxxx.ap.qlikcloud.com/login/saml"
                ID="ID_9f3319ec-744e-47ba-b375-d817ed377e58"
                InResponseTo="Qlik_d8e89790-0499-4088-a707-28bd5b550f62"
                IssueInstant="2024-03-10T14:21:33.658Z"
                Version="2.0"
                >
    <saml:Issuer>https://qlikserver2.domain.local:8443/realms/master</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <dsig:Reference URI="#ID_9f3319ec-744e-47ba-b375-d817ed377e58">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <dsig:DigestValue>2L3+Qnr4G5TLM+pSIPGH3J1Fdo/lCXK/ZIUn2TWDzOw=</dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>yvrhk1D2HUpvDRPu0eF2EZkpHN+Neh2ee7Wg8qaf+IFVtgyXc5PFjVnOUgljIJ5BriKCVNk49l34sx4sbtR28bbo3m3n+4BFpX5bQOwZumODLDZoPL01jXo4xQZzYtVwsNgpSkaryYnYctAsjAweMSSeyFWOlRkGyUepu+pELUOPgDkRsdvvPmdCTAL6tpxExTGPSQvbdOrTH8gSxZTGiIRMfhDUlY7cFY+ccwkwx7yFmk+uP+HX+Ps9kESF3sNto2rHBuUf4oawG27YorwZDaQAGKjQIDqld0JiBTePnLe97zJ+zxXk3q6hOuMgzumogTsMIMd1qH8Zo841LllN7g==</dsig:SignatureValue>
        <dsig:KeyInfo>
            <dsig:X509Data>
                <dsig:X509Certificate>[base64 X.509 certificate omitted]</dsig:X509Certificate>
            </dsig:X509Data>
        </dsig:KeyInfo>
    </dsig:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="ID_539dfb0a-703c-4c5d-9e54-a040167c7167"
                    IssueInstant="2024-03-10T14:21:33.658Z"
                    Version="2.0"
                    >
        <saml:Issuer>https://qlikserver2.domain.local:8443/realms/master</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-5dbff66b-31d5-4060-8307-4267d731c370</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="Qlik_d8e89790-0499-4088-a707-28bd5b550f62"
                                              NotOnOrAfter="2024-03-10T14:22:31.658Z"
                                              Recipient="https://xxxx.ap.qlikcloud.com/login/saml"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2024-03-10T14:21:31.658Z"
                         NotOnOrAfter="2024-03-10T14:22:31.658Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>https://xxxx.ap.qlikcloud.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2024-03-10T14:21:33.658Z"
                             SessionIndex="26996a77-ed62-43b3-a301-7bee4f33ca12::8e0bf523-4f9e-4970-a0a9-099046787a6e"
                             SessionNotOnOrAfter="2024-03-11T00:21:33.658Z"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute FriendlyName="groups"
                            Name="groups"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >Group1</saml:AttributeValue>
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >Group2</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="email"
                            Name="email"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >user1@test.com</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>
If the issue is solved please mark the answer with Accept as Solution.
LorisLombardo87
Partner - Contributor III
Author

Hi Damien, thanks for your support!

I've loaded the two SAML assertions into https://samltool.io/ 

Here is the one you shared:

[screenshot: LorisLombardo87_0-1716986757445.png]

Here is mine:

[screenshot: LorisLombardo87_2-1716987063452.png]


I cannot see any major difference.

Can you see anything strange?

Please consider that our Keycloak is publicly available and the SSL certificate is a valid wildcard certificate issued by a valid trusted authority.

Thanks,
Loris


Marc
Employee

Can you please confirm how you have configured the settings in Qlik Cloud?

As your SAML does not appear to have groups, but roles:

[screenshot: Marc_0-1717041666337.png]
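As an added example (not from this thread, nor Qlik's or Keycloak's own code), here is a Python check an SP could run over a response shaped like the one Damien posted, flagging the mismatch Marc points to: the mapping asks for "groups" while the assertion carries "roles". The tenant URL, timestamps and the XML sample are constructed assumptions.

```python
"""Added example (not from the thread): check a SAML Response against an
SP attribute mapping, the way an SP would before resolving user fields.
Sample XML and constants are constructed assumptions."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "https://example.qlikcloud.com"  # assumed SP entity ID / tenant URL
SAMPLE_NOW = datetime(2024, 3, 10, 14, 22, 0, tzinfo=timezone.utc)

# Constructed sample with the layout of the working response above, except the
# IdP releases "roles" where the SP mapping expects "groups".
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{AUDIENCE}/login/saml" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0">
    <saml:Conditions NotBefore="2024-03-10T14:21:31Z" NotOnOrAfter="2024-03-10T14:22:31Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="roles"><saml:AttributeValue>Group1</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>user1@test.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def attributes(xml_text):
    """Return {Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}

def check_response(xml_text, mapping, audience=AUDIENCE, now=SAMPLE_NOW):
    """Return a list of problems (empty = OK). mapping maps SP user fields
    (e.g. "email", "groups") to the SAML attribute Name that should carry them;
    an empty Name means the field is unmapped and is skipped."""
    root = ET.fromstring(xml_text)
    problems = []
    cond = root.find(".//saml:Conditions", NS)
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    if not (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside NotBefore/NotOnOrAfter window")
    if audience not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append(f"audience {audience} missing from AudienceRestriction")
    names = attributes(xml_text)
    for field, name in mapping.items():
        if name and name not in names:
            problems.append(f"{field}: attribute '{name}' not in assertion, have {sorted(names)}")
    return problems
```

Leaving the "groups" mapping blank (as Loris asks later) removes the only problem for this sample; pointing the mapping at "roles" instead would do the same.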


LorisLombardo87
Partner - Contributor III
Author

Hi Marc,

It is configured like this:

[screenshot: LorisLombardo87_0-1717072592998.png]

BTW, I'm not interested in groups or picture at the moment.

Shall I leave that mapping blank?

Also, the error doesn't seem to refer to the group attribute but in general to the fact that it cannot find the attributes in the SAML assertion.


Thanks,
Loris

Damien_Villaret
Support

Hi @LorisLombardo87 

Since you mentioned you're not interested in groups, did you make sure that you have the "Group creation" option set to OFF in your tenant settings?
