Quick Guide to installing ADFS for testing SAML

This example is under the assumption there's an understanding of your environment and having the proper permissions to perform the actions shown. Accounts used are all Local Administrators and the servers are open, with nothing blocked, and no other programs are installed on them.?

Prerequisites:
3rd Party SSL OR Self-Signed exported Certificate from the QMC for the ADFS server
Access to Sense installed on a server that can connect to the ADFS environment
Access to a server to install and configure ADFS

Note: Read the entire documentation to verify access and understanding of all actions stated within prior to starting the install and configuration.

Example Environment:
AD FS: DC1.domain.local
Qlik Sense: QlikServer1.domain.local 

Note: This documentation is only to used to validate and test SAML and ADFS. Use this at your own discretion


Step 1:
Install/import a valid certificate for the ADFS server with a Trusted Root from a Certificate Authority. This will be used to make sure both the SSL certificate bound to the Qlik Sense Proxy and ADFS trusts each other.


Example: TinyCerts.org – You can create your own CA and then certificates against that CA for any server name requested. Note: This option requires less steps in the long run, but would need to have access to the Certificate Authority and/or the certificate is prepared prior to save on time.


 
Example: Using the Qlik Sense self-signed certificates that are exported from the QMC for the ADFS server name.








Step 2:
Install the DC1.domain.local certificate chain


Note: The example shown is from TinyCerts.org and is a complete PFX file with the SSL certificate AND the Trusted Root Certificate combined. When installed it imports both certificates to their correct locations on the ADFS server. Self-Signed certificates import/install information is below.






Confirm the certificate is installed correctly:




 
Note: The same main steps are performed with the Self-Signed certificates exported by the QMC.

Import the certificate

1. Launch Microsoft Management Console (mmc.exe) on the ADFS server
2. In the MMC, go to File > Add / Remove Snap-in...
3. Select Certificates and click Add
4. Select Computer account, click Next, select Local computer and click Finish
5. In the MMC, go to Certificates (Local Computer)/Personal
6. In the MMC, go to Actions > All Tasks > Import...
7. Browse to the certificate file provided to you from your CA / Export from the QMC
8. Follow the instructions on the screen to import the certificate, including the private key
9. Verify the new certificate has been imported into Certificates (Local Computer) > Personal > Certificates and that it contains a private key
   1. Viewing the certificate when installed should have this entry: 
10. Follow the same steps to for the Trusted Root, but place it in Certificates (Local Computer) > Trusted Root Certification > Certificates 

 
Information:

• The “server.pfx” is going to be installed in the Certificates (Local Computer) > Personal > Certificates
  •  Server name of the ADFS server you created (Example: dc1.domain.local)
• The “root.cer” is going to be installed in the Certificates (Local Computer) > Trusted Root Certificates  > Certificates
  • Server name of the Central node of the Sense site once installed (Example: QlikServer1.domain.local)

Step 3:
Install ADFS on to DC1.domain.local through the Add/Remove features and selecting the check box for Active Directory Federation Services

• There’s no configurations steps to Add the Feature for the demonstration (all default values)

Step 4:
Configure AD FS - Click Manage in the Server Manager and finish the ADFS setup




 
Note: Notice that dc1.domain.local is available in the drop down. If this is a clean install of server and then ADFS is installed, there will be NO certificates there other than ones you install (or are on the default image of the server). This is why we are using the one we created and makes it easier to ensure that all the certificates will trust everyone without extra configurations.






Example of the View Script



Click Configure to start the installation process




You can ignore this message in a single ADFS test environment.


Step 5:
Configure the virtual proxy for ADFS




SAML attribute for user ID: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
Note: The brackets around the SAML attribute for user directory. This will be needed for all directory names, even if linking to an established User Directory Connector. 


IF you’re going to use a 3rd party SSL certificate and do NOT want to change the encryptioncertificaterevocationcheck and signingcertificaterevocationcheck settings (Step 12 below) for the Relaying Trust, review Step 5-A at the end of the document, then proceed.


Step 6:
Download the SP metadata for the ADFS virtual proxy in the QMC and move it to the ADFS server (or a shared folder)
Note: You mus link the Virtual Proxy to a Proxy or this will not be possible and the button will be grayed out.



 


Step 7:
Configure the Relaying Party Trust using the SP metadata from Sense









Note: Once completed, go back into the Properties for this Relaying Party Trust and change it rom SHA-256 to SHA-1 for this demonstration.


Step 8:
Add the Claim information for the Relaying Party Trust







Note: You can pass many different AD attributes, but for this we are just sending the Windows Account Name information as the UserID (as set in the virtual proxy)


Step 9:
Download the ADFS IdP Metadata





ADFS Metadata URL: https://<ADFS_server_name>/FederationMetadata/2007-06/FederationMetadata.xml
Note: Putting the link into Chrome/Firefox will download the .xml file, but you can copy and paste it into Notepad and save it as .xml

Step 10:
Once you get the metadata in a file, you will need to remove any and all sections containing RoleDescriptor.
Note: This step may not be needed depending on the version of Sense and AD FS. If you're in current builds (any 2018 or later), it will most likely be fine just using the full IdP metadata XML. You will get an error in the QMC when applying, if it's not valid. 


Default Notepad:
Click at the start of the file and Find RoleDescriptor and the first entry.



Make a few returns / spaces so when you select from the bottom to the top you’ll know where to stop.



Scroll to the bottom of the file and click to move the cursor to the end of the file



Change the direction from Down to Up and Find Next



Once found, select the entire section between those two points and delete it. This will lower the size of the XML by more than half its original.



Note: You can use other text editors, but this one is default on Windows and just takes a few quick searches.


Step 11:
Import the ADFS IdP into the virtual proxy for ADFS




Note: At this point Sense and ADFS are configured.  Follow Step 12 if you did not do 5-A.


Step 12: Removing the signingcertificaterevocationcheck and encryptioncertificaterevocationcheck on the ADFS server for the Relaying Trust in an elevated (run as Administrator)  Windows PowerShell:

• You need to make ADFS not do any certificate check on that Relaying Party Trust
  • Set-ADFSrelyingpartytrust –targetName “Qlik Sense” –signingcertificaterevocationcheck “none”
  • Set-ADFSrelyingpartytrust –targetName “Qlik Sense” –encryptioncertificaterevocationcheck “none”

Reason: This is because ADFS and Sense do not have all the certificates trusted. This removes the need to have to deal with it.


Step 5-A:
This step is to be performed before getting the SP metadata for the virtual proxy in Qlik Sense. The reason for this is that the SP metadata has the certificate information for the Proxy that’s linked to it. By default it will use the self-signed certificate that’s created when Sense is installed. However, ADFS does not trust this chain and to make it easier, we will just use a 3rd party certificate that’s from the same CA as the one that’s used for ADFS.

Below is an example of a certificate from the same CA as the DC1.domain.local and is made for qlikserver1.domain.local. The thumbprint is placed in the proxy that the virtual proxy for ADFS is linked to, and will now use this certificate for trust.