vegard_bakke
Partner - Creator III

Does Qlik Sense support "Cryptographic API: Next Generation" for signing SAML requests?

In a previous thread, I got help from @Bastien_Laugiero  sorting out the "provider" of my certificate for signing SAML 2.0 using SHA-256. (Ref: https://community.qlik.com/t5/Qlik-Sense-Deployment-Management/quot-500-Internal-server-error-quot-w...)

I received a new certificate but it was having the provider:

  • Microsoft Software Key Storage Provider, uses Cryptographic API: Next Generation (CNG), MS-link

And not:

  • Microsoft Enhanced RSA and AES Cryptographic Provider, uses CryptoAPI, MS-link

CNG is taking over for CryptoAPI, which apparently is deprecated. (Although, I have not found the source of this information.) Both support SHA-256, and AES signing.

My security colleague is hesitant to use CryptoAPI (named 'Legacy key' in his system), and not 'CNG key'. 

I guess my questions are:

 - Does Qlik support any CNG type providers for signing SAML 2.0 messages with SHA-256?

If not, why is the CryptoAPI provider needed? (I might need some help with the wording on this one, to highlight if there are any security issues, or in particular, why there might not be any issues using the Microsoft Enhanced RSA and AES Cryptographic Provider.)

If someone could enlighten me, it would very much be appreciated.  🙂

Cheers,

Vegard

1 Reply
Yang_Jiao
Support

Hi Vegard,

Thanks for your questions. Quite a few in this post. 😄 Let's try to address them one by one.

Firstly, I have found the page here where it states those deprecated CryptoAPI functions, but that's all I can find for the topic. I couldn't find any announcement, not even a date, etc. Seems like those functions are 'silently' deprecated to me.

Secondly, "Why is the CryptoAPI provider needed?". The Cryptographic Service Providers (CSPs) from Microsoft typically implement cryptographic algorithms and provide key storage. So my understanding is that it provides the instructions to both encrypting and decrypting parties about what algorithms it supports to hash, sign, and encrypt content in the certificate. You may find a full list of CSPs based on CryptoAPI from this page, with more details of each CSP and the algorithms it supports.

Qlik Sense Enterprise requires the CSP from the certificate to be Microsoft Enhanced RSA and AES Cryptographic Provider if you need to use the certificate for SAML authentication, because that is the only one that supports SHA-256, SHA-384 and SHA-512 XML signature algorithms. Here is also an article where you can find more information, and how to work with your certificate if you have issues using it in Qlik Sense. (https://support.qlik.com/articles/000033752)

Now, back to your main question "Does Qlik support any CNG type providers for signing SAML 2.0 messages with SHA-256?". The answer is unfortunately 'no' at the moment. However, there is already a request for assessment raised to Qlik RD for this matter. We might hear something more in the future.

Hope this answers your questions. If it does, please mark the thread as resolved. Thank you!
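A practical way to check, before configuring SAML, whether a certificate's private key sits in the CryptoAPI provider the reply says Qlik Sense requires or in a CNG key storage provider. This is an added example, not code from the thread or from Qlik; it assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, an elevated session with read access to the machine's private keys, and the store path `Cert:\LocalMachine\My`.

```powershell
# Added example (not from the thread or Qlik): report the key storage
# provider behind each certificate in the local machine personal store.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+ and an elevated session.
$RequiredProvider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

function Get-CertKeyProvider {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) {
        return [pscustomobject]@{ Api = 'none'; Provider = $null }
    }
    try {
        # Works for both CAPI and CNG keys, unlike $Cert.PrivateKey which throws on CNG keys
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        return [pscustomobject]@{ Api = 'unreadable'; Provider = $_.Exception.Message }
    }
    if ($null -eq $rsa) {
        return [pscustomobject]@{ Api = 'non-RSA'; Provider = $null }   # e.g. an ECDSA key
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CryptoAPI key container; the CSP name is what Qlik Sense checks
        return [pscustomobject]@{ Api = 'CryptoAPI'; Provider = $rsa.CspKeyContainerInfo.ProviderName }
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key; Provider.Provider is e.g. 'Microsoft Software Key Storage Provider'
        return [pscustomobject]@{ Api = 'CNG'; Provider = $rsa.Key.Provider.Provider }
    }
    return [pscustomobject]@{ Api = 'other'; Provider = $rsa.GetType().Name }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $info = Get-CertKeyProvider -Cert $_
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        KeyApi     = $info.Api
        Provider   = $info.Provider
        # True only for the CryptoAPI provider named in the reply above
        SamlUsable = ($info.Api -eq 'CryptoAPI' -and $info.Provider -eq $RequiredProvider)
    }
} | Format-Table -AutoSize
```

As a cross-check without PowerShell, `certutil -store My` prints a `Provider =` line for each certificate with an accessible private key.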