17 Replies. Latest reply: Dec 9, 2017 7:49 AM by Naman Mittal

    QlikSense SAML

    Logesh Jayaraman

      I have configured the SAML as suggested in the documentation. When I tried to access the Qlik Sense URL with SAML as suggested in the documentation

      https://[node]/[prefix]/

      the URL is getting redirected to Windows authentication, like this: https://server:port/windows_authentication/?targetId=11234

      and prompting for Windows authentication. And it works fine.


      (a) How can I validate that it is authenticated through SAML? Are there any logs associated with it? Is it expected to prompt for Windows authentication and be validated through SAML?

      Is there any specific setting that has to be changed, or additional coding required, apart from the QMC settings?





        • Re: QlikSense SAML
          Jeffrey Goldberg

          Brind,

           

          No, you shouldn't be redirected to a Windows auth through the browser. How are you configuring SAML? Put another way, what identity management solution are you using as an identity provider?

           

          Can you send a screen shot of your virtual proxy configuration?

           

          jg

            • Re: QlikSense SAML
              Logesh Jayaraman

              It is PingFederate

                • Re: QlikSense SAML
                  Jeffrey Goldberg

                  OK, have you configured a virtual proxy in Qlik Sense to talk to PingFederate with PF's IdP metadata and then performed similar configuration on PF with Qlik Sense SP metadata?

                   

                  For example, here is a screenshot of my SAML config for Salesforce on my Qlik Sense server.

                  2015-08-05 18_25_10-Virtual proxy edit - QMC.png

                  See the SAML Metadata IdP? Have you uploaded the PF metadata there?

                   

                  For config examples, here is a set of videos for Salesforce and ADFS

                • Re: QlikSense SAML
                  Logesh Jayaraman

                  Virtual proxy configuration as follows

                   

                  Identification

                  Description: SSO integration

                  Prefix : SSO

                  Session inactivity Timeout(Minutes) :30

                  Session Cookie header name : X-SSO-Session

                   

                  Authentication

                  Anonymous access mode: Allow anonymous user

                  Authentication method: SAML

                  SAML host URI : https://a1234d.abc.com

                  (--------------https://a1234d.abc.com/qmc/ and https://a1234d.abc.com/hub---------------)

                  SAML entity Id : ssoqliksense

                  SAML Metadata IdP : uploaded the metadata

                  SAML attribute for userid : {id }

                  SAML attribute for user active-directory:{id}


                  And linked to default proxy. Let me know if you need any additional information



                   

                    • Re: QlikSense SAML
                      Jeffrey Goldberg

                      I wonder if Allow anonymous user is tripping it up.  What happens if you set to no anonymous users?  In addition, have you set up PF with the SP metadata from Qlik Sense?

                       

                      And to clarify, the userid attribute should be the attribute name or the schema reference url, and the user directory if static uses square brackets and not curly braces.

                       

                      jg
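The attribute naming point in the reply above can be checked against what the IdP actually sends. This is an added example, not part of the original thread and not Qlik's code: it decodes a base64 `SAMLResponse` form field (for instance one captured with Fiddler or the browser's developer tools) and reports whether a configured attribute name appears in the assertion. The sample response, the `check_mapping` helper and the exact-match comparison are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample response (not from a real IdP); names and values are made up.
SAMPLE_XML = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.strip().encode("utf-8")).decode("ascii")


def assertion_attributes(saml_response_b64):
    """Return {attribute Name: [values]} from a base64 SAMLResponse form field.

    Diagnostic only: no signature check, and an encrypted assertion yields {}.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iter(SAML + "Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(SAML + "AttributeValue")]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_mapping(saml_response_b64, configured):
    """Classify one virtual proxy attribute setting against the assertion."""
    configured = configured.strip()
    if configured.startswith("[") and configured.endswith("]"):
        return ("static", configured[1:-1])  # bracketed value is used literally
    values = assertion_attributes(saml_response_b64).get(configured)  # assumed exact match
    return ("found", values[0]) if values else ("missing", None)


if __name__ == "__main__":
    for setting in ("email", "uid", "[GOOGLE]", "{id }"):
        print(repr(setting), "->", check_mapping(SAMPLE_B64, setting))
```

A `missing` result for the user ID setting means the name typed in the QMC does not match any attribute `Name` in the assertion, which is the first thing to rule out before looking at certificates or metadata.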

                        • Re: QlikSense SAML
                          Logesh Jayaraman

                          Thanks Jg

                           

                          Do I need to do the same for the SAML attribute mapping? Brackets for both SAML and QlikSense attributes?

                           

                          SAML Attribute mapping

                           

                          SAML attribute  QlikSense Attribute

                          [id]                     [id]

                            • Re: QlikSense SAML
                              Jeffrey Goldberg

                              If they are static (meaning that you aren't using an OID or schema definition) you need the brackets.  The SAML attribute and the Qlik Sense attribute do not need to have the same name.

                               

                              jg

                                • Re: QlikSense SAML
                                  Logesh Jayaraman

                                  Thanks jg

                                   

                                  When I try the URL servername/hub/saml, it redirects to Windows authentication. If I try servername/prefix, I get the error "No available qliksense engine was found refresh your browser or contact your administrator."

                                  Is there any port that has to be changed, or any log files? How do I look at the request and response flow? I tried with Fiddler but didn't get anything.

                                    • Re: QlikSense SAML
                                      Jeffrey Goldberg

                                      OK, so with all virtual proxies (ticketing, header, session, or SAML) the prefix is mandatory, or you are going to go to the central proxy virtual proxy, which is going to pop up Windows authentication. So you do need to do this:

                                       

                                      https://servername/virtualProxyprefix/hub

                                       

                                      As for ports, no ports should have to change.

                                       

                                      Logs are located in c:\programdata\qlik\sense\logs\proxy\trace and the audit proxy log.

                                       

                                      servername/hub/saml is not valid.

                                       

                                      Try the servername/virtualproxy/hub and see if you get redirected to PF.  Check the logs and if you want attach them here and I can take a look.

                                       

                                      jg

                                        • Re: QlikSense SAML
                                          Logesh Jayaraman

                                          Is there any way I can send the log only to you?

                                          • Re: QlikSense SAML
                                            Eric Clutario

                                            Hi,

                                             

                                            I am trying to SAML-authenticate Qlik Sense with Google as my identity provider and have followed the instructional video and your instructions from this thread. The error I am getting is "The user cannot be authenticated by the SAML response through the following proxy: QlikSense"

                                             

                                            QlikSense is my virtual proxy. Here's the configuration

                                             

                                            Identification

                                            Description: SSSO authentication with Google

                                            Prefix : sso

                                            Session inactivity Timeout(Minutes) :30

                                            Session Cookie header name : X-Qlik-Session-SSO

                                             

                                            Authentication

                                            Anonymous access mode: No anonymous user

                                            Authentication method: SAML

                                            SAML host URI : https://testdashboard.irri.org

                                            SAML entity Id : sso

                                            SAML Metadata IdP : uploaded the metadata in QMC

                                            SAML attribute for userid : email

                                            SAML attribute for user active-directory: [GOOGLE]


                                            have linked to default proxy Central.


                                            The link https://testdashboard.irri.org/sso produces the error I mentioned above. The Google part seemed to be working as it passes through Google authentication:


                                            Google login window:

                                            Screen Shot 2016-06-15 at 9.54.43 AM.png

                                            2 factor authentication


                                            Screen Shot 2016-06-15 at 9.54.29 AM.png


                                            then the error in Qlik


                                            Screen Shot 2016-06-15 at 9.55.04 AM.png

                                            Any idea where to look at to fix this?

                                             

                                            Thanks!

                                             

                                            Eric

                                            • Re: QlikSense SAML
                                              Naman Mittal

                                              Hi Jeffrey,

                                               

                                              I was successful in implementing SSO b/w QlikSense & Salesforce with one user.

                                              Now when I log in to QlikSense hub via sfdc it redirects me to the Salesforce login page (okay), but when I log in with another Salesforce user, it is giving me the same error as in the screenshot above.

                                              Can't know the reason. Maybe I didn't have that user in QS mapped.

                                              How can I correct this? Urgently.

                                • Re: QlikSense SAML
                                  Nithesh Kattekola

                                  Hi All,

                                   

                                  I have integrated SAML with 1 proxy node for PF IDP which works fine. Now I have added one more proxy node and I have linked the same node in SAML virtual proxy. When I try to access https://localhost/saml/hub I get below error.

                                   

                                  Do I need to do anything on top of this?

                                   

                                  Thanks for your help in advance.

                                   

                                   

                                  Please help!!

                                   

                                    • Re: QlikSense SAML
                                      Senthil Kumar

                                      Immediately after seeing this error, look at the log file ????_audit_proxy.txt (found under c:\programdata\qlik\sense\logs\proxy\trace\) and check the last few entries.

                                       

                                      The log file will tell you why the authentication is failing. It could be your ID provider rejecting the request. Find out if something was changed in your ID provider side. If you have changed/updated your security certificate recently, you may have to send your metadata again to the ID provider and get it imported there.