Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
vegard_bakke
Partner - Creator III
Partner - Creator III

"500 - Internal server error" when using SHA-256 in SAML authentication

Hi all,

 

I get a 500 Internal Server Error from Qlik Sense, September 2018 version, when using SHA-256, instead of the default SHA-1 as signing algorithm.

 

The error message in 'Proxy\TESTPUB02_Audit_Proxy.txt' is:

WARN testpub02 Audit.Proxy.Proxy.Core.RequestListener 152 973a2763-e18c-4e5a-8a23-210989e0e9d8 TESTPUB02\user Unanticipated ComponentSpace.SAML2.Exceptions.SAMLSignatureException occurred for connection

 

My settings are:

SOTEST Virtual Proxy.png

 

When I go to https://my.public.url/sotest, I get a redirect to https://my.public.url/sotest/hub/.

The hub returns a 500 Internal server error after just 5 ms.

If I choose SHA-1, I get redirected to the Google login.

 

 

 

According to this post, the certificate used for the Qlik Proxy needs to support SHA-256 XML signatures.

Our certificate says it's signing algorithm is 'sha256RSA'.  Is that not good enough?

SOTEST Certificate.png

 

Any tip is appreciated,

 

Cheers,

Vegard

Labels (4)
2 Solutions

Accepted Solutions
Bastien_Laugiero

Hello,

Looking at the error from the Audit logs it seems that the certificate does not have the correct Cryptographic Provider set.

In order to use SHA-256 in Qlik Sense with SAML, the cryptographic provider for the certificate applied on the Qlik Sense proxy must be "Microsoft Enhanced RSA and AES Cryptographic Provider".

Here is an article referring to the error message.

And here is an article providing the steps to check and change the cryptographic provider

Hope this helps! 

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.

View solution in original post

Bastien_Laugiero

Hello,

Thank you for applying the article. So the error has now changed.

In the beginning, it was: Unanticipated ComponentSpace.SAML2.Exceptions.SAMLSignatureException

And now: Unanticipated ComponentSpace.SAML2.Exceptions.SAMLBindingException

This new error is related to the fact that your Idp metadata has been created with the binding method HTTP POST instead of HTTP REDIRECT.
Every information is documented here.

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.

View solution in original post

8 Replies
Bastien_Laugiero

Hello,

Looking at the error from the Audit logs it seems that the certificate does not have the correct Cryptographic Provider set.

In order to use SHA-256 in Qlik Sense with SAML, the cryptographic provider for the certificate applied on the Qlik Sense proxy must be "Microsoft Enhanced RSA and AES Cryptographic Provider".

Here is an article referring to the error message.

And here is an article providing the steps to check and change the cryptographic provider

Hope this helps! 

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.
vegard_bakke
Partner - Creator III
Partner - Creator III
Author

Thank you so much for you quick reply. I will check out this, and give you some feedback. 🙂

Bastien_Laugiero

Thank you!! Looking forward to hear the result 🙂
Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.
vegard_bakke
Partner - Creator III
Partner - Creator III
Author

I've tried a few different things now.  All give the same results, unfortunately.

 

I have one self-signed certificate for the testpub02.company.com, and one for *.company.com.

I have added the "Microsoft Enhanced RSA and AES Cryptographic Provider" using openssl as described in your second link.  (cert

I have set up one Qlik virtual proxy with our local IdP-metadata, and one virtual proxy using IdP-metadata for Google Accounts. (The certutil.exe -dump now reports Provider = Microsoft Enhanced RSA and AES Cryptographic Provider.)

 

Going to the "Google IdP prefix", I get immediately redirected to the Google login page.
But using the #local IdP prefix" still gives 500 Internal server error. 

And the error message is still:

WARN testpub02 Audit.Proxy.Proxy.Core.RequestListener TESTPUB02\user Unanticipated ComponentSpace.SAML2.Exceptions.SAMLBindingException occurred for connection

 

Is there anywhere I can get a more detailed error message?  Or any logging I can turn on?

How can I find out what is actually going wrong? I looks like it might be something wrong with our metadata. But how to identify what it is, beats me... 😕

 

 

Vegard

Bastien_Laugiero

Hello,

Thank you for applying the article. So the error has now changed.

In the beginning, it was: Unanticipated ComponentSpace.SAML2.Exceptions.SAMLSignatureException

And now: Unanticipated ComponentSpace.SAML2.Exceptions.SAMLBindingException

This new error is related to the fact that your Idp metadata has been created with the binding method HTTP POST instead of HTTP REDIRECT.
Every information is documented here.

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.
vegard_bakke
Partner - Creator III
Partner - Creator III
Author

Thank you! I didn't notice that the exception was indeed different. And thank you for the link.

I will look into this on Monday.

cheers 🙂

vegard_bakke
Partner - Creator III
Partner - Creator III
Author

Thank you so much Bastien! Our test IdP was not enabled for HTTP-Redirect.

Maybe not the easiest error messages to decode. But now at least the community forum contains the error messages and links to the Qlik Support Knowledge articles, for others at a later stage.

A little more can be found here:
https://qliksupport.force.com/QS_CoveoSearch#q=ComponentSpace.SAML2&t=All&sort=relevancy


Again, thank you so much! 🙂
Bastien_Laugiero

Thank you!
Glad it could be resolved 🙂
Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.