1 Reply. Latest reply: Aug 23, 2017 3:05 PM by Lauri Scharf

    Qlik Sense SAML - Certificates

    Mihai Hutanu

      Dear All,

      I need some help configuring Qlik Sense authentication integration with ECAS via SAML. I need to understand better how these certificates work. Kindly advise on the following:

      1. Where do I take the Cert Footprint to put it in the config of the Proxy to which the SAML Virtual Proxy is attached?

      Here is what I have done: Generated a self-signed certificate via QMC and sent it to the ECAS team. Online documentation is saying I should use the footprint of that certificate (if I got it right). Does this mean I have to import it on the server? Or if not, then what footprint am I looking at? Qlik Sense has certificates in different stores (Local Computer\Personal, Local Computer\Trusted Cert Authorities, User\Personal, User\Trusted Cert Authorities, etc). Besides that, the Proxy is on a RIM node. So do I take the Cert Footprint from this RIM Node or from the Central Node?

      2. I am using the latest Qlik Sense version - 3.2.4. I checked the certificates and they say the signature algorithm is SHA-256. But I found some online documentation of users having similar problems, and saying the issue is caused by self-signed certs being SHA-1. Did anything change in Qlik Sense and it now generates SHA-256 certs or am I missing something?


      Any help will be much appreciated!


      Kind regards,

      Mihai

        • Re: Qlik Sense SAML - Certificates
          Lauri Scharf

          Mihai,

          You may already have resolved this, but if not, you need to grab the cert's Thumbprint (not footprint). Go to the cert itself, open its properties, and copy its thumbprint, which is a long string of numbers and spaces. Paste that into the Proxy in QMC.

          I have seen documentation saying to install your cert under machine account > Personal Certificates. I have also gotten advice to (a) ALSO put it in the trusted root certs and (b) NOT put it in the Personal certs but ONLY the trusted root. So I'm not sure what the final answer is.

          Regarding SHA-1 vs. SHA-256, I'm not sure. Documentation indicates you should choose the same as what your cert is.

          HTH
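
Added example (not part of the original thread and not Qlik's own code): a PowerShell sketch that lists the certificates in the Windows stores named in the question, showing each thumbprint next to the certificate's signature algorithm, and that normalizes a thumbprint pasted from the certificate dialog before looking it up. The function names are hypothetical, and the script only reports which store holds which certificate; it does not decide which store Qlik Sense expects.

```powershell
# Stores named in the question, as PowerShell Cert: drive paths.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root',
          'Cert:\CurrentUser\My',  'Cert:\CurrentUser\Root'

function Get-CertSummary {
    param([string[]]$Path = $stores)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        foreach ($p in $Path) {
            Get-ChildItem -Path $p -ErrorAction SilentlyContinue | ForEach-Object {
                # The Windows thumbprint is the SHA-1 hash of the DER-encoded certificate.
                # It is computed over the whole cert and is separate from the algorithm
                # the issuer used to sign it (e.g. sha256RSA).
                $hash = [System.BitConverter]::ToString($sha1.ComputeHash($_.RawData)) -replace '-', ''
                [pscustomobject]@{
                    Store              = $p
                    Subject            = $_.Subject
                    Thumbprint         = $_.Thumbprint
                    MatchesSha1OfCert  = ($hash -eq $_.Thumbprint)
                    SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName
                    HasPrivateKey      = $_.HasPrivateKey
                    NotAfter           = $_.NotAfter
                }
            }
        }
    }
    finally { $sha1.Dispose() }
}

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Text)
    # Text copied from the certificate properties dialog contains spaces and can carry
    # an invisible leading character; keep only the hex digits.
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Expected 40 hex characters, got $($clean.Length)." }
    $clean
}

function Find-CertByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $wanted = ConvertTo-CleanThumbprint $Thumbprint
    Get-CertSummary | Where-Object { $_.Thumbprint -eq $wanted }
}

# Run on the node that hosts the proxy to see which certificates are in which store.
Get-CertSummary | Format-Table Store, Subject, Thumbprint, SignatureAlgorithm, HasPrivateKey -AutoSize
```

`Find-CertByThumbprint` takes the string exactly as pasted from the dialog and returns one row per store that contains the certificate, so the same call on the RIM node and on the central node shows where it is actually installed.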