Hi All,
Need some advice, as the Qlik documentation seems to pretty much cover single installs for ADFS, which we have got sorted on our Dev and UAT machines.
We are running Qlik February 2021 Patch 3 on all environments and currently have Windows authentication SSO working on production, but are trying to move to ADFS for better security.
We have six machines in total :
1 x Central Node
2 x Proxy / Consumer - where users come in with ssl (third party cert)
2 x Reload Task boxes / 1 acting as Failover
1 x NPrinting Node - with Qlik Sense and NPrinting on it. Yes, we know it shouldn't have both on, but it was part of the original design from our deployment partners 3-plus years back.
We have now set up the virtual proxy as per the documentation:
See the attached file; as per our UAT and Dev environments, the SAML attribute for user connection is our AD connection.
We have cleared the role descriptor from the federated file we have loaded, and the ADFS machine is also aware of the third-party SSL cert.
Load balancing we have currently set as Consumer 1 and Consumer 2, which is what the end users come in on and where the SSL cert is set in the nodes.
On the Proxies, we have put the two consumers also.
In a multi-node setup, do you have to set two ADFS entries, one for consumer 1 and one for consumer 2, and have a unique SAML entity ID for each? We found the document missed this when we set up our Dev and UAT, so we had to put an adfs-dev and adfs-uat for these, and did the same as you can see on the attached with adfs-prod. But would this need to be adfs-prodconsumer1 and adfs-prodconsumer2 to cover the two virtual proxy entries?
Why Qlik doesn't provide better documentation around this for multi-node, when it's so common, I do not know.
Also, when we check the logs currently on both of the consumer nodes, there are no SAML errors, just an Error 400 screen when we try the ADFS link.
The screen shows the Qlik icon - 400 - Bad Request - The HTTP header is incorrect.
We use a NetScaler to balance the traffic in on the address https://myexample.analytics.com, and it has both proxies listed in the pool to be balanced across too.
Any ideas, advice or even documentation from those who have been in this scenario would be great.
We are using this link:
So no use of Okta or other variants, etc.
Kind Regards,
David
Hi All,
After working through a support ticket with Qlik, the resolution was a simple one: making sure to include the site address also with the https in front of it, so mysite.analytics.com and mysite.analytics.com/adfs. Once these were added to the adfs virtual proxy, and to the consumer 1 and consumer 2 entries for good measure, the issue was solved. The issue was identified in the proxy logs, where mysite.analytics.com was spotted as being blocked by Qlik Support.
For anyone setting up a multi-node environment, these are the steps we followed.
1. Create a new virtual proxy called adfs in your QMC.
2. In the description put adfs, and in the prefix adfs.
3. The session timer is up to you; we set it to 60 from the default of 30 mins.
4. Next, for the Session cookie header name put X-QlikSense-adfs or X-QlikSense-adfsprod to help you differentiate. In the documentation it just says adfs, but before making it the default we found having adfsuat or adfsdev in the session cookie header name was useful when setting up on the ADFS side.
5. Anonymous access mode: set to 'No anonymous users'.
6. Authentication method: SAML.
7. SAML single logout: tick the box. This clears your sessions in the backend and will generate a new session each time you log in, as a logout URI is generated in the IdP metadata.
8. SAML host: put the address users come in on before hub and qmc, so https://mysite.analytics.com/
9. SAML entity ID: this is where you have a unique entry to differentiate your ADFS entries on the ADFS server side, so I'd suggest what we did here and go for adfs-env, so prod for prod, uat for uat and dev for dev, etc.
10. SAML attribute for user ID: we went for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, and this was mapped to allow a user to log in with the following format: ADUserDirectoryName, making sure to use [ ] around the name. You can find the user directory by checking what you set your user syncs up as under User Sync in the QMC.
11. We went with the default SAML signing algorithm, SHA-1. You can use SHA-256, but in that scenario make sure your self-signed cert (or, as I'd recommend for prod, your third-party SSL cert) includes the SHA-256 MS-supported cryptos, as listed elsewhere in knowledge articles outside of this guide.
12. Now under SAML attributes mapping put :
http://schemas.xmlsoap.org/claims/Group
and in QlikSense attribute put :
Group
And untick Mandatory
13. Load balancing: this is important. You need to put in the two consumer/proxy nodes (or whatever you call the machines) that have your SSL cert listed under Proxy in the QMC and that users come in on.
We have both of these machines listed in a NetScaler front end, so our https://mysite.analytics.com will hit a NetScaler IP, and then the NetScaler pool has the two consumer proxies in it and sends the traffic to either consumer 1 or consumer 2. So, if you have 4 proxy/consumer/web-tier nodes (or whatever you call them), add them here, and only those that users get balanced onto. Very important to listen to this!
14. Under Proxies you again want to select only the proxies/web-tier/end-user-point proxies that you have set up with the SSL certs on in the Proxies section of the QMC, as these will be the ones used by ADFS to pass the users in on, and only these, once again!
15. Select secure attribute (https), as you want to be using https. I believe it may be set by default when you select SAML, but tick it anyway.
16. We left the SameSite attribute as 'Lax', but set it to your setting of choice if your normal nodes have this set differently in the virtual proxy.
17. SameSite attribute (http): No attribute.
18. Host white list: now listen carefully. This has to be done exactly, covering the paths that your ADFS link will come in on, and include the IPs of traffic for the two consumer nodes (or however many you have).
We put our ip's :
* for our two consumer nodes
* central node
* fileshare
also :
mysite.analytics.com - MAKE SURE THIS IS DEFINITELY PRESENT OR YOU WILL FACE THE ERROR 400 I discussed earlier.
mysite.analytics.com/adfs
mysite.analytics.com/hub
machine name of central node
machine name of failover node or nodes
machine name of consumer 1 and 2, or others you have
This should cover all variations of SAML site / IP addresses being passed behind the scenes.
Now I state this clearly: make sure mysite.analytics.com (put your company site address) is in there both with https and without. We had the one without missing and ADFS would not work, and there are no big signs unless you dig into the logs, which will tell you this!
19. Now click Apply, and send over the adfs_spmetadata.xml after clicking 'Download SP' in the virtual proxy main window. This will appear once your virtual proxy for ADFS has saved. Be warned: with proxy link and load balance changes, applying will restart the proxy service and kick you and your users out, so downtime to set this up is crucial, and in most cases a full restart of the services across your multi-node estate is usually a good idea too (as you have that PowerShell script saved and documented, right?).
19a. Please follow the section Configure ADFS and PowerShell Settings on the link below, but feel free to select your version at the side on the left menu bar:
You may also find this link useful a knowledge base article :
https://community.qlik.com/t5/Knowledge/Quick-Guide-to-installing-ADFS-for-testing-SAML/ta-p/1710427
I found Step 5a useful for talking through with your ADFS admins to ensure that your SSL wildcard cert is trusted and set up as such on the ADFS side.
20. When you get the federation metadata file back to add into your SAML IdP metadata section, first open it in WordPad or Notepad++ and find references to <RoleDescriptor> and </RoleDescriptor>. You will find a few entries in a block; you want to cut from the first <RoleDescriptor> to the </RoleDescriptor> end tag, so no RoleDescriptor is left in the XML. Even on Qlik Sense Feb 2021 we did this as a set; it says you should be OK, but I find that if earlier versions had issues then do as they did, and it's one less issue to worry about.
21. With that added and uploaded, you will want to click Apply again and wait for the green 'successfully saved' line, then log back in, as once again the proxy services will be restarted on the nodes.
22. On the ADFS front, you want to check with the ADFS admin (or yourself) that you have run the PowerShell section of the normal ADFS SAML guide for your version of Qlik Sense to set up the trust, or, as in our case, make sure your third-party SSL cert is trusted by the ADFS side of things.
23. Now it is time to test your ADFS install:
I would suggest going to a separate browser that you don't have open, like Firefox, Edge or Chrome, but if already in a session (e.g. Chrome) go to incognito mode, then type in your new link:
https://mywork.analytics.com/adfs
It should pop up an entry box where you can put your username and password, like you would when logging in to your work machine.
It should then default to the hub site; if you want the QMC, after that simply put:
https://mywork.analytics.com/adfs/qmc/
and this will open up the QMC.
If you get a 'please consult your admin' error when you try this then something has been misconfigured.
I'd advise logging in to your consumer nodes, going to the proxy log files (trace, security and other files) and searching for 'SAML error'. It will hopefully highlight things like a missing attribute and what that is, so you can feed back to your ADFS admin or tweak the ADFS settings to include the relevant missing setting.
For further issues raise a ticket with Qlik Support and detail the issues. I found a screenshot of the virtual proxy, the setup you have, licence details and the XML files for the metadata and adfs_sp useful, plus the proxy logs and your good friend the log collector. I would run this on one of the consumer nodes to be of most use to you and Support's assistance.
NPrinting Only :
24. If you have NPrinting configured, be it API or just tasks set up on NPrinting to run between your Sense site and it, you will need to keep a Windows virtual proxy configured, as Sense and NPrinting up to Feb 2021 do not support ADFS on the backend and you'll get an error on the metadata refresh. What you need to do, if you have Qlik Sense installed on the same node as your NPrinting (not advised by Qlik, I know), is set that virtual proxy with an alias like nprintinglogin. Save that virtual proxy and again restart the services across the estate if needed (e.g. if the proxies are not attached on the main Virtual Proxy window, to reattach them), or just wait 5 minutes, open another incognito session, go to the QMC and confirm it's Yes for both options in the virtual proxy main window.
25. In the web front end of your NPrinting environment, log in with your NPrinting credentials or the Windows Login button.
Go to the connections and on each connection, in the proxy section, put:
https://machinename/nprintinglogin
or /whateveryouhavenamedyouralias
Do this for each app connection and click the button to check it can connect first. You should have all green ticks, then click Save. I'd advise taking your time with this as it can lock up if you do more than 3 connections at once, at least in our case with a 16 GB memory and quad-core Intel Xeon setup.
26. With all the connections done and saved, your NPrinting and Sense environment will continue to work.
27. You can configure your NPrinting front end (login) to be set up for SAML ADFS, and I have attached the Qlik Support article on how to do this.
Qlik Sense making ADFS default :
1). Now you have ADFS set up, and also NPrinting working if you have that option too, you will want to make it the default option for your users to come in on, after testing that all is fine with the two running side by side for users.
2). You will want to arrange downtime to do this, to allow you time to test, and as it takes down the proxies and may need services restarted across the estate.
3). With downtime started, go into the QMC, go to your virtual proxies and set the non-ADFS proxies to have an alias of winlogin or logon or an alias of your choice, making sure to change the session cookie header name to something like X-Qlik-Session-logon, etc.
Apply the changes; it will restart the proxy, and restart the services if you need to.
4. With the environment back up, go to your new non-ADFS link:
https://mywork.analytics.com/logon
I'd suggest a new browser or incognito/equivalent mode. It should prompt you to add your Windows credentials, and when it logs you in you'll see something like
https://mywork.analytics.com/logon/hub/qlikticku78u808989908
with it defaulting to the hub. You can test the QMC by replacing hub with qmc, and you'll see similar to above with a qlikticket after qmc/.
This means your non-ADFS link is now working, but you want to make ADFS the default.
5. Contact your ADFS admin or go onto the ADFS box, and in Qlik remove the adfs prefix and adfs from your session cookie.
You may find you need to send over the downloaded SP metadata and re-add your federation metadata (RoleDescriptor-stripped) file again, as it now has the non-prefix variants, but you should hopefully be able to change the ADFS side to pick up the change in session cookie and prefix.
6. Once you have made the relevant tweaks, or heard from the ADFS admin that these changes have been made, you'll be able to test your new default ADFS link:
https://mywork.analytics.com/ will default to the hub, but log you in via ADFS, as it redirects via your now-default ADFS virtual proxy.
If you get a 400 Bad Request error, check the proxy logs once again and see what error is being produced, and work with your ADFS admin to resolve it, or raise the call with Qlik Support or your third-party provider to assist you, and log and collect the details listed earlier.
7. If all has gone to plan you now have a default ADFS link, a viable Windows link to your NPrinting, and an old winlogin link in case you need to fall back from ADFS.
Notes :
To date you still have to have the default proxies that came with your original setup, and your ADFS link will not be shown as default, but it will work in the way that it is your default.
Off record:
This is not supported or advised by Qlik in any way, and the risk is yours, but you can find the virtual proxy settings in your Postgres database via pgAdmin and change the virtual proxy settings, if for some reason you cannot get into your environment and need to make the Windows login default once again with no prefix, and also set the ADFS link as default and the other to show as not default. But whilst it is possible, I believe it adds no benefit to the overall final solution, as your link, if following these and the Qlik steps referenced, will work as the default anyway, and it is just a setting shown in your QMC in reality.
I hope you find this useful, as there doesn't seem to be a definitive article posted to the forums or Qlik knowledge base like this for multi-node, so feel free to use and save as you feel.
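A scripted version of step 20 in the post above (cutting the RoleDescriptor blocks out of the ADFS federation metadata before pasting it into the virtual proxy's SAML IdP metadata field). This is an added example, not code from the original post or from Qlik. The metadata embedded in it is constructed for the example and trimmed to the elements that matter; the host adfs.example.com and the file names are placeholders. It drops every top-level RoleDescriptor with a parser rather than by hand, and then summarises what is left so the entity ID, SSO/SLO endpoints and signing certificate can be checked before upload.

```python
"""Strip RoleDescriptor blocks from an AD FS FederationMetadata.xml.

Added example, not part of the original post or of Qlik's tooling. AD FS
publishes WS-Federation / WS-Trust roles (md:RoleDescriptor) alongside the
SAML 2.0 IdP role (md:IDPSSODescriptor); Qlik Sense only needs the latter.
The ds:Signature in a real file covers the whole document, so any edit, by
hand or by script, invalidates it; the manual cut described in the post is
accepted by the virtual proxy, so that signature is evidently not enforced
on upload. The sample metadata below is constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Keep the conventional prefixes on output instead of ElementTree's ns0/ns1.
ET.register_namespace("", NS["md"])
ET.register_namespace("ds", NS["ds"])

ROLE_DESCRIPTOR = "{%s}RoleDescriptor" % NS["md"]

# Constructed sample shaped like AD FS output: two RoleDescriptor blocks
# (WS-Federation / WS-Trust) ahead of the SAML 2.0 IdP descriptor.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_c0ffee" entityID="http://adfs.example.com/adfs/services/trust"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TokenTypesOffered/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC0nstructedBase64==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def strip_role_descriptors(metadata: bytes) -> bytes:
    """Return the metadata with every top-level md:RoleDescriptor removed."""
    root = ET.fromstring(metadata)
    for child in list(root):  # iterate over a copy, we mutate the tree
        if child.tag == ROLE_DESCRIPTOR:
            root.remove(child)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def summarize(metadata: bytes) -> dict:
    """The facts worth eyeballing before pasting the file into the QMC."""
    root = ET.fromstring(metadata)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML 2.0 IdP metadata")
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "role_descriptors": len(root.findall("md:RoleDescriptor", NS)),
        "signing_certs": len(certs),
        # e.g. "HTTP-Redirect" from the full urn:...:bindings:HTTP-Redirect
        "sso_bindings": sorted(e.get("Binding").rsplit(":", 1)[1]
                               for e in idp.findall("md:SingleSignOnService", NS)),
        "slo_urls": sorted({e.get("Location")
                            for e in idp.findall("md:SingleLogoutService", NS)}),
        "signed": root.find("ds:Signature", NS) is not None,
    }


if __name__ == "__main__":
    # Usage: python strip_roles.py FederationMetadata.xml > idp_metadata.xml
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    cleaned = strip_role_descriptors(raw)
    print("before:", summarize(raw), file=sys.stderr)
    print("after: ", summarize(cleaned), file=sys.stderr)
    sys.stdout.buffer.write(cleaned)
```

Run it against the file the ADFS admin sends back and compare the two summary lines on stderr: role_descriptors should go from 2 (or however many AD FS emitted) to 0 while entity_id, signing_certs and the SSO/SLO endpoints are unchanged. If the "after" summary shows zero signing certificates or raises for a missing IDPSSODescriptor, too much was cut, which is exactly the failure a manual cut in Notepad++ can produce silently.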