5 Replies Latest reply: Nov 10, 2017 2:30 PM by Carlos Agullo Perez RSS

    Multi-Node SAML with SSL - Isolate users to Engine nodes

    Alex Byrd



      Some details first:


      1. We have a multi-node site on Qlik Sense September 2017 consisting of 1 central node and 1 engine node in shared persistence.
      2. We are using auth0 SSO SAML for Authentication using a virtual proxy that's linked to the central node.
      3. The Auth0 callback is pointing to https://<dns>:443/<proxy>/samlauthn/
      4. The Virtual Proxy SAML Host URI and entity ID are both the DNS name.
      5. We have our SSL certificate and DNS configured and pointed towards the central node.
      6. The Central Node host is the DNS name (not the machine name or IP address).


      Ideally we would send users to only the Engine node after authentication through the virtual proxy (not load balancing with the central), currently they are only using the Central node and nobody has ever hit the Engine.


      When I link the virtual proxy to the Central node, and load balance with only the Engine, I get the auth0 login which is great. I then log in and get 'The service did not respond or could not process the request'. This error does NOT occur when I load balance with the Central node only.


      Reading Configuring load balancing to isolate development nodes ‒ Qlik Sense makes me believe we can have the Virtual Proxy linked to the Central node but how in the world do I send users to only the Engine?


      I can't figure it out! Do I do this with load balancing rules?


      Any help?