AshutoshB (Contributor II)

SAML Authentication with AWS ALB and Qliksense EC2 Instance

Service Provider(Qliksense) initiated Authentication Process

The following process describes how to set up SAML authentication for users in an AWS environment if there is no trust available between the enterprise Active Directory (Idp) and AWS MAD (Managed Active Directory).

For SAML:

  • Idp=Identity Provider=Enterprise active directory
  • Service Provider=Qliksense=Hosted in EC2 instance

Requirements for SAML setup:

  • Identity Provider metadata from enterprise active directory 
  • Service provider metadata exported from virtual proxy of qliksense
  • SSL certificate in .pfx format

Steps for SAML Config:

  1. First get the Idp metadata in XML format
  2. Stop all the Qliksense services
  3. Install the SSL certificate in .pfx format in personal>certificates in mmc
    1. CSP value of the SSL certificate should be Microsoft Enhanced RSA and AES Cryptographic Provider for SHA-256
    2. Change the value of CSP using openssl if CSP value is different. No issues or risk in doing that.
  4. Update the thumbprint of the certificate in Proxy>Security
  5. Create a new virtual proxy in QMC by following steps mentioned by Qlik
  6. Name of the proxy and prefix could be anything, as it is only used to distinguish it from the default proxy
  7. Header of the session cookie again could be anything. For example, you can add the prefix here as a suffix, such as -prefix.
  8. SAML host URI is the name that you would like users to use while accessing Qliksense over the URL. It does not have to be the same as the actual EC2 DNS/host/FQDN name. Let's say if you are using an ALB then you may put the friendly DNS/CNAME name of the ALB.
  9. Entity ID could be any random user defined value
  10. Upload the Idp metadata
  11. User Attribute would be the identity claim name in SAML response that you would like to use such as Employee ID, Employee Email etc. Please check with the Idp on what identity claims they could provide in SAML response.
  12. User Directory again could be the identity claim field name that holds Domain/Employee ID. Here field name should be mentioned without square brackets[]. If [] brackets are used then whatever value mentioned inside the [] will become a static value for all users.
  13. Link to central node or the node you want in the SAML Virtual Proxy>Load balancing
  14. Add the SAML Host URI name to the whitelist host list of SAML Virtual Proxy>Advanced
  15. Encryption to be SHA-256
  16. Add the SAML attribute mappings per the fields available in the SAML response. The SAML field name should be the same as the attribute name in the SAML response and the Qliksense field name could be as you like.
  17. Click on Apply
  18. Link the proxy through SAML Virtual Proxy>Proxies
  19. Download the service provider metadata by Virtual Proxy>SAML Virtual Proxy
  20. Upload the SP metadata to Idp if possible
    1. Otherwise manually open the SP metadata
    2. Copy the entity id and put the same value in identifier field in Idp
    3. Copy the ACS(AssertionConsumerService) URL value and put it in the Assertion endpoints fields in Idp
    4. NAME ID claim should be transient in Idp
    5. Copy the x509 certificate value and upload in Idp
    6. Configure the identity claims, role claims etc. in Idp based on the information of an user you need in SAML response
    7. Signature encryption to SHA-256

Note-

If using an ALB in AWS then all traffic from the Idp will be forwarded to the ALB first and then the ALB will forward the traffic to the target EC2s. If the ALB's listening port is different from the Qliksense proxy's listening port, then update the ACS URL endpoint in the Idp with the port that the ALB is listening on. Please don't use the port the Qliksense proxy is listening on, which is the one that appears in the SP metadata. Example-

In case of using ALB: ACS URL=https://<saml host uri name>:<ALB listening port>/<virtual proxy prefix>/samlauthn/

In case of only using EC2/Windows host: ACS URL=https://<saml host uri name>:<Qliksense proxy listening port (i.e. default value is 443)>/<virtual proxy prefix>/samlauthn/
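As an added example (not part of the original post): a script that reads the SP metadata exported from the virtual proxy, pulls out the entity ID, ACS URL, NameID format and signing certificate that step 20 enters into the Idp, computes the certificate's SHA-1 thumbprint for Proxy>Security, and rewrites the ACS URL for the ALB listening port as the note above describes. The metadata, host names and certificate bytes are constructed placeholders, and the script assumes a single AssertionConsumerService element.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata in the shape the virtual proxy exports; the
# certificate bytes are a placeholder, not a real X.509 certificate.
FAKE_DER = b"placeholder-bytes-not-a-real-certificate"
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="qliksense-saml-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://qlik.example.com:443/saml/samlauthn/" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Pull out the values that step 20 says to enter by hand in the Idp."""
    root = ET.fromstring(xml_text)
    cert_b64 = root.find(".//ds:X509Certificate", NS).text.strip()
    acs = root.find(".//md:AssertionConsumerService", NS)
    return {
        "entity_id": root.attrib["entityID"],               # Idp "identifier" field
        "acs_url": acs.attrib["Location"],                   # Idp assertion endpoint
        "name_id_format": root.find(".//md:NameIDFormat", NS).text,  # expect transient
        "cert_b64": cert_b64,                                # upload to the Idp
        # SHA-1 of the DER bytes: the same value certutil prints as Cert Hash(sha1)
        "thumbprint_sha1": hashlib.sha1(base64.b64decode(cert_b64)).hexdigest(),
    }


def acs_url_for_alb(acs_url, alb_port, saml_host=None):
    """ACS URL to enter in the Idp when an ALB fronts the EC2 node: swap in the
    ALB listening port and, optionally, the friendly SAML host URI name."""
    parts = urlsplit(acs_url)
    host = saml_host or parts.hostname
    return urlunsplit(parts._replace(netloc=f"{host}:{alb_port}"))
```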


Accepted Solutions
AshutoshB (Contributor II, Author)

Procedure to create CSR with SAN: One can do it in both Windows and Linux OS

  1. Log in to the server where you have OpenSSL installed
  2. Go to /tmp or create any directory
  3. Create a file named san.cnf using vi (if on Unix) with the following information:
[ req ]
default_bits            = 2048
distinguished_name      = req_distinguished_name
req_extensions          = req_ext
[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
organizationName        = Organization Name (eg, company)
commonName              = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName          = @alt_names
[alt_names]
# example values; replace with the DNS names the certificate must cover
DNS.1   = bestflare.com
DNS.2   = usefulread.com
DNS.3   = chandank.com

Note: alt_names section is the one you have to change for additional DNS.

  4. Save the file and execute the following OpenSSL command, which will generate the CSR and KEY files

openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf

  • This will create sslcert.csr and private.key in the present working directory.
  • You have to send sslcert.csr to your internal certificate authority so they can provide you with a certificate with the SAN.


AshutoshB (Contributor II, Author)

Possible errors:

Error 500:

  1. SSL certificate used is incorrect
  2. Stop all the Qliksense services
  3. Install the .pfx with the CSP=Microsoft Enhanced RSA and AES Cryptographic Provider
  4. Restart the services
  5. Download the SP metadata of the virtual proxy
  6. Upload the x509 certificate from the SP metadata to the Idp

https://community.qlik.com/t5/Official-Support-Articles/Error-500-Internal-server-error-in-the-Hub-Q... 

Error 400:

  1. The SAML attribute for user id configured in the virtual proxy is incorrect
  2. Check the proxy audit log

https://help.qlik.com/en-US/sense-admin/February2023/Subsystems/DeployAdministerQSE/Content/Sense_De... 


AshutoshB (Contributor II, Author)

Create the .pfx file from the .cer and private key (.key) file

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.cer

Extract the private key from the .pfx file

openssl pkcs12 -in certificate.pfx -nocerts -nodes -out privateKey.key

Extract the .cer from the .pfx file

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.cer

Check if the .cer contains the private key

openssl x509 -in certificate.cer -text -noout

Exporting the certificate from the .pfx file

Exporting the certificate is pretty easy, just use the following command:
openssl pkcs12 -in pfxkeystore.pfx -out certificate.pem -nokeys -nodes

Convert to x509 format

The exported certificate is not an x509 certificate. To convert it, use the following command:
openssl x509 -outform der -in certificate.pem -out certificate.cer

To check the CSP

certutil -dump c:\temp\idp.pfx

Steps to convert the CSP are as follows:

1. Firstly, it must be converted from PKCS12 to PEM format. From the example below, you will see how to convert a single .pfx file containing both the certificate and the private key into .pem format. When asked, be ready to provide the password used for protecting the private key.

openssl pkcs12 -in c:\temp\idp.pfx -out c:\temp\idp.pem
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

2. Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.

openssl pkcs12 -export -in c:\temp\idp.pem -out c:\temp\new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter pass phrase for c:\temp\idp.pem:
Enter Export Password:
Verifying - Enter Export Password:

3. Now you can verify the CSP in the new PFX file with the CertUtil command again.

certutil -dump c:\temp\new-idp.pfx
Enter PFX password:
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 09ec562aa92ffa0ed554f5135afa3ccb
Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
NotBefore: 2/7/2013 2:00 AM
NotAfter: 4/4/2016 2:00 PM
Subject: CN=*.qlik.com, O=QlikTech International AB, L=Lund, S=Skane, C=SE
Non-root Certificate
Cert Hash(sha1): d7 fe a0 8d c7 f5 e5 e4 ff e9 14 91 00 d9 95 5f 61 51 00 68
---------------- End Nesting Level 1 ----------------
Provider =
Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -dump command completed successfully.
The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512 XML signatures.

Conversion is Done!

OPTIONAL: If you have your certificate and private key stored in the .pem format already but separate files, the following command will help you to combine them and generate the .pfx file with the correct CSP.
openssl pkcs12 -export -inkey key.pem -in cert.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
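Added example (not from the original post): a small check to run over `certutil -dump` output before installing the .pfx, confirming the CSP named above and the validity dates, and normalising the SHA-1 hash into the thumbprint form entered in Proxy>Security. The listing is constructed from the output quoted above; only the Provider line's two layouts (value after "=" or on the next line) are assumed.

```python
from datetime import datetime

# The CSP the post says the .pfx must carry before it is installed for Qlik Sense.
REQUIRED_CSP = "Microsoft Enhanced RSA and AES Cryptographic Provider"

# Constructed from the certutil listing in the post above (same fields and layout).
SAMPLE_DUMP = """\
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
NotBefore: 2/7/2013 2:00 AM
NotAfter: 4/4/2016 2:00 PM
Subject: CN=*.qlik.com, O=QlikTech International AB, L=Lund, S=Skane, C=SE
Cert Hash(sha1): d7 fe a0 8d c7 f5 e5 e4 ff e9 14 91 00 d9 95 5f 61 51 00 68
---------------- End Nesting Level 1 ----------------
Provider =
Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -dump command completed successfully.
"""

def parse_certutil_dump(text):
    """Extract subject, validity dates, SHA-1 hash and CSP from `certutil -dump` output."""
    info = {}
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        key, _, value = line.partition(":")
        if line.startswith("Provider ="):
            # certutil prints the CSP name after "=" or on the following line
            value = line.partition("=")[2].strip()
            info["provider"] = value or (lines[i + 1] if i + 1 < len(lines) else "")
        elif key in ("NotBefore", "NotAfter"):
            info[key] = datetime.strptime(value.strip(), "%m/%d/%Y %I:%M %p")
        elif key == "Cert Hash(sha1)":
            # the thumbprint form used in Proxy > Security, without the spaces
            info["thumbprint_sha1"] = value.replace(" ", "").lower()
        elif key == "Subject":
            info["subject"] = value.strip()
    return info

def pfx_problems(info, today):
    """Reasons not to install this .pfx; `today` is an ISO date such as 2024-01-01."""
    now = datetime.strptime(today, "%Y-%m-%d")
    problems = []
    if info.get("provider") != REQUIRED_CSP:
        problems.append(f"CSP is {info.get('provider')!r}, expected {REQUIRED_CSP!r}")
    if "NotAfter" in info and info["NotAfter"] < now:
        problems.append(f"certificate expired on {info['NotAfter']:%Y-%m-%d}")
    return problems
```

The same two functions apply unchanged to the dump of the original idp.pfx, so a provider mismatch shows up before rather than after the conversion.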
