Qlik Community

Qlik Design Blog

All about product and Qlik solutions: scripting, data modeling, visual design, extensions, best practices, etc.


Qlik Sense SAML – A standardized approach to authentication

Hello everyone, today I have the pleasure of introducing Jeff Goldberg as our guest blogger (jog). Jeff is a Senior Enterprise Architect on the Americas Pre-sales team who has worked in various technology positions for over 15 years. In between running half-marathons and crushing CrossFit workouts, Jeff focuses on integration, deployment, automation, security, and API topics across a wide range of software. If you have a technical challenge, Jeff can put you on a path to figuring out the best way to overcome it. Jeff has the extreme pleasure of introducing you to SAML authentication with Qlik Sense, not only in text but also in supporting videos. Thanks for this valuable contribution, Jeff!

Qlik Sense SAML

With the release of Qlik Sense 2.0, we introduced SAML as an authentication option between enterprise identity management systems (known as identity providers) and Qlik Sense. While SAML is a standard for authentication and authorization, it is open to interpretation and variability in its implementation.  Consequently, implementing SAML can be a bit tricky.  The goal of this blog post is to demystify SAML and provide some examples you can use to implement it with Qlik Sense.

SAML stands for Security Assertion Markup Language, an XML-based authentication and authorization standard for web applications to exchange user credentials and attributes. SAML works between two parties, an identity provider (IdP) and a service provider (SP), to facilitate single sign-on access to secure content for a user.

Identity providers come in a variety of shapes and sizes.  Salesforce.com, Active Directory Federation Services, and Ping Federate are just a few of the options available for handling the authentication components of the SAML handshake. The service provider is the system with the content we want to access.  In this case, Qlik Sense is the service provider.

The figure below illustrates the SAML authentication process.

Keep in mind the SAML protocol is an open standard, therefore, implementing the solution between the SP and the IdP differs based on the requirements of the chosen provider.

For example:

  • ADFS metadata contains a whole section of information that needs to be removed before it is imported into Qlik Sense.
  • With Ping Federate, the IdP configuration needs to have the name ID format for the SAML response manually set to transient, or the user authentication to Qlik Sense will fail.
  • OneLogin doesn’t care about the name ID format for the response.

Bottom line: expect some trial and error when configuring SAML, regardless of whether it’s with Qlik Sense or some other solution.
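As an added example (not from the original post or from Qlik), a pre-flight comparison of IdP and SP metadata that surfaces the kinds of differences listed above before any import is attempted: extra top-level sections, the advertised name ID formats, and the signing flags on each side. The sample documents, entity IDs and function names are constructed for illustration; which sections or formats a given IdP actually needs is left to that provider's documentation.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed, trimmed samples (not real ADFS, Ping Federate or Qlik Sense metadata).
IDP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test">
  <RoleDescriptor protocolSupportEnumeration="urn:example:other-protocol"/>
  <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </IDPSSODescriptor>
</EntityDescriptor>"""
SP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

def describe(xml_text, role):
    """Summarise one metadata document; role is 'IDPSSODescriptor' or 'SPSSODescriptor'."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:  # SAML metadata never needs a DTD
        raise ValueError("metadata must not contain a DTD or entity declarations")
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root is not a SAML 2.0 EntityDescriptor")
    desc = root.find(MD + role)
    if desc is None:
        raise ValueError(f"no {role} element found")
    flag = lambda name: desc.get(name, "false").lower() in ("true", "1")
    return {
        "entity_id": root.get("entityID"),
        "extra_sections": [c.tag.rsplit("}", 1)[-1] for c in root if c.tag != MD + role],
        "name_id_formats": [e.text.strip() for e in desc.findall(MD + "NameIDFormat") if e.text],
        "wants_signed_requests": flag("WantAuthnRequestsSigned"),
        "signs_requests": flag("AuthnRequestsSigned"),
        "wants_signed_assertions": flag("WantAssertionsSigned"),
    }

def preflight(idp_xml, sp_xml):
    idp, sp = describe(idp_xml, "IDPSSODescriptor"), describe(sp_xml, "SPSSODescriptor")
    findings = []
    if idp["extra_sections"]:
        findings.append("IdP metadata has extra sections: " + ", ".join(idp["extra_sections"]))
    if TRANSIENT not in idp["name_id_formats"]:
        findings.append("IdP does not advertise the transient name ID format")
    if idp["wants_signed_requests"] and not sp["signs_requests"]:
        findings.append("IdP wants signed AuthnRequests but the SP metadata says it does not sign them")
    if not sp["wants_signed_assertions"]:
        findings.append("SP does not require signed assertions")
    return findings
```

Calling `preflight(IDP_XML, SP_XML)` on the constructed samples returns three findings; a finding is a prompt to check the provider's settings, not proof that authentication will fail.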

To ease the pain and hopefully reduce frustration, we have created some videos to help walk through configuring different SAML identity providers with Qlik Sense.  As we encounter more flavors of IdP, we will create content to help with configuration.

For now, have a watch of the following videos, enjoy!


20 Comments
korsikov
Valued Contributor II

great job!

It's very interesting for me.

srinivasa1
Contributor

Really helpful. Good job.

Not applicable

Thanks for this. Very good info indeed.

I would like to know if there is any Qlik Sense authentication available currently with the IDaaS?

Would be great if you can share some info on that.

Not applicable

Hello, I'm new to Qlik Sense and trying to get Okta SAML working but keep getting a URL 404 error message. I followed the YouTube video listed for Okta configuration; could this URL be a firewall issue?

csomineni
New Contributor

Great Job!! Thanks for the valuable info

henry_vssecurit
New Contributor II

Has anyone tried to integrate SAML authentication with WSO2 Identity Management Server? We have tried to integrate it and keep getting a 404 as well!!

ujjawal1989
New Contributor II

Thanks, Jeff, for this article. Great help. However, I would like to know how many user attributes we can use while authenticating in SAML. What if we want to use UPN for users to log in, EmployeeID or customized attributes? Can we use these with Qlik Sense, or is only a particular set of attributes required?

Thanks,

cpalbrecht
Contributor

Thanks for the great explanation. But what about when Qlik is behind a reverse proxy like NGINX? Does anybody know how to configure NGINX to get the same SAML authentication working?

rva_heldendaten
Contributor III

Do you already have NGINX working as a reverse proxy with Qlik Sense?

I'm aware of the sample configuration by Johannes Sunden: Reverse Proxy and Authentication port redirect, but haven't seen it in combination with SAML.

cpalbrecht
Contributor

Ok, it works fine also with NGINX and SAML. I just forgot the websocket upgrade in NGINX config.

naman_mittal
New Contributor III

I am unable to do the integration, as the parameters wantAssertionsSigned = "true" & AuthnRequestsSigned = "false" are different compared to your video.

Please help me here.

naman_mittal
New Contributor III

Update: I was successful in integrating Salesforce with QlikSense just by following the exact same steps as in your video, even though the value of one of the parameters was different.

naman_mittal
New Contributor III

I want to integrate QlikSense with Veeva Irep (CRM mobile) such that a rep who logs in to IREP can see QlikSense dashboards with SSO.

Here, is it possible that we can save some licensing cost for the company via this integration?

That is, can multiple users from Veeva CRM view reports pertaining to their territory made in QlikSense, with QlikSense having a single or a few users?

Basically, we want to map users between Veeva and QS with cardinality many:1.

jjuarezh
New Contributor

Hi, I want to integrate Azure AD with Qlik Sense, but I get error 400. I followed the Microsoft documentation and the OneLogin tutorial, and still get the same error. Can anyone help me?

ssamuels
New Contributor III

Hi Jair, I have successfully integrated with Azure AD for SAML authentication, so maybe I can help you. What are the configuration steps that you have followed?

jjuarezh
New Contributor

Thanks for your answer. I have been following the Azure documentation, Tutorial: Azure Active Directory integration with Qlik Sense Enterprise | Microsoft Docs.

ssamuels
New Contributor III

Can you provide a screenshot of the configuration (properties) of the Application in Azure AD and also the virtual proxy in Qlik Sense?

jjuarezh
New Contributor

Hi, I asked a question about it in Error 400- SAML Null request

lfimotoo
New Contributor II

Hi Naman.

Were you able to integrate to Azure AD even though the wantAssertionsSigned and AuthnRequestsSigned were different to the video?


I am facing the error "AADSTS50011: The reply uri specified in the request is not a valid URL" when logging in through O365, and I was guessing the problem was related to the AuthnRequestsSigned property (mine is set to "true", whereas in the video the value is "false").

naman_mittal
New Contributor III

Hi Luis,

I did the connection between Salesforce and QlikSense, and yes, the values of wantAssertionsSigned and AuthnRequestsSigned were different to the video. But I didn't change them. Leave them as they are in the file downloaded.
