Example auth0 SAML setup with Qlik Sense Enterprise on Windows
The steps below are for an example test setup of SAML authentication using auth0 as Identity Provider with Qlik Sense Enterprise on Windows (QSEoW).
Qlik Sense Enterprise on Windows (QSEoW), February 2020
! The information in this article is provided as-is and to be used at own discretion. Ongoing support on the solution is not provided by Qlik Support.
Note: These steps assume an auth0 "Developer" account has already been created
On Auth0 site:
1. Log on to the auth0 Dashboard and click on + NEW APPLICATION.
2. Give it an appropriate name (e.g. "QS_interactive_logon")
3. Choose an application type: Single Page Web Applications
4. Click on Create and ignore any tutorials
5. Go to Connections > Database
6. Click on + CREATE DB CONNECTION
7. Give it an appropriate name (e.g: "QS_interactive_Users"), and click on Create
8. Then go to the Applications tab and enable the connection only for the new application created above.
9. Go to Users & Roles > Users and click on + CREATE USER
10. Auth0 will send out an email message to the user to verify the account.
11. On the new user's Details page, scroll down to the Metadata > user_metadata section
12. Add the following in the JSON formatted text box in order to associate the "Everyone" group to this user:
Script:
13. Go back to Applications and select your new application
14. Under the Connections make sure no other Database connections are enabled
15. Go to Rules and click on + CREATE RULE
16. Select the </> Empty rule options under Empty
17. Give it the name "Add groups to claim"
18. Add the following to the Script box:
23. Under Connections > Database select the connection created.
24. Click on the Try Connection tab and an authentication page will open on a new browser tab.
25. If the setup is correct a page displaying "It Works!" should be displayed with user profile metadata information further down the page.
26. Go to Applications and click on the newly created application.
27. Then go to the Addons tab and click on SAML2 WEB APP.
28. Under the Settings > Application Callback URL configure the URL with the following format:
Application Callback URL: https://<Qlik Sense FQDN>/<Virtual Proxy prefix>/samlauthn/
Where:
- <Qlik Sense FQDN> is the fully qualified name of the server as it is reachable by the user.
- <Virtual Proxy prefix> will be the prefix configured in the new Qlik Sense Virtual Proxy to be created on the next Qlik Sense steps below.
- e.g: https://qlikserver1.domain.local/auth0/samlauthn/
Note1: Make sure the last slash in the URL is present as it may lead to errors otherwise!
Note2: This also adds a new URL to the Application > Setting > Allowed Callback URLs field every time the above is changed.
29. Now under Addons: SAML2 Web App > Usage > Identity Provider Metadata: click download and store the IdP metadata xml file which will be used in the next Qlik Sense steps below.
On Qlik Sense Management Console (QMC):
30. Under START > CONFIGURE SYSTEM > Virtual Proxies, click on Create new
31. Configure the following values under IDENTIFICATION and AUTHENTICATION areas.
IDENTIFICATION and AUTHENTICATION
An appropriate description
This will be the prefix used when accessing Qlik Sense via URL
This is also found in the metadata file from auth0
SAML attribute for user directory:
SAML signing algorithm:
Used by auth0
32. Under the Virtual Proxy's LOAD BALANCING configuration, map the appropriate Server node or the proxy will not be usable.
33. Click on Apply, then go back into it and click on the View Content link under the SAML IdP metadata. This is the auth0 IdP metadata that was uploaded to this Virtual Proxy's settings.
34. Go back to START > CONFIGURE SYSTEM > Virtual Proxies, highlight the auth0 Virtual Proxy created and click on Download SP metadata. This is the Qlik Sense SP metadata.
35. Open the Qlik Sense SP metadata with a browser (e.g: IE) and view it. Notice that the Location= URL under AssertionConsumerService should match what was included in the Auth0 setting Application Callback URL. This can be confirmed on the Auth0 site under Applications > the created application > Settings > Application URIs > Allowed Callbacks URLs.
36. Test the authentication via the new SAML Virtual Proxy by going to https://<Qlik Sense FQDN>/<prefix>/qmc. (e.g: https://qlikserver2.domain.local/auth0/qmc)
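The comparison in step 35 can be scripted instead of read off in a browser. The following is an added example, not code from Qlik or auth0: it assumes the downloaded SP metadata uses the standard SAML 2.0 metadata namespace, and the embedded XML, the function names and the host name in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed stand-in for the file obtained via "Download SP metadata" (step 34).
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://qlikserver1.domain.local/auth0/">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://qlikserver1.domain.local/auth0/samlauthn/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_locations(metadata_xml):
    """Return every AssertionConsumerService Location in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location", "")
            for e in root.iterfind(".//md:AssertionConsumerService", MD_NS)]


def check_callback(metadata_xml, callback_url, prefix):
    """Return a list of problems; an empty list means the URLs line up."""
    problems = []
    parts = urlsplit(callback_url)
    if parts.scheme != "https":
        problems.append("callback URL is not https")
    if not parts.path.endswith("/"):
        problems.append("callback URL lacks the trailing slash")
    if parts.path.rstrip("/") != f"/{prefix}/samlauthn":
        problems.append(f"path is not /{prefix}/samlauthn/")
    locations = acs_locations(metadata_xml)
    if not locations:
        problems.append("no AssertionConsumerService in SP metadata")
    elif callback_url not in locations:
        # Exact string comparison on purpose: the two values must be identical.
        problems.append(f"callback URL differs from ACS Location {locations}")
    return problems


if __name__ == "__main__":
    for url in ("https://qlikserver1.domain.local/auth0/samlauthn/",
                "https://qlikserver1.domain.local/auth0/samlauthn"):
        print(url, "->", check_callback(SAMPLE_SP_METADATA, url, "auth0") or "OK")
```

To check a real deployment, read the downloaded SP metadata file into a string and pass it in place of `SAMPLE_SP_METADATA`, together with the Application Callback URL entered in auth0 and the Virtual Proxy prefix.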