Not applicable

Implementation of Single Sign on, When the users are coming from AD.

Hi Team,

Can anybody help me with how to implement single sign-on when Qlik Sense is hosted on cloud and the users which I brought into QMC are coming from an AD server?

Regards,

Ankit Jain

Accepted Solutions
Not applicable

Re: Implementation of Single Sign on, When the users are coming from AD.

The Qlik Sense server will allow Windows Auth pass through from the browser "if" the Qlik Sense server is on a trusted domain of the active directory.  If the Qlik Sense server is not a member of the domain, then the domain users will not be able to log in using their domain credentials.

Importing user information into Qlik Sense is not for authentication purposes, it's for authorization.  Qlik Sense does not perform identity verification.

To Recap:

1.  To use Windows authentication of domain accounts with a Qlik Sense server, the Qlik Sense server needs to be a member of a trusted domain the Active Directory storing the users is aware of.

2.  Importing user information into Qlik Sense using UDC does not equate to authentication.  Qlik Sense does not store passwords nor does it ever ask for one.

3.  If the Qlik Sense server is a member of an AD trusted domain, then it is possible to use Windows authentication with domain accounts.  To get pass-through auth to work properly, the browser needs to be set to automatically pass credentials. To make this change you need to go into the Internet properties of the browser, click on the Security tab and choose Custom level.  At the bottom of the screen is a User Authentication radio dialog.  By default, for many of the zones the selected option is "Automatic logon with current user name and password".  You may have to set the Internet zone (shown) to the same because the Qlik Sense server is on AWS.  But this does not matter if #1 is not satisfied.

2016-06-06 06_58_00-Movies & TV.png

9 Replies
Not applicable

Re: Implementation of Single Sign on, When the users are coming from AD.

Ankit,

If you want to use single sign on with Qlik Sense there are a number of ways to implement.  In addition, you can implement and use the AD user directory connection to look up users when they log in through a virtual proxy to use the specified user directory name.

Some videos for you to watch:

https://www.youtube.com/watch?v=vkCh_t1nd40 - Qlik Sense Security Overview

Qlik Sense SAML with Active Directory Federation Services: Qlik Sense SAML: ADFS Integration Part One of Three

Qlik Sense SAML with Okta: Video Link : 3653

Not applicable

Re: Implementation of Single Sign on, When the users are coming from AD.

Hi Jeffery,

Thank you so much for your time and suggestions,

Sorry to say, but I cannot open the videos here.

1. All the users are coming from an AD server. I have brought in all the users using the user directory connector.

2. The machine on which they will be opening the Qlik Sense browser is in the same domain.

3. Instead of logging in again and again by providing their credentials, they just want to open the browser and log in directly, as they are in the same domain (SSO).

4. How to implement the above?

Waiting for your suggestion.

Regards,

Ankit Jain

Not applicable

Re: Implementation of Single Sign on, When the users are coming from AD.

1. AD is on a different machine on a different server in a different environment.

2. Qlik Sense is installed in AWS.

3. I brought in all the users in Qlik Sense.

4. Now what they want is: as they log in to their machine using their credentials and open the link which has been provided to them for opening the Qlik Sense hub, it should not ask for login ID and PWD when they have already performed a Windows authentication.

Regards,

Ankit Jain

Not applicable

Re: Implementation of Single Sign on, When the users are coming from AD.

Thanks Jeffery,

Thanks for your time and suggestions, and improving my knowledge.

It worked for me when I added the site to the intranet zone sites.

Regards,

Ankit Jain

Not applicable

Re: Implementation of Single Sign on, When the users are coming from AD.

Excellent!  Please mark the threads in the discussion that you found helpful and that answered your question, to help others with similar questions find answers quickly.

Cheers,

Jeff G

AlexOmetis
Contributor II

Re: Implementation of Single Sign on, When the users are coming from AD.

Also worth noting that you can add sites to the Trusted Sites list via Group Policy - I used the second method on this page to do that: https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html. Otherwise users have to do it manually (in some cases, they don't have access to those settings).
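
The zone change discussed in this thread, as an added PowerShell example that is not from any of the posters or from Qlik: it reports which security zone the hub's host maps to for the current user and that zone's logon setting, and with `-MapToIntranet` adds the one host to the Local intranet zone rather than changing the Internet zone for every site. The host name parts are placeholders; the `ZoneMap` and `1A00` locations are the standard per-user Internet Settings registry entries.

```powershell
# Added example: audit, and optionally set, the per-user zone mapping that
# decides whether the browser passes Windows credentials to one site.
param(
    [string]$Domain    = 'example.com',   # placeholder, not from the thread
    [string]$SubDomain = 'qliksense',     # placeholder, not from the thread
    [switch]$MapToIntranet                # add https://<SubDomain>.<Domain> to Local intranet
)

$inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$siteKey = "$inet\ZoneMap\Domains\$Domain\$SubDomain"
$zones   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$logon   = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

if ($MapToIntranet) {
    # Create the key only if missing so existing values under it are kept.
    if (-not (Test-Path $siteKey)) { New-Item -Path $siteKey -Force | Out-Null }
    New-ItemProperty -Path $siteKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Only the per-user https mapping is read here; Group Policy assignments live
# elsewhere. With no mapping the script assumes the Internet zone (3).
$zone   = 3
$mapped = Get-ItemProperty -Path $siteKey -Name 'https' -ErrorAction SilentlyContinue
if ($mapped) { $zone = [int]$mapped.https }

function Get-LogonSetting([int]$ZoneId) {
    # 1A00 is the "User Authentication > Logon" option of the zone.
    $p = Get-ItemProperty -Path "$inet\Zones\$ZoneId" -Name '1A00' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'Not set for this user' }
    $text = $logon[[int]$p.'1A00']
    if ($text) { $text } else { 'Unrecognised value 0x{0:X}' -f $p.'1A00' }
}

[pscustomobject]@{
    Site          = "https://$SubDomain.$Domain"
    Zone          = $zones[$zone]
    ZoneLogon     = Get-LogonSetting $zone
    InternetLogon = Get-LogonSetting 3
}
if ((Get-LogonSetting 3) -like 'Automatic logon with*') {
    Write-Warning 'Internet zone passes Windows credentials to every site that asks; map the one host to Local intranet instead.'
}
```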

krishnakumars7
New Contributor

Re: Implementation of Single Sign on, When the users are coming from AD.

Hi Ankit,

We have a similar setup:

1) Qlik Sense is installed in AWS.

2) LDAP is installed on a different server in a different domain.

We have installed the LDAP certificate in AWS where Qlik Sense is installed and pulled all users using UDC.

But we are facing an issue during authentication itself. Can you please let me know if there is any prerequisite on the AWS, Qlik Sense and LDAP side, so that we can proceed further?

Thanks.

Krishna Kumar S

bujnakbranislav
Contributor

Re: Implementation of Single Sign on, When the users are coming from AD.

Jeff: I have completed ADFS SSO SAML yesterday, but my users are being flagged as inactive after some period in QMC. Any idea what may be causing it? Thanks for any insights.
