SAML is not supported by default in QlikView but can be implemented by creating a custom authentication module that will convert SAML requests/responses to QlikView Ticket to log the user in.
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, contact our Professional Services or engage in our QlikView Integrations forum.
Currently, this solution only works for SP initiated authentication. Making it work for IDP-initiated authentication might require further code changes in the library/module source code.
This has been tested with QlikView 12.10 SR7.
<GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx"/>
to
<GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx">
  <TrustedIP>fe80::b178:730a:5c2a:86d2%11</TrustedIP>
</GetWebTicket>
public void ValidateAttribute(SamlAttribute samlAttribute)
{
    if (!Uri.IsWellFormedUriString(samlAttribute.Name, UriKind.Absolute))
        throw new DKSaml20FormatException("The DK-SAML 2.0 profile requires that an attribute's \"Name\" is an URI.");
after
public void ValidateAttribute(SamlAttribute samlAttribute)
{
    /*
    if (!Uri.IsWellFormedUriString(samlAttribute.Name, UriKind.Absolute))
        throw new DKSaml20FormatException("The DK-SAML 2.0 profile requires that an attribute's \"Name\" is an URI.");
    */
<QlikViewSaml
accessPointUrl="https://qlikserver1.domain.local/"
authenticatePage="QvAjaxZfc/Authenticate.aspx"
webTicketPage="QvAjaxZfc/GetWebTicket.aspx"
tryPage="https://qlikserver1.domain.local/qlikview/"
backUrl="https://qlikserver1.domain.local/webticketerror.html" />
Replace https://qlikserver1.domain.local/ with your QlikView server URL in the above code.
<AllowedAudienceUris>
<Audience>https://qlikserver1.domain.local</Audience>
</AllowedAudienceUris>
<Federation xmlns="urn:dk.nita.saml20.configuration">
<SigningCertificate findValue="CN=qlikserver1" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>
* In this case, we use a certificate that has "CN=qlikserver1" as its distinguished name.
<IDPEndPoints metadata="C:\idpdata\">
...
See the Qlik Online Help for general information about Qlik Sense and AWS deployments. The content may change depending on the version of Sense.
In an Amazon Web Services (AWS) deployment, you install Qlik Sense Enterprise on an Amazon virtual private cloud infrastructure that is flexible, high-performance, and quick to set up.
Deploying Qlik Sense Enterprise on AWS will enable you to quickly add new applications in a simple and scalable manner. You can do this with a basic knowledge of AWS security and scalability options but without the need to follow complex on-premise installation and configuration procedures. Using AWS will enable you to get your Qlik Sense infrastructure up and running in a fraction of the time required for an on-premise deployment, and will enable you to scale your deployment quickly and easily, regardless of unexpected changes in demand.
You can deploy Qlik Sense to AWS manually, or you can use an Amazon Machine Image (AMI) available in the AWS Marketplace that includes Qlik Sense preinstalled. However, predefined images do not include a file share, so they can only support single node Qlik Sense deployments.
Qlik Sense Enterprise on Windows deployment to AWS (about)
Preparing your Amazon AWS platform to install Qlik Sense Enterprise on Windows
Install Qlik Sense Enterprise on Windows on the AWS server
Qlik Sense supports Web Content Accessibility (WCAG 2.0 compliant).
When using the Qlik Sense hub, this is available by default. In a mashup, however, some work is needed from the mashup developer to make the mashup accessible.
This article provides an example of a mashup that is compliant with Web Content Accessibility. Find the attachment below.
The example is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
This article provides step-by-step instructions for implementing Azure AD as an identity provider for Qlik Cloud. We cover configuring an App registration in Azure AD and configuring group support using MS Graph permissions.
It guides the reader through adding the necessary application configuration in Azure AD and Qlik Sense Enterprise SaaS identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their Azure AD credentials.
Throughout this tutorial, some words will be used interchangeably.
The tenant hostname required in this context is the original hostname provided to the Qlik Enterprise SaaS tenant.
Copy the value of the client secret and paste it somewhere safe. After saving the configuration, the value will become hidden and unavailable.
In the OpenID permissions section, check email, openid, and profile. In the Users section, check user.read.
Failing to grant consent to GroupMember.Read.All may result in errors authenticating to Qlik using Azure AD. Make sure to complete this step before moving on.
In this example, I had to change the email claim to upn to obtain the user's email address from Azure AD. Your results may vary.
While not hard, configuring Azure AD to work with Qlik Sense Enterprise SaaS is not trivial. Most of the legwork to make this authentication scheme work is on the Azure side. However, it's important to note that without making some small tweaks to the IdP configuration in Qlik Sense you may receive a failure or two during the validation process.
For many of you, adding Azure AD means you potentially have a bunch of clean up you need to do to remove legacy groups. Unfortunately, there is no way to do this in the UI but there is an API endpoint for deleting groups. See Deleting guid group values from Qlik Sense Enterprise SaaS for a guide on how to delete groups from a Qlik Sense Enterprise SaaS tenant.
Qlik Cloud: Configure Azure Active Directory as an IdP
The attached document guides the reader through adding the necessary application configuration in AWS Cognito and Qlik Sense Enterprise SaaS (Qlik Cloud) identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their AWS Cognito credentials.
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.
This video will demonstrate how to install and configure Qlik-CLI for SaaS editions of Qlik Sense.
get-command qlik
choco install qlik-cli
if ( -not (Test-Path $PROFILE) ) {
echo "" > $PROFILE
}
qlik completion ps > "./qlik_completion.ps1" # Create a file containing the powershell completion.
. ./qlik_completion.ps1 # Source the completion.
Advanced and additional instructions as seen in the video can be found at Qlik-CLI on Qlik.Dev. Begin with Get Started.
Qlik Enterprise Manager (QEM) allows Personal Access Token authentication with Okta. The token generation in QEM will fail if the incorrect variables have been passed in. Missing quotations on the variables will result in the variables being treated as "Null" values. The following error would be seen in the Enterprise Manager logs if null values are found.
Parameter name: s
System.ArgumentNullException: Value cannot be null.
Parameter name: s
at System.Runtime.InteropServices.Marshal.SecureStringToBSTR(SecureString s)
at Attunity.Infrastructure.Globals.Crypto.GetClearString(SecureString value)
at Attunity.Infrastructure.Globals.Authentication.OpenIdAuthClient..ctor(HttpClient httpClient, String authority, String clientId, String redirectUri, SecureString clientSecret, String additionalScopes, String openIdUserNameClaimType, String openIdDisplayNameClaimType, String openIdGroupClaimType)
at Attunity.Infrastructure.HostManager.HostManager.CreateOpenIdAuthClient()
at Attunity.Infrastructure.HostManager.RestHandler.OpenIdRedirect(OpenIdRedirectParams param)
Ensure the following variables are double-quoted and that the correct information from the Okta integration app is used:
Syntax
aemctl.exe configuration set --open_id_authority your-openid-connect-authority --open_id_client_id your-client-id --open_id_client_secret your-secret
Example using Okta
aemctl.exe configuration set --open_id_authority "https://dev-13465054.okta.com" --open_id_client_id "0oa8ohkl5ftweZNWTT5d7" --open_id_client_secret "FJxXqWOpJsROGrthsaVzfUIcNthG6JLA1-nAJH0"
Setting up Personal Access Token authentication for the API
Qlik Cloud allows for the configuration of independent identity providers, including Okta. The setup procedure for Okta and Qlik Cloud can be found here: How to configure Qlik Cloud with Okta.
During the setup process, you will be required to add an Authorization Server, an option which is only available if you have purchased Okta's API Access Management. Qlik provides a workaround in case you have not purchased this add-on and therefore do not have the Authorization Server option.
The workaround consists of selecting the "ADFS" provider while configuring Identity Provider in the Qlik Cloud management console, which will force Qlik Cloud to read the user information from the ID token instead of the userinfo endpoint.
Follow the steps outlined in How to configure Qlik Cloud with Okta, with the exception of configuring the Identity Provider in the Qlik Cloud Management console differently and skipping step 12 (adding the Authorization Server).
How to configure Qlik Cloud with Okta
Identity Providers
Custom Auth Servers VS Org Auth Servers: https://developer.okta.com/docs/concepts/auth-servers/
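An added example (not from the original article or from Qlik): because the "ADFS" setting makes Qlik Cloud read user information from the ID token instead of the userinfo endpoint, the token itself has to carry the user attributes. This Node.js script decodes an ID token's payload and reports which claims are absent. The claim names (sub, name, email, groups), the issuer URL and the sample tokens are assumptions constructed for illustration, and the signature is deliberately not verified, so it serves as a diagnostic aid only.

```javascript
// Added example: diagnostic only. The payload is decoded WITHOUT verifying
// the signature, so the result must never drive an authentication decision.

// Assumed claim names; align them with the tenant's claims mapping.
const REQUIRED_CLAIMS = ["sub", "name", "email"];
const OPTIONAL_CLAIMS = ["groups"];

// Decode one base64url-encoded JSON segment of a compact JWS.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Report what an ID token carries, given the current time in epoch seconds.
function inspectIdToken(idToken, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(idToken).split(".");
  if (parts.length !== 3) {
    throw new Error("expected header.payload.signature");
  }
  const header = decodeSegment(parts[0]);
  const claims = decodeSegment(parts[1]);
  const present = (name) => {
    const value = claims[name];
    if (Array.isArray(value)) return value.length > 0;
    return value !== undefined && value !== null && value !== "";
  };
  return {
    alg: header.alg,
    issuer: claims.iss,
    // A token without a numeric exp is treated as expired.
    expired: typeof claims.exp !== "number" || claims.exp <= nowSeconds,
    missingRequired: REQUIRED_CLAIMS.filter((c) => !present(c)),
    missingOptional: OPTIONAL_CLAIMS.filter((c) => !present(c)),
  };
}

// Build a constructed sample token with a placeholder signature.
function makeSampleToken(claims) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "RS256", typ: "JWT" }), enc(claims), "c2lnbmF0dXJl"].join(".");
}

const base = { iss: "https://idp.example", sub: "00u1example", exp: 2000000000 };
const sparseToken = makeSampleToken(base);
const completeToken = makeSampleToken({
  ...base, name: "Ada Example", email: "ada@idp.example", groups: ["Everyone"],
});

const sampleNow = 1700000000; // fixed clock so the sample output is stable
console.log(inspectIdToken(sparseToken, sampleNow));
console.log(inspectIdToken(completeToken, sampleNow));
```

A non-empty missingRequired list for a real token means the identity provider is not placing those attributes in the ID token, so the claims mapping cannot resolve them under this workaround.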
In case you missed it, Google finally set Q3 2024 as the date for 100% blocking all content relying on third-party cookies rendered on web pages in Chrome. At Qlik, the date is not a surprise to us, and to all our customers who embed Qlik Sense, we appreciate your collaboration and patience. We’ve been working hard for two years to prepare our products to handle this change and the impact it has on your end users. Here’s some additional information we believe will help you understand the changes Google and other browser makers have made to their software and how to configure Qlik Cloud and Qlik Sense Enterprise Client-Managed to keep embedded analytics working smoothly with your web applications and mashups.
Browser makers are handling third-party cookie blocking in different ways. You can learn more about the browsers Qlik supports for Qlik Cloud and Qlik Sense Enterprise Client-Managed and how those browsers handle third-party cookies and the changes they’re making by reviewing Google's Privacy Sandbox pages, and Saying goodbye to third-party cookies in 2024. Here’s a quick recap for popular browsers:
Microsoft Edge & Mozilla Firefox do not currently break Qlik Sense embedding with default privacy or cookie configurations. Please refer to your browser provider for up-to-date information.
If you're embedding Qlik Sense into a web app or mashup, we recommend reviewing configurations and deployments end-to-end to ensure they implement best practices for operating in browsers blocking third-party cookies. By default, Qlik Cloud and Qlik Sense Enterprise Client-Managed utilize cookies to maintain an authenticated session between the client browser and Qlik services. Because of the browser changes your solution may not display embedded content. To mitigate this issue, you can augment your solution to change how Qlik maintains an authenticated connection from your application to Qlik Sense.
Since release at the end of 2022, embedding analytics from Qlik Cloud is possible using OAuth2 tokens for a cookie-less session. You can learn more by reading our authentication best practices for Qlik Cloud.
Using OAuth2 works with many of our embedding frameworks, including the new qlik-embed framework, capability APIs, nebula and enigma, and the various SDKs.
If you are using classic embedding libraries like the app integration and single integration APIs, you can use a session cookie proxy for Qlik Cloud, although you should look to use qlik-embed where possible in place of these experiences.
The easiest way to mitigate third-party cookie blocking is to use a trusted domain certificate issued by a valid certificate provider. This will enable your web application and the Qlik Sense server to share the same root domain name (e.g. example.com). Therefore, there will be no third-party cookie issue with embedded content between the Qlik server and your web application. The typical implementation uses a wildcard certificate so that your web application and the Qlik Sense server share the same root domain but have their own subdomain names. For example, with a wildcard certificate “*.example.com”, your web application would be “web-app.example.com”, and your Qlik server would be “qlik-sense.example.com”. You can learn more about adding a signed server certificate on help.qlik.com.
This guide provides the basic instructions on configuring Qlik Cloud with Okta as an identity provider.
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.
This must be the actual tenant name, not the alias.
For additional information on how to create new identity providers in Qlik Cloud, see Creating a new identity provider configuration.
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
Using Google as the IdP with the Qlik Sense Mobile (SaaS) app on either iOS or Android fails.
The following error is shown in the app:
Authorisation Error
Error 400: invalid_scope
Some requested scopes were invalid. {valid=[openid,
https://www.googleapis.com/auth/userinfo.profile,
https://www.googleapis.com/auth/userinfo.email],
invalid=[offline_access]}
Set the Block_offline_access scope in your Google IdP Advanced settings in the Qlik Cloud console.
Qlik Sense Mobile SaaS with Qlik Cloud
Starting with Qlik Sense June 2019, when using SAML or ticket authentication, some users belonging to a large number of groups see the error "Qlik Sense G3 Broker API" on the hub and cannot proceed further.
You may receive the following error when setting up the SAML virtual proxy: cachebust pending
Environments:
The only known workaround in the above versions is to reduce the number of groups sent in the SAML response or ticket request.
The fix for this defect is included in the following versions, but additional steps may be necessary:
All Versions
The default setting will still be a header size of 8192 bytes. The fix adds support for a configurable MaxHttpHeaderSize.
Steps:
[globals]
LogPath="${ALLUSERSPROFILE}\Qlik\Sense\Log"
MigrationPort=4545
(...)
MaxHttpHeaderSize=65534
Note: Above value (16384) is an example. You may need a larger value depending on the total number of characters of all the AD groups to which the user belongs. The max value is 65534.
Other Related Articles:
https://community.qlik.com/t5/Official-Support-Articles/Error-431-when-trying-to-access-the-Qlik-Sense-Management/ta-p/1789124
QB-234.
The steps below are for an example test setup of authentication using Auth0 as Identity Provider (IdP) with Qlik Sense Enterprise SaaS.
Environment:
Resolution:
The information in this article is provided as-is and to be used at own discretion. Ongoing support on the solution is not provided by Qlik Support.
Note: These steps assume an auth0 "Developer" account has already been created.
Create a new Application in Auth0.
Proceed with the following steps:
Creating a database connection in Auth0
Create a database connection and configure the application to use this connection.
Proceed with the following steps:
Creating a new user
If users are not in Auth0, proceed with the following steps:
Setup the Identity Provider in the Management Console within Qlik Sense Enterprise SaaS.
Related Content:
The steps below are for an example test setup of SAML authentication using auth0 as Identity Provider with Qlik Sense Enterprise on Windows.
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.
Note: These steps assume an auth0 "Developer" account has already been created.
{
  "groups": [
    "Everyone"
  ]
}
// Auth0 rule: copy the groups stored in user_metadata into a namespaced ID token claim.
function (user, context, callback) {
  if ((user.user_metadata || {}).groups) {
    context.idToken['https://qlik.com/groups'] = user.user_metadata.groups;
  }
  callback(null, user, context);
}
// Auth0 rule: expose the user's email address as a namespaced ID token claim.
function (user, context, callback) {
  context.idToken['https://qlik.com/sub'] = user.email;
  callback(null, user, context);
}
Description | SAML_auth0 | An appropriate description |
Prefix | auth0 | This will be the prefix used when accessing Qlik Sense via URL |
Session cookie header name | X-Qlik-Session-auth0 | Needs to differ for every Virtual Proxy |
Authentication method | SAML | The authentication enabled via auth0 |
SAML host URI | https:// | The Qlik Sense Server |
SAML entity ID | https://.auth0.com | This can be found in the metadata file downloaded from auth0 under entityID |
SAML IdP metadata | Choose File: This is the xml file downloaded from Auth0 | The IdP metadata file downloaded from auth0 |
SAML attribute for user ID | See Claim Types (learn.microsoft) | This is also found in the metadata file from auth0 |
SAML attribute for user directory | [Auth0] | Directory name |
SAML signing algorithm | SHA-1 | Used by auth0 |
Users are requested to re-enter their credentials when they launch an On-Demand request from a device not running Windows, for example a Mac computer.
This does not happen to the same users when working on Windows OS machines.
When an On-Demand request is launched, the user credentials are passed to NPrinting by Integrated Windows Authentication (IWA).
This functionality is only available on Windows machines. The credentials entered when the user logged in to Qlik Sense can't be passed if IWA is not active, as happens on any device that does not run a Windows OS.
This is due to a limitation on the operating systems and can't be fixed by Qlik.
In Qlik Cloud Services (Qlik Sense Enterprise SaaS), it is possible to get the iFrame HTML code to embed a chart in a webpage by right-clicking that chart and choosing "embed chart".
However, just placing this code on a web page is not sufficient to handle the authentication part.
The information provided in this article provides an example of how this can be achieved. Further customization is likely necessary. For assistance, join our active community in the Integrations and Extensions forum or contact our Consulting Services for an engagement.
Environments:
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="ie=edge">
  <title>Document</title>
  <script type="text/javascript">
    const webIntegrationId = "g-yrbnOz9wV5-YnIqYLZMgfAxf_iKg30";
    function login() {
      // Ask the tenant whether the browser already holds an authenticated session.
      function isLoggedIn() {
        return fetch("https://yourtenant.eu.qlikcloud.com/api/v1/users/me", {
          method: 'GET',
          mode: 'cors',
          credentials: 'include',
          headers: {
            'Content-Type': 'application/json',
            'qlik-web-integration-id': webIntegrationId,
          },
        }).then(response => {
          return response.status === 200;
        });
      }
      return isLoggedIn().then(loggedIn => {
        if (!loggedIn) {
          // Not logged in: send the top-level window to the tenant login page.
          // The return URL is encoded so its own query string survives the redirect.
          window.top.location.href = "https://yourtenant.eu.qlikcloud.com/login?qlik-web-integration-id=" + webIntegrationId + "&returnto=" + encodeURIComponent(top.location.href);
          throw new Error('not logged in');
        }
      });
    }
    login()
  </script>
</head>
<body style="height:600px;">
  <iframe
    src="https://yourtenant.eu.qlikcloud.com/single/?appid=9539b869-1c84-4e6d-9129-4c5b031ca88a&obj=WJhPv&opt=ctxmenu,currsel"
    style="border:none;width:100%;height:100%;"></iframe>
</body>
</html>
const webIntegrationId = "IDGOESHERE";
<iframe src="linktotheobjecthere"></iframe>