Here are the steps I took to set up Okta to allow users to authenticate to Sense Enterprise (initially version 3.1, now June 2017).
Our users are mostly external to our organization, but we create their accounts in our local Windows Active Directory. We assign them to a security group called 'qlik.'
On Sense: Create a virtual proxy that will listen for Okta SAML assertions. Follow the steps in the video.
Also make sure you have another virtual proxy that uses WIndows authentication -- your monitoring apps will need it to run properly. And it's good to have so you can log into Qlik locally if/when you have problems with Okta.
In Okta: Set up a connection to your user directory under "Directory Integrations" (I installed the Okta agent on our AD server to sync automatically.)
In Okta: Set up the SAML to Qlik under "Applications." This part is tricky and needs to be just right. Follow steps in the video. In my case, the values in the General section are like these:
Under the Sign On section, I set up a Policy with a rule requiring multifactor at every sign on. This was because Sense didn't support Single Sign Out (until a very recent version, I forget which, but after Sept 2017), so if a user logs out but keeps the browser open, he can just click the browser "back" button and be logged in again.
Side Note: Our Sense server is not a member of our AD domain.
There is plenty more to describe but hopefully the video gets you there. The Okta app works very well as the 2nd factor. I'm happy to answer any questions you have.