The steps below are for an example test setup of SAML authentication using auth0 as Identity Provider with Qlik Sense Enterprise on Windows.
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.
Note: These steps assume an auth0 "Developer" account has already been created
On Auth0 site:
- Logon to the auth0 Dashboard and click on + NEW APPLICATION.
- Give it an appropriate name (e.g. "QS_interactive_logon")
- Chose an application type: Single Page Web Applications
- Click on Create and ignore any tutorials
- Go to Connections > Database
- Click on + CREATE DB CONNECTION
- Give it an appropriate name (e.g: "QS_interactive_Users"), and click on Create
- Then go to the Applications tab and enable the connection only for the new application created above.
- Go to Users & Roles > Users and click on + CREATE USER
- Auth0 will send out an email message to the user to verify the account.
- On the new user's Details page, scroll down to the Metadata > user_metadata section
- Add the following in the JSON formatted text box in order to associate the "Everyone" group to this user:
user_metadata:
{
"groups": [
"Everyone"
]
}
- Go back to Applications and select your new application
- Under the Connections make sure no other Database connections are enabled
- Go to Rules and click on + CREATE RULE
- Select the </> Empty rule options under Empty
- Give it the name "Add groups to claim"
- Add the following to the Script box:
Script:
function (user, context, callback) {
if((user.user_metadata || {} ).groups){
context.idToken['https://qlik.com/groups'] = user.user_metadata.groups;
}
callback(null, user, context);
}
- Go to Rules and click on + CREATE RULE
- Select the </> Empty rule options under Empty
- Give it the name "Add sub as email"
- Add the following to the Script box:
function (user, context, callback) {
context.idToken['https://qlik.com/sub'] = user.email;
callback(null, user, context);
}
- Under Connections > Database select the connection created.
- Click on the Try Connection tab and a authentication page will open on a new browser tab.
- If the setup is correct a page displaying "It Works!" should be displayed with user profile metadata information further down the page.
- Go to Applications and click on the newly created application.
- Then go to the Addons tab and click on SAML2 WEB APP.
- Under the Settings > Application Callback URL configure the URL with the following format:
Application Callback URL: https://<Qlik Sense FQDN>/<Virtual Proxy prefix>/samlauthn/
Where:
<Qlik Sense FQDN> is the fully qualified name of the server as it is reachable by the user.
<Virtual Proxy prefix> will be the prefix configured in the new Qlik Sense Virtual Proxy to be created on the next Qlik Sense steps below.
- e.g: https://qlikserver1.domain.local/auth0/samlauthn/
Note1: Make sure the last slash in the URL is present as it may lead to errors otherwise!
Note2: This also adds a new URL to the Application > Setting > Allowed Callback URLs field every time the above is changed.
- Now under Addons: SAML2 Web App > Usage > Identity Provider Metadata: click download and store the IdP metadata xml file which will be used in the next Qlik Sense steps below.
On Qlik Sense Management Console (QMC):
- Under START > CONFIGURE SYSTEM > Virtual Proxies, click on Create new
- Configure the following values under IDENTIFICATION and AUTHENTICATION areas.
| Description |
SAML_auth0 |
An appropriate description |
| Prefix |
auth0 |
This will be the prefix used when accessing Qlik Sense via URL |
| Session cookie header name |
X-Qlik-Session-auth0 |
Needs to differ for every Virtual Proxy |
| Authentication method |
SAML |
The authentication enabled via auth0 |
| SAML host URI |
https:// |
The Qlik Sense Server |
| SAML entity ID |
https://.auth0.com |
This can be found in the metadata file downloaded from auth0 under entityID |
| SAML IdP metadata |
Choose File: This is the xml file downloaded from Auth0 |
The IdP metadata file downloaded from auth0 |
| SAML attribute for user ID |
See Claim Types (learn.microsoft) |
This is also found in the metadata file from auth0 |
| SAML attribute for user directory |
[Auth0] |
Directory name |
| SAML signing algorithm |
SHA-1 |
Used by auth0 |
- Under the Virtual Proxy's LOAD BALANCING configuration, map the appropriate Server node or the proxy will not be usable.
- Click on Apply, then go back into it and click on View Content link under the SAML IdP metadata. This is the auth0 IdP metadata that was uploaded to this Virtual Proxy settings.
- Go back to START > CONFIGURE SYSTEM > Virtual Proxies, highlight the auth0 Virtual Proxy created and click on Download SP metadata. This is the Qlik Sense SP metadata.
- Open the Qlik Sense SP metadata with a browser (e.g: IE) and view it. Notice that the Location= URL under AssertionConsumerService should match what was included in the Auth0's setting Application Callback URL. This can be confirmed in the Auth0's site under Applications > the created application > Settings > Application URIs > Allowed Callbacks URLs.
- Test the authentication via the new SAML Virtual Proxy by going to https://<Qlik Sense FQDN>/<prefix>/qmc. (e.g: https//qlikserver2.domain.local/auth0/qmc)
Related Content:
