Qlik Community

Ask a Question

Knowledge Base

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
Join us at the Cloud Data and Analytics Tour! REGISTER TODAY

Quick Guide to installing ADFS for testing SAML

pbr
Employee
Employee

Quick Guide to installing ADFS for testing SAML

This example is under the assumption there's an understanding of your environment and having the proper permissions to perform the actions shown. Accounts used are all Local Administrators and the servers are open, with nothing blocked, and no other programs are installed on them.?

Prerequisites:
3rd Party SSL OR Self-Signed exported Certificate from the QMC for the ADFS server
Access to Sense installed on a server that can connect to the ADFS environment
Access to a server to install and configure ADFS

Note: Read the entire documentation to verify access and understanding of all actions stated within prior to starting the install and configuration.

Example Environment:
AD FS: DC1.domain.local
Qlik Sense: QlikServer1.domain.local 

Note: This documentation is only to used to validate and test SAML and ADFS. Use this at your own discretion


Step 1:
Install/import a valid certificate for the ADFS server with a Trusted Root from a Certificate Authority. This will be used to make sure both the SSL certificate bound to the Qlik Sense Proxy and ADFS trusts each other.


Example: TinyCerts.org – You can create your own CA and then certificates against that CA for any server name requested. Note: This option requires less steps in the long run, but would need to have access to the Certificate Authority and/or the certificate is prepared prior to save on time.

User-added image
 
Example: Using the Qlik Sense self-signed certificates that are exported from the QMC for the ADFS server name.

User-added image
User-added image


User-added image


Step 2:
Install the DC1.domain.local certificate chain


Note: The example shown is from TinyCerts.org and is a complete PFX file with the SSL certificate AND the Trusted Root Certificate combined. When installed it imports both certificates to their correct locations on the ADFS server. Self-Signed certificates import/install information is below.

User-added image
User-added image
User-added image
User-added image

Confirm the certificate is installed correctly:

User-added image

User-added image
 
Note: The same main steps are performed with the Self-Signed certificates exported by the QMC.

Import the certificate

  1. Launch Microsoft Management Console (mmc.exe) on the ADFS server
  2. In the MMC, go to File Add / Remove Snap-in...
  3. Select Certificates and click Add
  4. Select Computer account, click Next, select Local computer and click Finish
  5. In the MMC, go to Certificates (Local Computer)/Personal
  6. In the MMC, go to Actions > All Tasks > Import...
  7. Browse to the certificate file provided to you from your CA / Export from the QMC
  8. Follow the instructions on the screen to import the certificate, including the private key
  9. Verify the new certificate has been imported into Certificates (Local Computer) > Personal > Certificates and that it contains a private key
    1. Viewing the certificate when installed should have this entry: User-added image
  10. Follow the same steps to for the Trusted Root, but place it in Certificates (Local Computer) > Trusted Root Certification > Certificates 

 
Information:

  • The “server.pfx” is going to be installed in the Certificates (Local Computer) > Personal > Certificates
    •  Server name of the ADFS server you created (Example: dc1.domain.local)
  • The “root.cer” is going to be installed in the Certificates (Local Computer) > Trusted Root Certificates  > Certificates
    • Server name of the Central node of the Sense site once installed (Example: QlikServer1.domain.local)



Step 3:
Install ADFS on to DC1.domain.local through the Add/Remove features and selecting the check box for Active Directory Federation Services

  • There’s no configurations steps to Add the Feature for the demonstration (all default values)

 

Step 4:
Configure AD FS - Click Manage in the Server Manager and finish the ADFS setup


User-added image
User-added image
 
Note: Notice that dc1.domain.local is available in the drop down. If this is a clean install of server and then ADFS is installed, there will be NO certificates there other than ones you install (or are on the default image of the server). This is why we are using the one we created and makes it easier to ensure that all the certificates will trust everyone without extra configurations.

User-added image
User-added image
User-added image
User-added image

Example of the View Script

User-added image

Click Configure to start the installation process

User-added image
User-added image

You can ignore this message in a single ADFS test environment.


