This example assumes you understand your environment and have the permissions needed to perform the actions shown. All accounts used are Local Administrators, and the servers are open, with nothing blocked and no other programs installed on them.
Prerequisites:
A 3rd party SSL certificate OR a self-signed certificate exported from the QMC for the ADFS server
Access to Sense installed on a server that can connect to the ADFS environment
Access to a server to install and configure ADFS
Note: Read the entire documentation to verify access and understanding of all actions stated within prior to starting the install and configuration.
Example Environment:
AD FS: DC1.domain.local
Qlik Sense: QlikServer1.domain.local
Note: This documentation is only to be used to validate and test SAML and ADFS. Use this at your own discretion.
Step 1: Install/import a valid certificate for the ADFS server with a Trusted Root from a Certificate Authority. This is used to make sure the SSL certificate bound to the Qlik Sense Proxy and ADFS trust each other.
Example: TinyCerts.org – You can create your own CA and then issue certificates against that CA for any server name requested. Note: This option requires fewer steps in the long run, but you need access to the Certificate Authority and/or a certificate prepared in advance to save time.
Example: Using the Qlik Sense self-signed certificates that are exported from the QMC for the ADFS server name.
Step 2: Install the DC1.domain.local certificate chain
Note: The example shown is from TinyCerts.org and is a complete PFX file with the SSL certificate AND the Trusted Root Certificate combined. When installed it imports both certificates to their correct locations on the ADFS server. Self-Signed certificates import/install information is below.
Confirm the certificate is installed correctly:
Note: The same main steps are performed with the Self-Signed certificates exported by the QMC.
Import the certificate
Launch Microsoft Management Console (mmc.exe) on the ADFS server
In the MMC, go to File > Add / Remove Snap-in...
Select Certificates and click Add
Select Computer account, click Next, select Local computer and click Finish
In the MMC, go to Certificates (Local Computer)/Personal
In the MMC, go to Actions > All Tasks > Import...
Browse to the certificate file provided to you from your CA / Export from the QMC
Follow the instructions on the screen to import the certificate, including the private key
Verify the new certificate has been imported into Certificates (Local Computer) > Personal > Certificates and that it contains a private key
Viewing the certificate when installed should have this entry:
Follow the same steps for the Trusted Root, but place it in Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates
The “server.pfx” is going to be installed in the Certificates (Local Computer) > Personal > Certificates
Server name of the ADFS server you created (Example: dc1.domain.local)
The “root.cer” is going to be installed in the Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates
Server name of the Central node of the Sense site once installed (Example: QlikServer1.domain.local)
Step 3: Install ADFS on DC1.domain.local through Add/Remove features by selecting the check box for Active Directory Federation Services
There are no configuration steps to add the feature for the demonstration (all default values)
Step 4: Configure AD FS - Click Manage in the Server Manager and finish the ADFS setup
Note: Notice that dc1.domain.local is available in the drop-down. If this is a clean install of the server and ADFS is then installed, there will be NO certificates there other than the ones you install (or that are on the default image of the server). This is why we use the certificate we created: it makes it easier to ensure that all the certificates trust each other without extra configuration.
Example of the View Script
Click Configure to start the installation process
You can ignore this message in a single ADFS test environment.
If you’re going to use a 3rd party SSL certificate and do NOT want to change the encryptioncertificaterevocationcheck and signingcertificaterevocationcheck settings (Step 12 below) for the Relying Party Trust, review Step 5-A at the end of the document, then proceed.
Step 6: Download the SP metadata for the ADFS virtual proxy in the QMC and move it to the ADFS server (or a shared folder).
Note: You must link the Virtual Proxy to a Proxy; otherwise this is not possible and the button is grayed out.
Step 7: Configure the Relying Party Trust using the SP metadata from Sense
Note: Once completed, go back into the Properties for this Relying Party Trust and change it from SHA-256 to SHA-1 for this demonstration.
Step 8: Add the Claim information for the Relying Party Trust
Note: You can pass many different AD attributes, but for this we are just sending the Windows Account Name information as the UserID (as set in the virtual proxy).
Step 10: Once you get the metadata in a file, you will need to remove any and all sections containing RoleDescriptor. Note: This step may not be needed depending on the version of Sense and AD FS. If you're in current builds (any 2018 or later), it will most likely be fine just using the full IdP metadata XML. You will get an error in the QMC when applying, if it's not valid.
Using the default Notepad: Click at the start of the file and use Find to locate the first RoleDescriptor entry.
Make a few returns / spaces so when you select from the bottom to the top you’ll know where to stop.
Scroll to the bottom of the file and click to move the cursor to the end of the file
Change the direction from Down to Up and Find Next
Once found, select the entire section between those two points and delete it. This reduces the XML to less than half its original size.
Note: You can use other text editors, but this one is default on Windows and just takes a few quick searches.
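The Notepad edit in Step 10 can also be done by parsing the XML, which removes each RoleDescriptor element whole instead of relying on a hand-made selection. This is an added example, not part of the original guide: the function name, the sample metadata and the file paths are assumptions made for illustration.

```powershell
# Added example, not from the original guide.
function Remove-RoleDescriptor {
    param([Parameter(Mandatory)][string]$MetadataXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true      # leave the untouched parts formatted as they were
    $doc.XmlResolver = $null             # never fetch DTDs or external entities
    $doc.LoadXml($MetadataXml)

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')

    # Copy the matches into an array first, then detach each one from its parent.
    # Like the manual edit, this invalidates any enveloped ds:Signature in the file.
    $targets = @($doc.SelectNodes('//md:RoleDescriptor', $ns))
    foreach ($node in $targets) { [void]$node.ParentNode.RemoveChild($node) }

    # The SAML IdP description must survive, or the file is of no use to the virtual proxy.
    if (-not $doc.SelectSingleNode('//md:IDPSSODescriptor', $ns)) {
        throw 'No IDPSSODescriptor found; this is not SAML IdP metadata.'
    }
    [pscustomobject]@{ Removed = $targets.Count; Xml = $doc.OuterXml }
}

# Constructed sample with the general shape of federation metadata (not real AD FS output).
$sample = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  entityID="http://dc1.domain.local/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"/>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Location="https://dc1.domain.local/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

$result = Remove-RoleDescriptor -MetadataXml $sample
'Removed {0} RoleDescriptor element(s); {1} characters remain' -f $result.Removed, $result.Xml.Length

# Real file (both paths are placeholders):
# $xml = Get-Content -Raw -Path 'C:\Temp\idp-metadata.xml'
# (Remove-RoleDescriptor -MetadataXml $xml).Xml |
#     Set-Content -Path 'C:\Temp\idp-metadata-trimmed.xml' -Encoding UTF8
```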
Step 11: Import the ADFS IdP into the virtual proxy for ADFS
Note: At this point Sense and ADFS are configured. Follow Step 12 if you did not do 5-A.
Step 12: Removing the signingcertificaterevocationcheck and encryptioncertificaterevocationcheck on the ADFS server for the Relying Party Trust in an elevated (run as Administrator) Windows PowerShell:
You need to make ADFS not do any certificate check on that Relying Party Trust.
Reason: This is because ADFS and Sense do not have all the certificates trusted. This removes the need to have to deal with it.
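The change described in Step 12, as an added example that is not part of the original guide: it records the trust's current revocation settings, sets both to None for the test, confirms the result, and shows how to put the recorded values back. The trust name is a placeholder for the display name chosen in Step 7.

```powershell
# Added example, not from the original guide.
# Run in an elevated PowerShell session on the AD FS server.
$rpName = '<relying-party-trust-name>'   # placeholder: display name given to the trust in Step 7

# 1. Record the current settings so they can be restored after the test.
$before = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $before) { throw "No relying party trust named '$rpName' was found." }
$before | Format-List Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck

# 2. Turn off revocation checking for this one trust only.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None

# 3. Confirm that both values now read None.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Format-List Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck

# 4. After testing, restore the values recorded in step 1 (uncomment to run):
# Set-AdfsRelyingPartyTrust -TargetName $rpName `
#     -SigningCertificateRevocationCheck "$($before.SigningCertificateRevocationCheck)" `
#     -EncryptionCertificateRevocationCheck "$($before.EncryptionCertificateRevocationCheck)"
```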
Step 5-A: This step is to be performed before getting the SP metadata for the virtual proxy in Qlik Sense. The reason for this is that the SP metadata has the certificate information for the Proxy that’s linked to it. By default it will use the self-signed certificate that’s created when Sense is installed. However, ADFS does not trust this chain and to make it easier, we will just use a 3rd party certificate that’s from the same CA as the one that’s used for ADFS.
Below is an example of a certificate from the same CA as the DC1.domain.local certificate, made for qlikserver1.domain.local. The thumbprint is placed in the proxy that the virtual proxy for ADFS is linked to, and the proxy will now use this certificate for trust.