1 Reply. Latest reply: Jun 28, 2016 3:15 PM by Mahendra Krish

    Qlik Sense SAML Issue

    Mahendra Krish

      We are trying to integrate Qlik Sense with Oracle Access Manager (OAM) for SAML SSO. Qlik Sense is the SP and OAM is the IDP.

      We have followed the documentation for SAML configuration. While testing Qlik Sense, we are getting the below error.

      Error 400 - Bad request

      Contact your Qlik Sense administrator. The user cannot be authenticated by the SAML response through the following virtual proxy: SAML

      There are no errors logged in the OAM (IDP) logs. Here is the SAML response generated.

      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
        xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        Destination="https://qlik.company.com:443/saml/samlauthn/"
        ID="id-nx5QbHnpTnhU9kIZb6XFk-N6LMm-h1Q4-fqxK-FZ"
        InResponseTo="_a81cdcd1-6a08-4edb-afc7-70e4f7425459"
        IssueInstant="2016-06-22T20:00:29Z"
        Version="2.0"
        >
        <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso.company.com/oamfed</saml:Issuer>
        <dsig:Signature>
          <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <dsig:Reference URI="#id-nx5QbHnpTnhU9kIZb6XFk-N6LMm-h1Q4-fqxK-FZ">
              <dsig:Transforms>
                <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </dsig:Transforms>
              <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <dsig:DigestValue>lqWyIV+BRIp8ym3bLZCp8TU5P6s=</dsig:DigestValue>
            </dsig:Reference>
          </dsig:SignedInfo>
          <dsig:SignatureValue>YE+1WRtkmfQZbHS1LCA954RKtsMTJQEYuXlPCcqKw1kuh/TVDSyYFBgfRUj2OeNqutXuib5/Iolole4oi4wjtSaeCLoI32Fh45nlC1wzR9MKNeJnFsxsLMbApWUawk76WCRDaHKaXo3P/vCif6rhbvTJtUHNrSOvADJkIQ/lMO91pd5hTyWyua13tUrCvR2DgzzGAB/uxVp1yLDzEokWw9mZDei0n5/5MK/tlbNERtzgRvle1U4EX6552BVyJtdccbvWL4bL/dUi2YNpL0jBHarauJQwoLxtWtJ2v1PolInLkVaQzMJHBvZgOD5Fp4ja2GHiMGZdNsPLf4ui0WwHGg==</dsig:SignatureValue>
        </dsig:Signature>
        <samlp:Status>
          <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
          </samlp:StatusCode>
          <samlp:StatusMessage>User is not authorized to perform Federation SSO</samlp:StatusMessage>
        </samlp:Status>
      </samlp:Response>

      I have also found that the SAML authentication request did not have the AssertionConsumerServiceURL, NameIDPolicy and ProviderName parameters. The SAML response contains the status code RequestDenied, which means the IDP denied the request because of insufficient data in the SP request.

      Please suggest if this is a configuration issue in Qlik Sense or a bug.

      Thanks
      Mahendra.

        • Re: Qlik Sense SAML Issue
          Mahendra Krish

          Hi All,

          The issue has been resolved. First, the IDP had an authorization problem, and once it was fixed it was able to send a successful SAML token. The second issue was that the userid sent from the IDP in the NameID value was not matching the Qlik Sense user attribute provided in the virtual proxy.

          In the IDP, I have specified uid as the Name ID value and am sending a couple of attributes such as email, etc. In Qlik Sense, specify the user attribute name such that the Name ID value matches that attribute value.

          Please get back to me if you need any more details.

          Thanks
          Mahendra.
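
The two failure stages described in this thread (the IDP returning a non-Success status, then a NameID that does not match the user attribute configured on the SP side) can be told apart by inspecting the decoded response. The following is an added example, not part of the original posts and not Qlik or Oracle code; the function names, the `sp_user_attribute` parameter and the sample responses are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def diagnose(response_xml, sp_user_attribute):
    """Report at which stage a decoded SAML response would fail.

    Troubleshooting aid only: the XML signature is NOT verified here, so the
    result must never be used to make an authentication decision.
    sp_user_attribute (hypothetical parameter) is the attribute name the SP
    is configured to read the user ID from.
    """
    root = ET.fromstring(response_xml)
    # Status codes nest: the top-level code comes first, then any sub-code.
    codes = [c.get("Value") for c in root.iterfind("samlp:Status//samlp:StatusCode", NS)]
    message = root.findtext("samlp:Status/samlp:StatusMessage", default="", namespaces=NS)
    if not codes or codes[0] != SUCCESS:
        # The IDP refused the request; no assertion exists to inspect.
        return {"ok": False, "stage": "idp", "codes": codes, "detail": message}
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}
    values = attrs.get(sp_user_attribute, [])
    if name_id is None or name_id not in values:
        return {"ok": False, "stage": "sp-mapping", "codes": codes,
                "detail": f"NameID {name_id!r} not among {sp_user_attribute!r} values {values}"}
    return {"ok": True, "stage": "done", "codes": codes, "detail": name_id}

# Constructed sample: only the Status element of the response quoted in the thread.
DENIED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode>
<samlp:StatusMessage>User is not authorized to perform Federation SSO</samlp:StatusMessage>
</samlp:Status></samlp:Response>"""

def sample_success(name_id, attr_name, attr_value):
    """Build a constructed, unsigned Success response with one attribute."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
<saml:AttributeStatement><saml:Attribute Name="{attr_name}">
<saml:AttributeValue>{attr_value}</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(diagnose(DENIED, "uid"))                                             # IDP-side denial
    print(diagnose(sample_success("jdoe", "email", "jdoe@example.com"), "email"))  # mapping mismatch
    print(diagnose(sample_success("jdoe", "uid", "jdoe"), "uid"))              # NameID matches attribute
```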