We are trying to integrate Qlik Sense with Oracle Access Manager (OAM) for SAML SSO. Qlik Sense is the SP and OAM is the IDP.
We have followed the documentation for SAML configuration. While testing Qlik Sense, we are getting the error below.
Error 400 - Bad request
Contact your Qlik Sense administrator. The user cannot be authenticated by the SAML response through the following virtual proxy: SAML
There are no errors logged in OAM (IDP) logs. Here is the SAML response generated.
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Destination="https://qlik.company.com:443/saml/samlauthn/"
ID="id-nx5QbHnpTnhU9kIZb6XFk-N6LMm-h1Q4-fqxK-FZ"
InResponseTo="_a81cdcd1-6a08-4edb-afc7-70e4f7425459"
IssueInstant="2016-06-22T20:00:29Z"
Version="2.0"
>
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso.company.com/oamfed</saml:Issuer>
<dsig:Signature>
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="#id-nx5QbHnpTnhU9kIZb6XFk-N6LMm-h1Q4-fqxK-FZ">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>lqWyIV+BRIp8ym3bLZCp8TU5P6s=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>YE+1WRtkmfQZbHS1LCA954RKtsMTJQEYuXlPCcqKw1kuh/TVDSyYFBgfRUj2OeNqutXuib5/Iolole4oi4wjtSaeCLoI32Fh45nlC1wzR9MKNeJnFsxsLMbApWUawk76WCRDaHKaXo3P/vCif6rhbvTJtUHNrSOvADJkIQ/lMO91pd5hTyWyua13tUrCvR2DgzzGAB/uxVp1yLDzEokWw9mZDei0n5/5MK/tlbNERtzgRvle1U4EX6552BVyJtdccbvWL4bL/dUi2YNpL0jBHarauJQwoLxtWtJ2v1PolInLkVaQzMJHBvZgOD5Fp4ja2GHiMGZdNsPLf4ui0WwHGg==</dsig:SignatureValue>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
</samlp:StatusCode>
<samlp:StatusMessage>User is not authorized to perform Federation SSO</samlp:StatusMessage>
</samlp:Status>
</samlp:Response>
I have also found that the SAML authentication request did not have the AssertionConsumerServiceURL, NameIDPolicy and ProviderName parameters. The SAML response contains the status code RequestDenied, which means the IDP denied the request because of insufficient data in the SP request.
Please suggest if this is a configuration issue in Qlik Sense or a bug.
Thanks
Mahendra.
Hi All,
The issue has been resolved. First, the IDP had an authorization problem, and once it was fixed it was able to send a successful SAML token. The second issue was that the userid sent from the IDP in the NameID value was not matching the Qlik Sense user attribute provided in the virtual proxy.
In the IDP, I have specified uid as the Name ID value and am sending a couple of attributes such as email etc. In Qlik Sense, specify the user attribute name such that the Name ID value matches that attribute value.
Please get back to me if you need any more details.
Thanks
Mahendra.
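As an added illustration (not part of the original thread, and not Qlik or Oracle code), this Python script reads a SAML response and reports the failure points discussed here: an IdP-side denial in the Status element, a missing or unsigned assertion, and a NameID that does not match the configured user attribute. The function name `triage`, the `user_attribute` parameter and both sample documents are assumptions made for the example; it expects an unencrypted assertion and does not validate signatures.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "dsig": "http://www.w3.org/2000/09/xmldsig#"}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

# Constructed samples: DENIED abridges the response in the question; ISSUED is invented.
DENIED = f"""<samlp:Response {XMLNS}><samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode>
<samlp:StatusMessage>User is not authorized to perform Federation SSO</samlp:StatusMessage>
</samlp:Status></samlp:Response>"""
ISSUED = f"""<samlp:Response {XMLNS}><samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion><saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
<saml:AttributeStatement><saml:Attribute Name="email">
<saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def triage(xml_text, user_attribute=None):
    """Diagnostic read of a SAML response; it does NOT verify any signature."""
    root = ET.fromstring(xml_text)
    codes, node = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:                      # walk nested StatusCode elements
        codes.append(node.get("Value", "").rsplit(":", 1)[-1])
        node = node.find("samlp:StatusCode", NS)
    msg = root.findtext("samlp:Status/samlp:StatusMessage", "", NS)
    findings = []
    if codes[:1] != ["Success"]:                 # IdP-side refusal: fix it at the IdP
        findings.append(f"IdP refused ({'/'.join(codes)}): {msg}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no Assertion in response")
        return findings
    if assertion.find("dsig:Signature", NS) is None:
        findings.append("Assertion is not signed")
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.iter(f"{{{NS['saml']}}}Attribute")}
    # Assumed check, following the resolution post: NameID should equal the
    # value of the attribute named in the virtual proxy configuration.
    if user_attribute and name_id not in attrs.get(user_attribute, []):
        findings.append(f"NameID {name_id!r} does not match attribute {user_attribute!r}")
    return findings

if __name__ == "__main__":
    for label, doc in (("denied", DENIED), ("issued", ISSUED)):
        print(label, triage(doc, user_attribute="email"))
```
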
Hi Mahendra,
How will I identify the IDP authorization problem and SAML token? Also, what if I don't have any attribute mapping in Qlik Sense?
Thanks and Regards
Miskin M
Could you please provide your SAML response XML and Qlik Sense SAML configuration?
I have encountered a Qlik Sense error in the proxy audit, error: SAML assertion was not signed
Please share the details.
Were you able to get multiple values for memberof using OAM and SAML?
Setting up attribute mappings is not necessary.