Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
brindlogcool
Creator III
Creator III

QlikSense SAML

I have configured the SAML as suggested in the documentation. And when i tried to access the Qlik Sense URL with SAML as suggested in the documentation

https://[node]/[prefix]/


the URL is getting redirected to the windows authentication like this https://server:port/windows_authentication/?targetId=11234 

and prompting for windows authentication. And it works fine.


(a) How to validate it is authenticated through SAML. Is there any logs associated with it ? Is it expected to prompt for windows authentication and validated through SAML.



Is there any specific setting has to be changed or additional coding required apart from the QMC settings





17 Replies
Not applicable

Brind,

No, you shouldn't be redirected to a windows auth through the browser.  How are you configuring SAML?  Put another way, what identity management solution are you using as an identity provider?

Can you send a screen shot of your virtual proxy configuration?

jg

brindlogcool
Creator III
Creator III
Author

It is ping federate

brindlogcool
Creator III
Creator III
Author

Virtual proxy configuration as follows

Identification

Description: SSO integration

Prefix : SSO

Session inactivity Timeout(Minutes) :30

Session Cookie header name : X-SSO-Session

Authentication

Anonymous access mode: Allow anonymous user

Authentication method: SAML

SAML host URI : https://a1234d.abc.com

(--------------https://a1234d.abc.com/qmc/ and https://a1234d.abc.com/hub---------------)

SAML entitity Id : ssoqliksense

SAML Medtadata Idp : uploaded the metadata

SAML attribute for userid : {id }

SAML attribute for user active-directory:{id}


And linked to default proxy. Let me know if you need any additional information



Not applicable

Ok, have you configured a virtual proxy in Qlik Sense to talk to PingFederate with PFs idp metadata and then performed similar configuration on PF with Qlik Sense SP metadata?

For example, here is a screenshot of my SAML config for Salesforce on my Qlik Sense server.

2015-08-05 18_25_10-Virtual proxy edit - QMC.png

See the  SAML Metadata IdP?  Have you uploaded the PF metadata there?

For config examples, here is a set of videos for Salesforce and ADFS

Not applicable

I wonder if Allow anonymous user is tripping it up.  What happens if you set to no anonymous users?  In addition, have you set up PF with the SP metadata from Qlik Sense?

And to clarify, the userid attribute should be the attribute name or the schema reference url, and the user directory if static uses square brackets and not curly braces.

jg

brindlogcool
Creator III
Creator III
Author

Thanks Jg

Do i need do the same for the SAML attribute mapping. Brackets for both SAML and QlikSense attributes

SAML Attribute mapping

SAML attribute  QlikSense Attribute

[id]                     [id]

Not applicable

If they are static (meaning that you aren't using an OID or schema definition) you need the brackets.  The SAML attribute and the Qlik Sense attribute do not need to have the same name.

jg

brindlogcool
Creator III
Creator III
Author

Thanks jg

When i try the url servername/hub/saml .it redirects to windows authentication. If i try with servername/prefix i am getting the error as No available qliksense engine was found refresh your browser or contact your administrator.

Is there any port has to changed or any log files. how to look for request and response flow. I tried with fiddler didnt get anything.

Not applicable

ok, so with all virtual proxies (ticketing, header, session, or SAML) the prefix is mandatory or you are going to go the central proxy virtual proxy which is going to pop up windows authentication.  So you do need to do this:

https://servername/virtualProxyprefix/hub

As for ports, no ports should have to change.

Logs are located in c:\programdata\qlik\sense\logs\proxy\trace and the audit proxy log.

servername/hub/saml is not valid.

Try the servername/virtualproxy/hub and see if you get redirected to PF.  Check the logs and if you want attach them here and I can take a look.

jg