Skip to main content
Announcements
NEW: Seamless Public Data Sharing with Qlik's New Anonymous Access Capability: TELL ME MORE!

Security Rules Fail For SSO/SAML Users and The Group or Other User Attributes Returned from SSO / SAML Provider Are Not Seen in the User Record

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Damien_V
Support
Support

Security Rules Fail For SSO/SAML Users and The Group or Other User Attributes Returned from SSO / SAML Provider Are Not Seen in the User Record

Last Update:

Feb 23, 2021 4:36:00 AM

Updated By:

Sonja_Bauernfeind

Created date:

Dec 24, 2016 8:15:29 AM

When a user authenticates with SAML/JWT/Ticket, security rules based on the attributes from the SSO provider do not work and the attributes are not visible in the QMC under the User record.

Environments:

  • Qlik Sense Enterprise, all versions

 

When a user authenticates with SAML, a list of attributes will be given to Qlik Sense based on what is set up in the virtual proxy.  The attributes depend on the implementation.

User-added image


However, these User attribute(s) returned from the SSO provider are only kept for the user session and are not stored/persisted in the Qlik Sense Repository Database. Therefore, they do not appear in the QMC like attributes synchronized via a UDC connection (data which is persisted to the database).
 

Resolution:

 

  1. Reference the attributes via user.environment.[attribute name] (not user.[attribute name])
  2. View the exact attributes returned from the SSO provider by examining the logs:

    1. Set the Proxy Audit Logs to the DEBUG level

      User-added image
    2. After enabling debug logging, the (Trace/Audit) Proxy logs will reveal the extracted attribute(s). No restart is required. 

      The default location for this log is in C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\servername_Proxy_audit.txt

      Example Headers that will be injected:

      [X-Qlik-Security, OS=Windows; Device=Default; Browser=Firefox 50.0; IP=fe80::f0bf:12cb:47cd:2086%14; ClientOsVersion=6.3; SecureRequest=true; Context=AppAccess; role=Domain+Users; role=group5; ] || [X-Qlik-User, UserDirectory=DOMAIN; UserId=user5] || [X-Qlik-ProxySession, b29118dd-4539-4742-ad65-fe307eb10b54] || [X-Qlik-ProxyId, ProxyId=38daa8e0-5330-4581-9f40-49d7418b858f; Prefix=adfs] || [X-Qlik-Trace, cf2e0117-ee82-4d26-bba8-b781fc4ef19e:::]
Labels (1)
Contributors
Version history
Last update:
‎2021-02-23 04:36 AM
Updated by: