3 Replies Latest reply: Feb 3, 2017 9:27 AM by Ahmed Syed RSS

    QlikSense redirect via IIS, SAML virtual proxy

    Justin Wood

      Good morning folks,

       

      We're in the process of implementing a multi layered Qlik Sense environment. We have a load balancer F5 BIGIP out front that then directs traffic to one of two rim/proxy nodes in a DMZ that then talk to a Central Node behind a protected network. I've completed implementing the SAML piece on virtual proxies attached to the two proxy nodes. I have also tested Qlik Sense using the windows auth default node successfully but we do not want users to land on the windows authentication piece, we only want users to hit the virtual proxy with the SAML authentication enabled.


      If I input our VIP from the F5 with /saml/ on the end, it works properly but we do not want to have to provide a URL for users past the initial VIP for simplicity's sake. I was attempting to use IIS to perform an HTTP redirect but it doesn't appear to capture the traffic, the default node grabs it instead. Does anyone know if it is possible to use IIS to redirect from the incoming request (the Nodes are using a certificate that I put in place) to the virtual proxy? My http redirect is very simple, just gives the server and path locally for the SAML node as if I use the VIP/saml/ from there, the DNS entry will force it to go back out to the beginning of the loop so it redirects to https://servername/saml/ and is set to send all traffic there, but upon testing, I go straight to the default windows auth node.

       

      I've looked at the fact that people are using NGINX but I have had no experience with that software and the examples other people are using are more for http and re-wrapping the ports into one, which might be useful to us, but I'm not certain how to make all the necessary pieces work and not having that familiarity, I'm not certain it would be the smartest move to put something I can't easily troubleshoot into production play.

       

      Thank you for any advice, help or tips, if I can provide more info, please let me know:

      Qlik Sense 2.2

      2 proxy nodes on DMZ - Server 2012 R2

      1 central node on protected network - Server 2012 R2

      Using basic HTTP redirection on the server level, when i tested setting up the redirect at the site level, it clashed with the base setup for 443 already being in use.

       

      thanks again,

      Justin Wood

      University of Virginia

      Enterprise Systems & Computing Platforms