
Qlik Sense: SAML GET request invalid format

Andrew_Delaney
Support

Last Update: Feb 25, 2021 8:06:32 AM

Updated By: Sonja_Bauernfeind

Created date: May 12, 2016 4:15:27 AM

When configuring SAML authentication with Qlik Sense, you may see "SAML GET request invalid format" or "SAML POST request invalid format" errors. Unfortunately, these errors do not indicate what is incorrect about the request.

Environments:

 

 

1. Is the SAML Assertion Consumer URL set up correctly on the Identity Provider?

This needs to be exactly the same URL as the one in the Service Provider metadata, including the trailing slash.
For example: https://qlikserver2.domain.local:443/prefix/samlauthn/ will work but https://qlikserver2.domain.local:443/prefix/samlauthn will not work.


2. For Service Provider initiated authentication, Qlik Sense's SAML implementation requires a RelayState value to be provided in SAML responses.

If that value is missing, the Invalid Format error is generated.
RelayState is optional for Identity Provider initiated authentication.
RelayState is sent as a query parameter in both the SAML Request and the SAML Response. The two values must match for the authentication to succeed.

3. Does the SAML assertion contain any attributes?

Make sure that the SAML assertion (a section of the SAML response returned by the IdP) includes some attributes. If the assertion contains no attributes at all, the generic error "GET request invalid format" is thrown. If it contains at least one attribute, the error is more specific about whether another attribute is missing.

4. Is the SAML Assertion Consumer URL all in lower case in the Identity Provider settings?

Make sure that the SAML Assertion Consumer URL is all in lower case in the Identity Provider settings. If Qlik Sense is called on a URL that contains any upper-case character, it redirects to the all-lower-case URL, but the SAML response content is lost during the redirection, which causes this error to appear in the logs.
For example: https://servername/prefix/samlauthn/ will work, but https://servername/PREFIX/samlauthn/ will not work.
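
The four checks above can be run against a captured login attempt before changing any settings. The following is an added example, not Qlik code: the function names are hypothetical, the sample response is constructed, and it assumes the SAMLResponse was captured from an HTTP POST (plain base64, unencrypted assertion).

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# SAML 2.0 assertion namespace
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_acs_url(idp_acs_url, sp_metadata_acs_url):
    """Checks 1 and 4: exact match with SP metadata, trailing slash, lower case."""
    problems = []
    if idp_acs_url != sp_metadata_acs_url:
        problems.append("ACS URL on the IdP differs from the SP metadata")
    if not urlsplit(idp_acs_url).path.endswith("/"):
        problems.append("ACS URL has no trailing slash")
    if idp_acs_url != idp_acs_url.lower():
        problems.append("ACS URL contains upper-case characters")
    return problems

def check_relay_state(sent, returned, sp_initiated=True):
    """Check 2: SP-initiated flows need a RelayState that matches the request."""
    if not sp_initiated:
        return []  # optional for IdP-initiated authentication
    if not returned:
        return ["RelayState missing from the SAML response"]
    if sent != returned:
        return ["RelayState in the response does not match the request"]
    return []

def check_attributes(saml_response_b64):
    """Check 3: the assertion must carry at least one attribute."""
    # Diagnostic parsing of a response you captured yourself; ElementTree is
    # not hardened against hostile XML, so do not reuse this on untrusted input.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    return [] if root.findall(path, NS) else ["SAML assertion contains no attributes"]

# Constructed sample response (unsigned, no attributes), for illustration only
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    '<saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    sp_url = "https://qlikserver2.domain.local:443/prefix/samlauthn/"
    for p in (check_acs_url("https://qlikserver2.domain.local:443/PREFIX/samlauthn", sp_url)
              + check_relay_state("abc123", None) + check_attributes(SAMPLE_B64)):
        print("FAIL:", p)
```
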
