Example auth0 SAML setup with Qlik Sense Enterprise on Windows

Andre_Sostizzo
Digital Support

The steps below are for an example test setup of SAML authentication using auth0 as Identity Provider with Qlik Sense Enterprise on Windows (QSEoW).

Environment:
  • Qlik Sense Enterprise on Windows (QSEoW), February 2020
  • Auth0

 

Resolution:



Note: The information in this article is provided as-is and is to be used at your own discretion. Ongoing support for the solution is not provided by Qlik Support.

Note: These steps assume an auth0 "Developer" account has already been created.

On Auth0 site:

1. Log on to the auth0 Dashboard and click on + NEW APPLICATION.
2. Give it an appropriate name (e.g. "QS_interactive_logon")
3. Choose an application type: Single Page Web Applications
4. Click on Create and ignore any tutorials
5. Go to Connections > Database
6. Click on + CREATE DB CONNECTION
7. Give it an appropriate name (e.g: "QS_interactive_Users"), and click on Create
8. Then go to the Applications tab and enable the connection only for the new application created above.
9. Go to Users & Roles > Users and click on + CREATE USER
10. Auth0 will send out an email message to the user to verify the account.
11. On the new user's Details page, scroll down to the Metadata > user_metadata section
12. Add the following in the JSON formatted text box in order to associate the "Everyone" group to this user:

user_metadata:

    {
      "groups": [
        "Everyone"
      ]
    }

13. Go back to Applications and select your new application
14. Under Connections, make sure no other Database connections are enabled
15. Go to Rules and click on + CREATE RULE
16. Select the </> Empty rule option under Empty
17. Give it the name "Add groups to claim"
18. Add the following to the Script box:


Script:

    function (user, context, callback) {
      // Copy the groups from user_metadata into a namespaced claim, if any are set
      if ((user.user_metadata || {}).groups) {
        context.idToken['https://qlik.com/groups'] = user.user_metadata.groups;
      }
      callback(null, user, context);
    }


19. Go to Rules and click on + CREATE RULE
20. Select the </> Empty rule option under Empty
21. Give it the name "Add sub as email"
22. Add the following to the Script box:

    function (user, context, callback) {
      // Expose the user's email address as a namespaced "sub" claim
      context.idToken['https://qlik.com/sub'] = user.email;
      callback(null, user, context);
    }

23. Under Connections > Database select the connection created.
24. Click on the Try Connection tab and an authentication page will open in a new browser tab.
25. If the setup is correct, a page displaying "It Works!" is shown, with the user profile metadata further down the page.
26. Go to Applications and click on the newly created application.
27. Then go to the Addons tab and click on SAML2 WEB APP.
28. Under the Settings > Application Callback URL configure the URL with the following format:

Application Callback URL: https://<Qlik Sense FQDN>/<Virtual Proxy prefix>/samlauthn/

Where:
- <Qlik Sense FQDN> is the fully qualified name of the server as it is reachable by the user.
- <Virtual Proxy prefix> will be the prefix configured in the new Qlik Sense Virtual Proxy to be created on the next Qlik Sense steps below.
- e.g: https://qlikserver1.domain.local/auth0/samlauthn/

Note1: Make sure the last slash in the URL is present; leaving it out may lead to errors!
Note2: This also adds a new URL to the Application > Settings > Allowed Callback URLs field every time the above is changed.

29. Now under Addons: SAML2 Web App > Usage > Identity Provider Metadata: click download and store the IdP metadata xml file which will be used in the next Qlik Sense steps below.


On Qlik Sense Management Console (QMC):

30. Under START > CONFIGURE SYSTEM > Virtual Proxies, click on Create new
31. Configure the following values under IDENTIFICATION and AUTHENTICATION areas.

IDENTIFICATION and AUTHENTICATION

- Description: SAML_auth0 (An appropriate description)
- Prefix: auth0 (This will be the prefix used when accessing Qlik Sense via URL)
- Session cookie header name: X-Qlik-Session-auth0 (Needs to differ for every Virtual Proxy)
- Authentication method: SAML (The authentication enabled via auth0)
- SAML host URI: https://<Qlik Sense FQDN> (This is the QS server itself)
- SAML entity ID: https://<Tenant domain>.auth0.com (This can be found in the metadata file downloaded from auth0 under entityID)
- SAML IdP metadata: Choose File: This is the xml file downloaded from Auth0 (The IdP metadata file downloaded from auth0)
- SAML attribute for user ID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress (This is also found in the metadata file from auth0)
- SAML attribute for user directory: [Auth0] (Directory name)
- SAML signing algorithm: SHA-1 (Used by auth0)

32. Under the Virtual Proxy's LOAD BALANCING configuration, map the appropriate Server node or the proxy will not be usable.
33. Click on Apply, then go back into it and click on the View Content link under the SAML IdP metadata. This is the auth0 IdP metadata that was uploaded to this Virtual Proxy's settings.
34. Go back to START > CONFIGURE SYSTEM > Virtual Proxies, highlight the auth0 Virtual Proxy created and click on Download SP metadata. This is the Qlik Sense SP metadata.
35. Open the Qlik Sense SP metadata with a browser (e.g: IE) and view it. Notice that the Location= URL under AssertionConsumerService should match the Application Callback URL configured in Auth0. This can be confirmed on the Auth0 site under Applications > the created application > Settings > Application URIs > Allowed Callback URLs.
36. Test the authentication via the new SAML Virtual Proxy by going to https://<Qlik Sense FQDN>/<prefix>/qmc. (e.g: https://qlikserver2.domain.local/auth0/qmc)
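
The comparisons described in steps 28, 31 and 35 can be scripted once both metadata files have been downloaded. The Python below is an added example, not part of the original article and not Qlik or Auth0 code; the function names and the two embedded metadata documents are constructed for illustration, with the host name and prefix taken from the article's examples.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

# Constructed sample documents, trimmed to the elements the checks read.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-tenant.auth0.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://qlikserver1.domain.local/auth0/samlauthn/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-tenant.auth0.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""


def acs_locations(sp_xml):
    """Location of every AssertionConsumerService in the SP metadata (step 35)."""
    root = ET.fromstring(sp_xml)
    return [e.get("Location") for e in root.iter(MD + "AssertionConsumerService")]


def idp_entity_id(idp_xml):
    """entityID of the first EntityDescriptor in the IdP metadata (step 31)."""
    node = next(ET.fromstring(idp_xml).iter(MD + "EntityDescriptor"), None)
    return node.get("entityID") if node is not None else None


def check_setup(sp_xml, idp_xml, fqdn, prefix, callback_url, qmc_entity_id):
    """Return a list of mismatches; an empty list means the values agree."""
    problems = []
    expected = f"https://{fqdn}/{prefix}/samlauthn/"
    if not callback_url.endswith("/"):
        problems.append("callback URL has no trailing slash (Note1)")
    if callback_url != expected:
        problems.append(f"callback URL differs from {expected}")
    if callback_url not in acs_locations(sp_xml):
        problems.append("callback URL matches no AssertionConsumerService Location")
    if idp_entity_id(idp_xml) != qmc_entity_id:
        problems.append("QMC SAML entity ID differs from entityID in IdP metadata")
    return problems


if __name__ == "__main__":
    args = (SP_METADATA, IDP_METADATA, "qlikserver1.domain.local", "auth0")
    for url in ("https://qlikserver1.domain.local/auth0/samlauthn/",
                "https://qlikserver1.domain.local/auth0/samlauthn"):
        print(url, check_setup(*args, url, "https://example-tenant.auth0.com") or "OK")
```

To use it on a real setup, read the downloaded SP and IdP metadata files into strings and pass them in place of the constructed samples.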
 

Version history
Revision #: 5 of 5
Last update: 2020-08-25 03:03 AM