Qlik Community

Qlik Sense Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Highlighted
balexbyrd
New Contributor III

Multi-Node SAML with SSL - Isolate users to Engine nodes

Hello!

Some details first:

  1. We have a multi-node site on Qlik Sense September 2017 consisting of 1 central node and 1 engine node in shared persistence.
  2. We are using auth0 SSO SAML for Authentication using a virtual proxy that's linked to the central node.
  3. The Auth0 callback is pointing to https://<dns>:443/<proxy>/samlauthn/
  4. The Virtual Proxy SAML Host URI and entity ID are both the DNS name.
  5. We have our SSL certificate and DNS configured and pointed towards the central node.
  6. The Central Node host is the DNS name (not the machine name or IP address).

Ideally we would send users to only the Engine node after authentication through the virtual proxy (not load balancing with the central), currently they are only using the Central node and nobody has ever hit the Engine.

When I link the virtual proxy to the Central node, and load balance with only the Engine, I get the auth0 login which is great. I then log in and get 'The service did not respond or could not process the request'. This error does NOT occur when I load balance with the Central node only.

Reading Configuring load balancing to isolate development nodes ‒ Qlik Sense‌ makes me believe we can have the Virtual Proxy linked to the Central node but how in the world do I send users to only the Engine?

I can't figure it out! Do I do this with load balancing rules?

Any help?

5 Replies
balexbyrd
New Contributor III

Re: Multi-Node SAML with SSL - Isolate users to Engine nodes

Looks like I'm getting a 500 error (internal server error) at /api/hub/about

I've removed IPV6 from the engine node

I've fully uninstalled the Engine node, removing the certificates and relinking.

I've restarted the services

I've made sure the ports are open between the Central & Engine.

What else is left?!

Found other users in similar situations

Qlik Sense Multi-nodes site guidance

Qlik Sense and Webseal - header authentication

Error 500.PNG

Error 500 2.PNG

Error 500 3.PNG

balexbyrd
New Contributor III

Re: Multi-Node SAML with SSL - Isolate users to Engine nodes

I've tested this with Ticket > Windows Authentication and get the same result

I've tested this with Google Chrome and Internet Explorer and get the same result

I've test this with all of the services running on the Engine node and get the same result.

This has to be bug

Logged a ticket with support.

carlos_agullo
New Contributor

Re: Multi-Node SAML with SSL - Isolate users to Engine nodes

Hi Alex,

I am pretty interested on how you set up Qlik with Auth0. I have been trying to do something similar, but I am getting a "SAML attribute not present, userID" error constantly. I guess that I am not mapping the userID value from Auth0 correctly. In the SAML configuration I have tried to do something like the following:

"recipient" : https://..............

"destination" : https://...............

"mappings" : {

      "userID" : "http://schemas.auth0.com/nickname"

}

How did you get this Qlik-Auth0 connection to work? I will really appreciate if you can share some hints about the process you followed

Thanks

balexbyrd
New Contributor III

Re: Multi-Node SAML with SSL - Isolate users to Engine nodes

Hey Carlos,

We're using auth0 with an email . So in the virtual proxy > SAML attribute for user id we have 'uid'

Here's a snip from our settings

  "mappings": {

    "email": "uid"

  }

Qlik

auth0.PNG

In Auth0

auth02.PNG

Does this help?

carlos_agullo
New Contributor

Re: Multi-Node SAML with SSL - Isolate users to Engine nodes

Hey Alex

Definitely it helped, the mappings I was using were wrong, it was much more simpler!

Thanks