Service Provider(Qliksense) initiated Authentication Process

The following process is about how to setup SAML authentication for users in AWS environment if there is no no trust available between enterprise active directory(Idp) and AWS MAD(managed active directory).

for SAML:

• Idp=Identity Provider=Enterprise active directory
• Service Provider=Qliksense=Hosted in EC2 instance

Requirements for SAML setup:

• Identity Provider metadata from enterprise active directory 
• Service provider metadata exported from virtual proxy of qliksense
• SSL certificate in .pfx format

Steps for SAML Config:

1. First get the Idp metadata in XML format
2. Stop all the Qliksense services
3. Install the SSL certificate in .pfx format in personal>certificates in mmc
   1. CSP value of the SSL certificate should be Microsoft Enhanced RSA and AES Cryptographic Provider for SHA-256
   2. Change the value of CSP using openssl if CSP value is different. No issues or risk in doing that.
4. Update the thumbprint of the certificate in Proxy>Security
5. Create a new virtual proxy in QMC by following steps mentioned by Qlik
6. Name of the proxy and prefix could anything as it is only used for identification from default proxy
7. Header of the cookie session again could be anything. example you can add the prefix here as a suffix such as -prefix.
8. SAML host URI is the name that you would like users to use while accessing the qliksense over url. It is not mandatory to be same as the actual EC2 DNS/host/FQDN name. Lets say if you are using ALB then you may put the friendly DNS/CNAME name of ALB.
9. Entity ID could be any random user defined value
10. Upload the Idp metadata
11. User Attribute would be the identity claim name in SAML response that you would like to use such as Employee ID, Employee Email etc. Please check with the Idp on what identity claims they could provide in SAML response.
12. User Directory again could be the identity claim field name that holds Domain/Employee ID. Here field name should be mentioned without square brackets[]. If [] brackets are used then whatever value mentioned inside the [] will become a static value for all users.
13. Link to central node or the node you want in the SAML Virtual Proxy>Load balancing
14. Add the SAML Host URI name to the whitelist host list of SAML Virtual Proxy>Advanced
15. Encryption to be SHA-256
16. Add the SAML attributes mapping per the fields available in SAML response. SAML field name should be same as the attribute name in SAML resposne and Qliksense field name could be as you like.
17. Click on Apply
18. Link the proxy through SAML Virtual Proxy>Proxies
19. Download the service provider metadata by Virtual Proxy>SAML Virtual Proxy
20. Upload the SP metadata to Idp if possible
    1. Otherwise manually open the SP metadata
    2. Copy the entity id and put the same value in identifier field in Idp
    3. Copy the ACS(AssertionConsumerService) URL value and put it in the Assertion endpoints fields in Idp
    4. NAME ID claim should be transient in Idp
    5. Copy the x509 certificate value and upload in Idp
    6. Configure the identity claims, role claims etc. in Idp based on the information of an user you need in SAML response
    7. Signature encryption to SHA-256

Note-

If using ALB in AWS then all traffic from Idp will be forwarded to ALB first and then ALB will forward the traffic to the target EC2s. If the ALB's listening port is different to Qliksense proxy's listening port, then update the ACS URL endpoint in Idp with the port that ALB is listening. Please don't use the same port as Qliksense proxy is listening which was available in SP metadata. Example-

Incase of using ALB-ACS URL=https://<saml host uri name>:<ALB listening port>/<virtual proxy prefix>/samlauthn/

Incase of only using EC2/windows host=ACS URL=https://<saml host uri name>:<Qliksense proxy listening port(i.e. default value is 443)>/<virtual proxy prefix>/samlauthn/