Solved: Re: Possible to publish QS via Azure Application P... - Qlik Community

andy · ‎2022-04-20

Hi mighty forum,

For Qlik Sense on premise published via Azure Application Proxy we have problems when Azure Pre-authentication is enabled, we get stuck in an endless loop.
The goal is to be able to reach QS on premise from internet for any user authenticated in the Azure AD.
We have enabled SAML authentication and now would like to get rid of the requirement of VPN as well.

We have read the instructions from 2018 about disable the Pre-Authentication, but IT do not prefer that option at all since they see it as a potential security risk to allow unauthenticated traffic into the corporate network.
https://community.qlik.com/t5/Technology-Partners-Ecosystem-Documents/Azure-AD-Single-Sign-on-SAML-O...
Anyone knows a way to configure this with Azure Pre-authentication enabled?

Any help is highly appreciated

andy · ‎2022-05-23

Hi again

Finally we found the missing link.

The issue was solved by setting the "Translate URLs in headers" setting in Azure as in the attached image.

View solution in original post

andy · ‎2022-05-05

Hi again,

Got answer from Qlik support which states that it shall be possible to achieve. Unfortunately we have been unsuccessful so far to get the settings right.

"Based on the feedback received from R&D pre-authentication should work just fine with the latest QS releases.
At the time that the article was written, it required two enterprise apps, since an enterprise app at the time didn’t support both SAML and the azure app proxy. Pre-authentication should work fine, as that happens before logging into Qlik. You would need to use a single enterprise app."

Anyone who have done this and can share which settings were done in Azure and the virtual proxy?

Any help is still highly appreciated.

andy · ‎2022-05-18

Now the loop is gone but this error is thrown when being outside the corporate network (it works when on the corporate network)

Albert_Candelario · ‎2022-05-18

Hello @andy ,

Thanks for posting.

I assume you already reviewed Error AADSTS50011 the redirect URI not match the redirect URIs configured for the application - Acti...

Cheers,

Albert

Please, remember to mark the thread as solved once getting the correct answer

andy · ‎2022-05-19

Hi, I thought that we had read everything about it but I cannot remember we tested this so we'll test it on Monday when the Azure admin is back.

Thanks for the hint!

Albert_Candelario · ‎2022-05-19

Sure @andy , let us know how it goes!

Cheers,

Albert

Please, remember to mark the thread as solved once getting the correct answer

andy · ‎2022-05-23

Hi again

Finally we found the missing link.

The issue was solved by setting the "Translate URLs in headers" setting in Azure as in the attached image.

Albert_Candelario · ‎2022-05-23

Excellent @andy , I am glad you have found it! Thanks for sharing it.

Cheers,

Albert

Please, remember to mark the thread as solved once getting the correct answer

andy · ‎2022-05-31

Here are the settings in Azure. We also needed to separate the url's on the internal network from the one used to reach the Azure proxy.

Albert_Candelario · ‎2022-06-01

Thanks Andy for sharing! Appreciate by the Community!

Please, remember to mark the thread as solved once getting the correct answer

Possible to publish QS via Azure Application Proxy with pre-authentication enabled?

Client Managed

Security