Step 5:
Configure the virtual proxy for ADFS


User-added image

SAML attribute for user ID: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
Note: The brackets around the SAML attribute for user directory. This will be needed for all directory names, even if linking to an established User Directory Connector. 


IF you’re going to use a 3rd party SSL certificate and do NOT want to change the encryptioncertificaterevocationcheck and signingcertificaterevocationcheck settings (Step 12 below) for the Relaying Trust, review Step 5-A at the end of the document, then proceed.


Step 6:
Download the SP metadata for the ADFS virtual proxy in the QMC and move it to the ADFS server (or a shared folder)
Note: You mus link the Virtual Proxy to a Proxy or this will not be possible and the button will be grayed out.



User-added image 


Step 7:
Configure the Relaying Party Trust using the SP metadata from Sense


User-added image
User-added image
User-added image
User-added image
User-added image
User-added image

Note: Once completed, go back into the Properties for this Relaying Party Trust and change it rom SHA-256 to SHA-1 for this demonstration.


Step 8:
Add the Claim information for the Relaying Party Trust


User-added image
User-added image
User-added image
User-added image

Note: You can pass many different AD attributes, but for this we are just sending the Windows Account Name information as the UserID (as set in the virtual proxy)


Step 9:
Download the ADFS IdP Metadata


User-added image
User-added image

ADFS Metadata URL: https://<ADFS_server_name>/FederationMetadata/2007-06/FederationMetadata.xml
Note: Putting the link into Chrome/Firefox will download the .xml file, but you can copy and paste it into Notepad and save it as .xml


Step 10:
Once you get the metadata in a file, you will need to remove any and all sections containing RoleDescriptor.
Note: This step may not be needed depending on the version of Sense and AD FS. If you're in current builds (any 2018 or later), it will most likely be fine just using the full IdP metadata XML. You will get an error in the QMC when applying, if it's not valid. 


Default Notepad:
Click at the start of the file and Find RoleDescriptor and the first entry.

User-added image

Make a few returns / spaces so when you select from the bottom to the top you’ll know where to stop.

User-added image

Scroll to the bottom of the file and click to move the cursor to the end of the file

User-added image

Change the direction from Down to Up and Find Next

User-added image

Once found, select the entire section between those two points and delete it. This will lower the size of the XML by more than half its original.

User-added image

Note: You can use other text editors, but this one is default on Windows and just takes a few quick searches.


Step 11:
Import the ADFS IdP into the virtual proxy for ADFS


User-added image

Note: At this point Sense and ADFS are configured.  Follow Step 12 if you did not do 5-A.


Step 12: Removing the signingcertificaterevocationcheck and encryptioncertificaterevocationcheck on the ADFS server for the Relaying Trust in an elevated (run as Administrator)  Windows PowerShell:
User-added image

  • You need to make ADFS not do any certificate check on that Relaying Party Trust
    • Set-ADFSrelyingpartytrust –targetName “Qlik Sense” –signingcertificaterevocationcheck “none”
    • Set-ADFSrelyingpartytrust –targetName “Qlik Sense” –encryptioncertificaterevocationcheck “none”

Reason: This is because ADFS and Sense do not have all the certificates trusted. This removes the need to have to deal with it.


Step 5-A:
This step is to be performed before getting the SP metadata for the virtual proxy in Qlik Sense. The reason for this is that the SP metadata has the certificate information for the Proxy that’s linked to it. By default it will use the self-signed certificate that’s created when Sense is installed. However, ADFS does not trust this chain and to make it easier, we will just use a 3rd party certificate that’s from the same CA as the one that’s used for ADFS.

Below is an example of a certificate from the same CA as the DC1.domain.local and is made for qlikserver1.domain.local. The thumbprint is placed in the proxy that the virtual proxy for ADFS is linked to, and will now use this certificate for trust.

User-added image

User-added image


 

Labels (2)
Version history
Revision #:
4 of 4
Last update:
‎2021-02-23 04:13 AM
Updated by:
 
Contributors