
Qlik Sense: Common error messages when using SAML

Damien_V
Support

Last Update: Feb 1, 2022 4:18:56 AM
Updated By: Francisco_Fernandez
Created date: Oct 29, 2017 9:41:44 AM

This article gives an explanation of some of the common error messages.

Error 1:

Error 400 - Bad request

Contact your system administrator. The user cannot be authenticated by the SAML response through the following virtual proxy:

Error 2:

SAML mandatory attribute for user ID is missing

Error 3:

SAML assertion is expired

Error 4:

Error 500 - Internal server error

Internal server error

Error 5:

SAML assertion must be encrypted on an unsecured connection

 

Environment:

Qlik Sense Enterprise on Windows 

 

Error 400: Bad request

This is the most common error message encountered when using SAML. It means that the SAML request is malformed, is missing some mandatory information, or that there is a time sync issue.

 

Missing Attribute:

The first step to take when this error appears is to check the Servername_Audit_Proxy.txt log (in C:\Programdata\Qlik\Sense\log\Proxy\Trace):

WARN    QlikServer2    Audit.Proxy.Proxy.SessionEstablishment.Authentication.SAML.SamlAuthenticationHandler    47    82c8cc12-5bf4-42a5-af04-b8e2c64d5c50    DOMAIN\Administrator    SAML mandatory attribute for user ID is missing    0    

The error is sometimes obvious as in the above example. An attribute is missing.

The second step would be to look into the SAML response and see if the SAML attribute you have set for your user ID is in there:

 

[Screenshot: SAML attribute in SAML tracer]

Check if you have an element <saml:Attribute ... Name="Nameofyourattribute" > inside the <saml:AttributeStatement> element.

In this example, the attribute we were trying to use for the User ID is Email. We see that it is not present in the <saml:AttributeStatement> element.

 

Time sync issue:

Verify whether the SAML request was rejected because it is "expired" (the log shows "SAML assertion is expired"); this also results in "400: Bad request". This can happen if, for example, an AWS server with Sense installed on it was not configured to automatically update its date/time settings. The time difference between the identity provider and Sense can then lead to the message being rejected.

In this case, adjust time settings accordingly.
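
An added example (not part of the original article and not Qlik tooling): a small Python check that covers both the missing-attribute and the time-sync cases above on a decoded SAML response. The sample assertion, its attribute names and the function name `check_assertion` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Troubleshooting aid for a response you captured yourself (e.g. with a SAML
# tracer); it inspects names and validity times only and verifies no signature.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not taken from the page): the IdP sends "groups"
# under a namespaced name and sends no "Email" attribute at all.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2022-02-01T04:00:00Z" NotOnOrAfter="2022-02-01T04:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://idp.example/claims/groups">
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    # SAML timestamps are UTC xs:dateTime; drop the "Z" and fractional seconds.
    return datetime.strptime(value.rstrip("Z").split(".")[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, user_id_attr, now, skew=timedelta(0)):
    """Return a list of findings for one decoded SAML assertion or response."""
    root = ET.fromstring(xml_text)
    findings = []
    names = [a.get("Name") for a in
             root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)]
    if user_id_attr not in names:
        # The configured name must match exactly; list names that nearly match.
        near = [n for n in names
                if n.lower().endswith(user_id_attr.lower().split("/")[-1])]
        findings.append(f"attribute {user_id_attr!r} missing; present: {names}; "
                        f"near matches: {near}")
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            findings.append(f"not yet valid: local clock is {_ts(nb) - now} behind NotBefore")
        if noa and now - skew >= _ts(noa):
            findings.append(f"expired: local clock is {now - _ts(noa)} past NotOnOrAfter")
    return findings
```

Pass the attribute name exactly as configured in the virtual proxy and the current UTC time of the Qlik Sense server as `now`; an empty list means neither of the two causes applies.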

 

Error 500: Internal Server error:

This can have different reasons but the troubleshooting process is similar to the example above.


In SAML, error 500 usually indicates an error with the certificate used. Either the certificate used is incorrect or does not have the proper Cryptographic Provider.

In order to use SHA-256 in Qlik Sense with SAML, the cryptographic provider for the certificate applied on the Qlik Sense proxy must be "Microsoft Enhanced RSA and AES Cryptographic Provider".
This limitation does not apply to the certificate used by the Identity provider.

The Servername_Audit_Proxy.txt (C:\Programdata\Qlik\Sense\log\Proxy\Trace) will either indicate "could not decrypt data" or an error with ComponentSpace.SAML2.Exceptions.SAMLSignatureException.

SAML assertion must be encrypted on an unsecured connection:

All network traffic has to be encrypted, which means it is mandatory to use port 443 in order to have a secure connection.

Comments
Senor_Dai
Partner - Creator II

Hi @Damien_V ,

 

I hope you can help. I've tried to implement SSO using Auth0 for QlikSense. SSO is working perfectly until I try to add user attributes. When I try to add SAML attributes to the QlikSense proxy:

Screenshot 2021-11-24 at 19.55.45.png

I get the Bad request 400 error when I try to log in...

 

I've checked the logs (as you suggest) and it is saying there is a missing attribute:

Screenshot 2021-11-24 at 19.51.39.png

But you can see from above I'm trying to pass a 'groups' attribute.

 

This is the Auth0 Rule Script
Screenshot 2021-11-24 at 20.02.49.png

And this is the Test User Metadata:
Screenshot 2021-11-24 at 20.04.13.png

 

I'd be so grateful if you could point out any mistakes in my configuration?

Many thanks

Dai

Damien_V
Support

Hello @Senor_Dai 

It's because you need to write the full name of the attribute "https://schemas.auth0.com/https://qlik;com/groups" in the virtual proxy settings, not just "groups" as this is how Auth0 sends it in the SAML response.

Senor_Dai
Partner - Creator II

Hi @Damien_V ,

 

Thanks so much for taking the time to reply. I've tried your suggestion:
Screenshot 2021-11-25 at 09.55.39.png

 

Any thoughts as to why I'm still getting the 400 Bad Request error?

Damien_V
Support

Hello @Senor_Dai 

Are you still getting exactly the same error in the Qlik Sense Proxy logs?

Error 400 is just a generic error; you need to check the logs as you did before.

Damien_V
Support

Actually when I look at it twice, the attribute name begins with http://, not https://

I would suggest you just copy the attribute name from the logs under "Existing attributes" to make sure it matches exactly.

Senor_Dai
Partner - Creator II

Hi @Damien_V , Fantastic that allowed me to login... 

Can you help further on how we 'pick up' the Group when our test user logs in? At the moment I'm not seeing it against the user info:

Screenshot 2021-11-25 at 10.54.51.png

 

Thanks once again

Damien_V
Support

@Senor_Dai 

In Qlik Sense August 2021 and earlier, optional SAML attributes are not persisted so they won't show up in the QMC (they're just available for the time of the session), but you can still create security rules on them by referencing them as "user.environment.groups" in a security rule.

See https://community.qlik.com/t5/Knowledge/Security-Rules-Fail-For-SSO-SAML-Users-and-The-Group-or-Othe...

In Qlik Sense November 2021 and onwards, you have a checkbox in the virtual proxy settings that lets you decide whether or not to persist those attributes. If you choose to persist them, then you will see them in the user info in the QMC, which makes it easier to audit.

Senor_Dai
Partner - Creator II

Fantastic thanks again @Damien_V  - your help has been invaluable!

Senor_Dai
Partner - Creator II

Hi @Damien_V ,  

We are using your solution to great success - so thanks so much!!

 

Could I ask another question on using Auth0  User Metadata and App Metadata?  Could I also pass 'UserLevel' as an attribute so we can utilise both User Metadata and AppMetadata when logging in via Auth0 SSO?

 

Auth0 User Details:

Screenshot 2022-02-03 at 11.00.07.png

 

Would we add another attribute for UserLevel in the virtual proxy :
Screenshot 2022-02-03 at 11.06.47.png

Thanks again for your time.

 

Senor Dai

fsiviero
Partner - Contributor

Hi @Damien_Villaret

I'm trying to find the checkbox in virtual proxy that lets you decide if you want to persist or not SAML attributes in user profile. I'm using February 2022 version 

I didn't find any reference about this new feature in help pages.

Can you give me more information? thanks

Francesco
