Qlik Community

Qlik Support Updates Blog


Qlik NPrinting Integration with SAML

Hello Qlik NPrinting World!!

 

Last time I talked about Qlik NPrinting connections, but now we are going to delve into integrating Qlik NPrinting with SAML!

 

Topics:

  1. What is SAML?
  2. IdP versus SP Initiated SAML
  3. Requirements 
  4. Limitations
  5. Configuration

 

What is SAML?

SAML, or Security Assertion Markup Language, is a form of Single Sign-On. It allows end users to log in to the Qlik NPrinting WebConsole and/or NewsStand with the click of a button.


IdP versus SP Initiated SAML:

IdP (Identity Provider) Initiated SAML starts at the Identity Provider URL such as Okta, PingIdentity, ADFS and then redirects the user to the Service Provider URL, Qlik NPrinting.

SP (Service Provider) Initiated SAML starts at the Service Provider URL, Qlik NPrinting, then redirects the user to the IdP for Authentication, and then redirects back to the Service Provider URL.

 


 

Requirements:

  • An installed and licensed version of Qlik NPrinting Server April 2018 or newer
  • Administrative Accounts for both Qlik NPrinting and the Identity Provider

 

Limitations:

Deploying Qlik NPrinting SAML

  • Qlik NPrinting does not sign the SAML authentication request. This means that identity providers that require the SAML authentication request to be signed are not supported.
  • SAML response encryption is not supported, so encrypted messages or attributes are not read by Qlik NPrinting.
  • SAML single logout is not supported.

 

Configuration:

I worked with the Education Team to help create a "Qlik Fix" video. The video is found here:

It will take you through the configuration steps to integrate Qlik NPrinting with SAML. In the video we are using Okta as our Identity Provider.

To summarize the video:

First, enable SAML in Qlik NPrinting:

  1. Log into the Qlik NPrinting WebConsole with an Administrative User
  2. Click on Admin and choose Settings
  3. Select the SAML button
  4. Click Add Configuration
  5. Add a name for this configuration
  6. Insert your FQDN for the Service Provider URL with the appropriate port number. Example: https://QlikNPrintingServer.com:4993
    1. 4993 = WebConsole
    2. 4994 = NewsStand
  7. Enter an Entity ID
  8. Select the Authenticate user by email option and enter the attribute for email.
  9. Click Save
  10. Open the SAML page again and download the SP Metadata. This will be our "cheat sheet" for setting up the Identity Provider.

Second, set up your Okta configuration:

  1. Log into Okta with an Administrative User
  2. Click the Admin button
  3. Click Add Applications
  4. Create New App
  5. Choose the Web Platform and SAML 2.0 for the Sign On Method
  6. Click Create
  7. Choose an App Name
  8. Click Next
  9. Enter the Single Sign On URL. This is the same URL that appears in the SP Metadata that was downloaded earlier. The URL will be in the Location setting. Do not enter any quotes.
  10. Enter the Audience URI (SP Entity ID). This is the Entity ID you set up in Qlik NPrinting. The Entity ID will also be in the SP metadata file that was downloaded earlier. It will be in the entityID setting. Do not enter any quotes.
  11. The Default RelayState should remain empty
  12. The Name ID Format is always Transient. This would match the SP Metadata file that was downloaded earlier from Qlik NPrinting.
  13. Application username is Okta username
  14. Enter any Attributes and Group Attribute statements
  15. Click Finish

  16. On the Sign On screen, right-click on the Identity Provider Metadata and choose "Save Link As". Ensure you save the file with a .xml file extension

  17. Return to the Qlik NPrinting WebConsole - Admin - Settings - SAML Settings

  18. Open the SAML page again by selecting the appropriate name

  19. Browse for the IdP xml Metadata file previously downloaded from the Okta site

  20. Click Save

  21. Navigate back to the Okta Admin page and choose the Assignment tab

  22. Choose the necessary users that need access to the Qlik NPrinting WebConsole 
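
A pre-flight check for the two metadata files used in the steps above, as an added example (not Qlik's or Okta's code). It reads the Okta form values from the SP metadata and flags an IdP that conflicts with the unsigned-request limitation via the standard SAML 2.0 `WantAuthnRequestsSigned` attribute. The function names, entity IDs and URL paths are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PORTS = {4993: "WebConsole", 4994: "NewsStand"}  # port mapping from the steps above

# Constructed samples: entity IDs and URL paths are placeholders, not real NPrinting/Okta output.
SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="nprinting-example">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://QlikNPrintingServer.com:4993/placeholder-acs-path"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""
IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="idp-example">
 <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_metadata(xml_text):
    # SAML metadata never needs a DTD; refuse one rather than let the parser expand entities.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    return ET.fromstring(xml_text)

def okta_fields(sp_xml):
    """Values for the Okta SAML settings form, read from the downloaded SP metadata."""
    root = parse_metadata(sp_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not an SP metadata file")
    acs = sp.find("md:AssertionConsumerService", NS)
    fmt = sp.findtext("md:NameIDFormat", default="", namespaces=NS).strip()
    location = acs.get("Location") if acs is not None else None
    return {
        "single_sign_on_url": location,          # Okta "Single Sign On URL"
        "audience_uri": root.get("entityID"),    # Okta "Audience URI (SP Entity ID)"
        "name_id_transient": fmt.endswith(":transient"),
        "target": PORTS.get(urlsplit(location).port) if location else None,
    }

def idp_blockers(idp_xml):
    """Reasons the IdP metadata conflicts with the limitations listed on this page."""
    idp = parse_metadata(idp_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: not an IdP metadata file"]
    if idp.get("WantAuthnRequestsSigned", "false").strip().lower() in ("true", "1"):
        return ["IdP requires signed AuthnRequests, which Qlik NPrinting does not send"]
    return []
```

Run `okta_fields` on the SP metadata before filling in the Okta form, and `idp_blockers` on the IdP metadata before uploading it to Qlik NPrinting.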

Testing:

  1. Open the Qlik NPrinting WebConsole
  2. Choose the OktaWebConsole button at the login screen
  3. You will be redirected to Okta, enter your credentials
  4. You will be redirected to the Qlik NPrinting WebConsole

 

Congratulations!! The SAML Authentication should now be set up between Qlik NPrinting WebConsole and Okta. ✔️

A step-by-step guide is found in our Knowledge Article: Qlik NPrinting SAML Authentication with Okta

 

Are there any other Identity Providers that you would like to see added to our Knowledge? Recently I configured Qlik NPrinting with PingOne PingIdentity. That article is found here: Qlik NPrinting SAML Authentication with PingOne PingIdentity

 

Please let me know in the comments!

5 Comments
Partner

Hi @Eva_B  - thanks for this info. Does this process automatically create users or help manage recipients of NPrinting reports (i.e., they'll never log in to create them, only receive via email)? One of the biggest problems we have is that the user store in NP needs to be manually created before it can be authenticated, which is problematic keeping it in sync with our primary user store (or even Qlik Sense).

Support

Hello @millerhm :

As of now it is necessary for the user to exist in Qlik NPrinting first. I do realize with Qlik Sense that will create the users from the IdP, but this is currently a limitation of the product since SAML was introduced in the April 2018 version for NPrinting.

You can import users from a variety of sources which is explained here (Excel / LDAP): Importing users

There is already an Idea / Enhancement request for this feature. The ID for tracking purposes is: ID: 2022

Thank you,

Eva

Partner

Thanks @Eva_B  - we don't use LDAP and the Excel option is pretty clunky.  I would add to the Idea/Enhancement if it doesn't already contain this that it's important that a solution includes a method for setting up recipient-only users, not only user creation on actual login.

Support

Hello @millerhm  - 

I am adding your comments to the existing Feature Request now.

Thank you very much for the feedback!

Regards,

Eva

Partner

Thank you!
