Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
We've been using Windows/LDAP authentication for several years but are wanting to transition to Azure AD authentication using the approach outlined in this tutorial.
We've proved out this approach in a dev environment, but we're disappointed that in the process, new users are created, which means we'll lose all the security rules and license allocations for our existing users.
See the attached screenshot showing my original user entry (Name: Ken Daniels; directory: CONTOSO) and the new user entry that was created after the first time I logged in using Azure AD (Name: ken.daniels@contoso.com; directory: AZURE). I had to manually assign my new user a role and a license allocation.
Is there a straightforward way to retain our existing users, allocations, and security rules, or do we have to start all over from scratch?
That's our primary concern. A secondary concern is that when setting up the Azure AD SSO/SAML authentication, we were required to define a prefix (we chose "sso"), which necessitated a change in url: whereas our previous url was https://qlik.contoso.com, it's now https://qlik.contoso.com/sso. This means all our direct links and bookmarks pointing to various sheets will be broken--not a pleasant experience. Is there any way to retain the original url after transitioning to Azure AD SSO?
Accepted Solutions
Primary question:
Ultimately you will want to match the userDirectory and userIds between the two authentication providers.
userDirectory is easy: QMC > Virtual Proxies > Edit Authentication > SAML Attribute for user directory. If you have a single AD, then just wrap the NETBIOS name of the domain (in this example CONTOSO) in brackets ([CONTOSO]). If you have varying ADs then use the same approach as the userId.
userId is a bit more complicated. At the outset, you should first review the attributes which are being sent. I regularly use this extension for Chrome, but there are similar ones for other browsers. After looking over the attribute statement, find if just plain vanilla userId is being sent as an attribute currently. If so, swap it out for the SAML Attribute for user ID section for the virtual proxy.
I don't have an Azure AD SAML virtual proxy setup, but to use an analogy to my Auth0 virtual proxy, my attributes are like so:
If I wanted to use just the portion before the @, then I'd use the nickname attribute and the value I'd enter into Qlik Sense is http://schemas.auth0.com/nickname (the value for the name element is how you tell Qlik Sense what to parse).
If there isn't an attribute present, then that means adding in on the SAML side and I don't have a doc ready made for that though from this guide (https://community.qlik.com/t5/Technology-Partners-Ecosystem/Azure-AD-Single-Sign-on-SAML-Over-an-App...) it looks like this is done when configuring Azure AD.
For the secondary concern,
- Add a prefix to the Windows virtual proxy (e.g. windows)
- Access the QMC using the new Windows virtual proxy prefix (e.g. analytics.company.com/windows/qmc)
- Remove the prefix for the SAML virtual proxy
- Make any adjustments to the SAML config
Primary question:
Ultimately you will want to match the userDirectory and userIds between the two authentication providers.
userDirectory is easy: QMC > Virtual Proxies > Edit Authentication > SAML Attribute for user directory. If you have a single AD, then just wrap the NETBIOS name of the domain (in this example CONTOSO) in brackets ([CONTOSO]). If you have varying ADs then use the same approach as the userId.
userId is a bit more complicated. At the outset, you should first review the attributes which are being sent. I regularly use this extension for Chrome, but there are similar ones for other browsers. After looking over the attribute statement, find if just plain vanilla userId is being sent as an attribute currently. If so, swap it out for the SAML Attribute for user ID section for the virtual proxy.
I don't have an Azure AD SAML virtual proxy setup, but to use an analogy to my Auth0 virtual proxy, my attributes are like so:
If I wanted to use just the portion before the @, then I'd use the nickname attribute and the value I'd enter into Qlik Sense is http://schemas.auth0.com/nickname (the value for the name element is how you tell Qlik Sense what to parse).
If there isn't an attribute present, then that means adding in on the SAML side and I don't have a doc ready made for that though from this guide (https://community.qlik.com/t5/Technology-Partners-Ecosystem/Azure-AD-Single-Sign-on-SAML-Over-an-App...) it looks like this is done when configuring Azure AD.
For the secondary concern,
- Add a prefix to the Windows virtual proxy (e.g. windows)
- Access the QMC using the new Windows virtual proxy prefix (e.g. analytics.company.com/windows/qmc)
- Remove the prefix for the SAML virtual proxy
- Make any adjustments to the SAML config
Thanks, Levi! Earlier this morning, before your reply came in, I did some experimenting and came up with basically the same solution. I'll rehash it here with screenshots for those who'd like to see the context.
The main idea, as you expressed, is to make the user directory and user name for the SAML authentication match the directory and name for the existing Windows-authenticated users.
It was straightforward to set the directory; it was a matter of changing the "SAML attribute for user directory" from [AZURE] (as recommended in the tutorial) to our user directory name, [CONTOSO]:
To change the username format from an email address to firstname.lastname to match our existing Qlik usernames, I experimented with a number of different options for the "Name" in the screen below, logging out/in with an anonymous browser until I found one that worked: "onpremisessamaccountname":
After making these two changes, the new SAML username/directory combinations matched the old Windows ones (firstname.lastname), and it didn't create a second copy of the user, which satisfied our primary concern.
As for our secondary concern of preserving the same url as before, I followed your general approach and got it to work, so I'm very happy. Note, however, that after I set the prefix of the central virtual proxy to "windows", I was NOT able to log in with the /windows prefix. However, I was still able to log in under the secondary SAML virtual proxy I had already established with the /sso prefix, and then I was able to remove the sso prefix and then log in without a prefix. Phew!
Thanks again!
