This article provides step-by-step instructions for implementing Azure AD as an identity provider for Qlik Cloud. We cover configuring an App registration in Azure AD and configuring group support using MS Graph permissions.
It guides the reader through adding the necessary application configuration in Azure AD and Qlik Sense Enterprise SaaS identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their Azure AD credentials.
Content:
Throughout this tutorial, some words will be used interchangeably.
The tenant hostname required in this context is the original hostname provided to the Qlik Enterprise SaaS tenant.
Copy the "value of the client secret" and paste it somewhere safe. After saving the configuration, the value will become hidden and unavailable.
In the OpenID permissions section, check email, openid, and profile. In the Users section, check user.read.
Failing to grant consent to GroupMember.Read.All may result in errors authenticating to Qlik using Azure AD. Make sure to complete this step before moving on.
In this example, I had to change the email claim to upn to obtain the user's email address from Azure AD. Your results may vary.
While not hard, configuring Azure AD to work with Qlik Sense Enterprise SaaS is not trivial. Most of the legwork to make this authentication scheme work is on the Azure side. However, it's important to note that without making some small tweaks to the IdP configuration in Qlik Sense you may receive a failure or two during the validation process.
For many of you, adding Azure AD means you potentially have a bunch of clean up you need to do to remove legacy groups. Unfortunately, there is no way to do this in the UI but there is an API endpoint for deleting groups. See Deleting guid group values from Qlik Sense Enterprise SaaS for a guide on how to delete groups from a Qlik Sense Enterprise SaaS tenant.
Qlik Cloud: Configure Azure Active Directory as an IdP
After an upgrade to or a fresh installation of Qlik Replicate 2023.11 (builds GA, PR01, and PR02), Qlik Replicate reports errors for MySQL or MariaDB source endpoints. The task retries the source capture process over and over but fails; Resume and Startup from timestamp lead to the same result:
[SOURCE_CAPTURE ]T: Read next binary log event failed; mariadb_rpl_fetch error 0 () [1020403] (mysql_endpoint_capture.c:1060)
[SOURCE_CAPTURE ]T: Error reading binary log. [1020414] (mysql_endpoint_capture.c:3998)
Upgrade to Replicate 2023.11 PR03 (coming soon)
If you are running 2022.11, then keep running it.
No workaround for 2023.11 (GA, or PR01/PR02).
Jira: RECOB-8090, Description: MySQL source fails after upgrade from 2022.11 to 2023.11
There is a bug in the MariaDB library version 3.3.5 that we started using in Replicate in 2023.11.
The bug was fixed in MariaDB library version 3.3.8, which will be shipped with Qlik Replicate 2023.11 PR03 and later versions.
support case #00139940, #00156611
Replicate - MySQL source defect and fix (2022.5 & 2022.11)
Qlik Sense supports Web Content Accessibility (WCAG 2.0 compliant).
When using the Qlik Sense hub, this is available by default, however, in a mashup, some work is needed from the mashup developer to make the mashup accessible.
This article provides an example of a mashup that is compliant with Web Content Accessibility. Find the attachment below.
The example is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
This article goes over how to use LDAP filters and common examples when setting up Qlik Sense User Directory Connector (UDC).
Note: Qlik Support has no scope in assisting in composing an LDAP filter that fits the environment needs. If further assistance is needed, please see How and When to Contact the Consulting Team?
AD and Qlik Sense must be within the same Domain. If they are in different domains, refer to the article "Users of a different Active Directory, but with membership to a group in the same Domain as the QlikSense server, are not synced".
Notes:
1. (Optional) Create a group that the filter will be based on. For example, "SenseUsers" group with 4 users is created in AD:
2. Recommended: Mark all RootAdmins as Delete Prohibited to prevent locking oneself out of the QMC, see How to avoid the RootAdmin(s) from becoming inactive
3. In this article, we will use native Windows tools to preview the LDAP query. Third party tools like LDAP Admin or LDAP Browser by Softerra are also valid tools to use.
4. On the Windows Server, open the Server Manager:
5. Click on Manage then Add Roles and Features:
6. If Before You Begin is displayed, click Next
7. On Installation Type, select Role-based or feature-based installation:
8. On Server Selection, select the server that you are working with
9. Next navigate to Features, and select the Active Directory Administrative Center option:
10. Confirm that this is the feature(s) that you want to install and allow the installation to complete
11. After the installation completes, Click Start then select Administrative Tools and open the Active Directory Users and Computers module
12. The main domain that the server is on should automatically be present, so right click on the domain and select Find:
13. In the Find section select Custom Search:
14. Write out your potential LDAP filter and ensure that it selects all the expected users:
15. Once you have an LDAP filter which works correctly outside of Qlik Sense, then navigate in the QMC to User Directory Connectors > edit the pre-existing Active Directory Connector > ensure that the Advanced section is displayed and paste in the LDAP filter. At this step you should unselect the Sync user data for existing users toggle:
16. The rationale for unselecting the Sync user data for existing users toggle is as follows. If you are already filtering the results from AD, then it makes sense to pull in the entire set of the filtered subset of users. This step isn't strictly speaking required but if you opt for the route of using an LDAP filter then it makes logistical sense to pull in all the users in the filtered subset.
17. Save the changes and go back to the root of the User Directory Connectors section and sync the altered Connector:
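An added example (not Qlik's code) of composing the kind of group-based filter that steps 14 and 15 test and paste, including the nested-groups extended match rule named in the related links. The group DNs and the function names are constructed for illustration.

```python
# Added example, not Qlik's code: compose the AD LDAP filter for a UDC.
# The group DNs used below are constructed placeholders.
NESTED_RULE = "1.2.840.113556.1.4.1941"   # AD extended match: LDAP_MATCHING_RULE_IN_CHAIN
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD extended match: LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 2                        # userAccountControl flag for a disabled account


def escape_filter_value(value: str) -> str:
    """Escape a value per RFC 4515 so it cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def group_filter(group_dn: str, nested: bool = False, skip_disabled: bool = True) -> str:
    """Filter selecting user objects that are members of group_dn.

    nested=True also matches users who are members through nested groups.
    """
    attr = f"memberOf:{NESTED_RULE}:" if nested else "memberOf"
    clauses = [
        "(objectCategory=person)",
        "(objectClass=user)",
        f"({attr}={escape_filter_value(group_dn)})",
    ]
    if skip_disabled:
        clauses.append(f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))")
    return "(&" + "".join(clauses) + ")"


def is_balanced(ldap_filter: str) -> bool:
    """Cheap syntax check before pasting: parentheses must pair up.

    Escaped parentheses (\\28, \\29) are plain text and are not counted.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    dn = "CN=SenseUsers,OU=Groups,DC=example,DC=com"  # constructed placeholder DN
    print(group_filter(dn))
    print(group_filter(dn, nested=True, skip_disabled=False))
```

The printed string is what goes into the Custom Search box and, once it returns the expected users, into the LDAP filter field of the connector.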
Qlik Sense: How to connect to AD using "Active Directory" UDC
How to get LDAP filters for Active Directory groups from users already in Qlik Sense
LDAP filter to only include all users in a certain Organizational Unit (OU) into Qlik Sense
Retrieve OU (Organizational Unit) users from Active Directory LDAP Filter
Video: Qlik Sense Platform - Qlik Management Console - User Directory Connector - Part 5
ADSI - Search Filter Syntax - Extended match operator / Nested groups rule
Qlik NPrinting and Qlik Sense are installed on Azure cloud machines. The configuration respects all the requirements. In particular, the NPrinting Engine user is present on both the NPrinting and Sense servers with the same domain and SSID.
The Metadata reload test fails with a "Not a domain user" message. On the other side, the Metadata reload is successful when launched (ignoring the Test error) even if the NPrinting Engine logs show these error and warning messages:
Engine.Navigator.QlikSense.SDK.QlikSenseDiagnose 20231128T103337.642+01:00 ERROR NP-SERVER _NAME 0 0 0 0 0 0 0 0 PerformDiagnosis found a problem. ERROR: System.Exception: Not a domain User : Domain\NPUser↓↓ at Engine.Navigator.QlikSense.SDK.QlikSenseDiagnose.<>c__DisplayClass8_0.<PerformDiagnosis>b__3() in C:\Jws\release-may2023-SwCB9Sd4b\server\NPrinting\src\Engine.Navigator.QlikSense.SDK\QlikSenseDiagnose.cs:line 90↓↓ at Engine.Navigator.QlikSense.SDK.QlikSenseDiagnose.GetStep(DiagnoseStep step, Action stepCode) in C:\Jws\release-may2023-SwCB9Sd4b\server\NPrinting\src\Engine.Navigator.QlikSense.SDK\QlikSenseDiagnose.cs:line 40
Engine.Navigator.QlikSense.SDK 23.20.5.0 Engine.Navigator.QlikSense.SDK.QRSApi
20231128T103350.840+01:00 WARN NP-SERVER _NAME 0 0 0 0 0 0 0 0 Domain user check failed for Domain\NPUser. ERROR: System.Runtime.InteropServices.COMException (0x8007200A): The specified directory service attribute or value does not exist.↓↓↓↓ at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)↓↓ at System.DirectoryServices.DirectoryEntry.Bind()↓↓ at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()↓↓
Ignore the error message and proceed with the metadata reload.
According to the current analysis, the error message is shown because Azure does not organize users and permissions as on-premise Windows servers do. NPrinting does not receive the expected answers from Azure AD Connect and interprets this as missing access levels in Azure during the connection tests.
On the other side, when the environment is correctly configured, the NPrinting Engine user has access to the Qlik Sense applications, so the metadata reload and the task executions are completed successfully at the end.
SAML is not supported by default in QlikView but can be implemented by creating a custom authentication module that will convert SAML requests/responses to QlikView Ticket to log the user in.
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, contact our Professional Services or engage in our QlikView Integrations forum.
Currently, this solution only works for SP initiated authentication. Making it work for IDP-initiated authentication might require further code changes in the library/module source code.
This has been tested with QlikView 12.10 SR7.
<GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx"/>
to
<GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx">
<TrustedIP>fe80::b178:730a:5c2a:86d2%11</TrustedIP>
</GetWebTicket>
public void ValidateAttribute(SamlAttribute samlAttribute)
{
if (!Uri.IsWellFormedUriString(samlAttribute.Name, UriKind.Absolute))
throw new DKSaml20FormatException("The DK-SAML 2.0 profile requires that an attribute's \"Name\" is an URI.");
after
public void ValidateAttribute(SamlAttribute samlAttribute)
{
/*
if (!Uri.IsWellFormedUriString(samlAttribute.Name, UriKind.Absolute))
throw new DKSaml20FormatException("The DK-SAML 2.0 profile requires that an attribute's \"Name\" is an URI.");
*/
<QlikViewSaml
accessPointUrl="https://qlikserver1.domain.local/"
authenticatePage="QvAjaxZfc/Authenticate.aspx"
webTicketPage="QvAjaxZfc/GetWebTicket.aspx"
tryPage="https://qlikserver1.domain.local/qlikview/"
backUrl="https://qlikserver1.domain.local/webticketerror.html" />
Replace https://qlikserver1.domain.local/ with your QlikView server URL in the above code.
<AllowedAudienceUris>
<Audience>https://qlikserver1.domain.local</Audience>
</AllowedAudienceUris>
<Federation xmlns="urn:dk.nita.saml20.configuration">
<SigningCertificate findValue="CN=qlikserver1" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>
*In this case, we use a certificate that has "CN=qlikserver1" as its distinguished name.
<IDPEndPoints metadata="C:\idpdata\">
...
See the Qlik Online Help for general information about Qlik Sense and AWS deployments. The content may change depending on the version of Sense.
In an Amazon Web Services (AWS) deployment, you install Qlik Sense Enterprise on an Amazon virtual private cloud infrastructure that is flexible, high-performance, and quick to set up.
Deploying Qlik Sense Enterprise on AWS will enable you to quickly add new applications in a simple and scalable manner. You can do this with a basic knowledge of AWS security and scalability options but without the need to follow complex on-premise installation and configuration procedures. Using AWS will enable you to get your Qlik Sense infrastructure up and running in a fraction of the time required for an on-premise deployment, and will enable you to scale your deployment quickly and easily, regardless of unexpected changes in demand.
You can deploy Qlik Sense to AWS manually, or you can use an Amazon Machine Image (AMI) available in the AWS Marketplace that includes Qlik Sense preinstalled. However, predefined images do not include a file share, so can only support single node Qlik Sense deployments.
Qlik Sense Enterprise on Windows deployment to AWS (about)
Preparing your Amazon AWS platform to install Qlik Sense Enterprise on Windows
Install Qlik Sense Enterprise on Windows on the AWS server
The attached document guides the reader through adding the necessary application configuration in AWS Cognito and Qlik Sense Enterprise SaaS (Qlik Cloud) identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their AWS Cognito credentials.
Content of the document:
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.
This video will demonstrate how to install and configure Qlik-CLI for SaaS editions of Qlik Sense.
Content:
get-command qlik
choco install qlik-cli
if ( -not (Test-Path $PROFILE) ) {
echo "" > $PROFILE
}
qlik completion ps > "./qlik_completion.ps1" # Create a file containing the powershell completion.
. ./qlik_completion.ps1 # Source the completion.
Advanced and additional instructions as seen in the video can be found at Qlik-CLI on Qlik.Dev. Begin with Get Started.
Qlik Enterprise Manager (QEM) allows Personal Access Token authentication with Okta. The token generation in QEM will fail if the incorrect variables have been passed in. Missing quotations on the variables will result in the variables being treated as "Null" values. The following error would be seen in the Enterprise Manager logs if null values are found.
Parameter name: s
System.ArgumentNullException: Value cannot be null.
Parameter name: s
at System.Runtime.InteropServices.Marshal.SecureStringToBSTR(SecureString s)
at Attunity.Infrastructure.Globals.Crypto.GetClearString(SecureString value)
at Attunity.Infrastructure.Globals.Authentication.OpenIdAuthClient..ctor(HttpClient httpClient, String authority, String clientId, String redirectUri, SecureString clientSecret, String additionalScopes, String openIdUserNameClaimType, String openIdDisplayNameClaimType, String openIdGroupClaimType)
at Attunity.Infrastructure.HostManager.HostManager.CreateOpenIdAuthClient()
at Attunity.Infrastructure.HostManager.RestHandler.OpenIdRedirect(OpenIdRedirectParams param)
Ensure the following variables are double-quoted and that the correct information from the Okta integration app is used:
Syntax
aemctl.exe configuration set --open_id_authority your-openid-connect-authority --open_id_client_id your-client-id --open_id_client_secret your-secret
Example using Okta
aemctl.exe configuration set --open_id_authority "https://dev-13465054.okta.com" --open_id_client_id "0oa8ohkl5ftweZNWTT5d7" --open_id_client_secret "FJxXqWOpJsROGrthsaVzfUIcNthG6JLA1-nAJH0"
Setting up Personal Access Token authentication for the API
Qlik Cloud allows for the configuration of independent identity providers, including Okta. The setup procedure for Okta and Qlik Cloud can be found here: How to configure Qlik Cloud with Okta.
During the setup process, you will be required to add an Authorization Server, an option which is only available if you have purchased Okta's API Access Management. Qlik provides a workaround in case you have not purchased this add-on and therefore do not have the Authorization Server option.
The workaround consists of selecting the "ADFS" provider while configuring Identity Provider in the Qlik Cloud management console, which will force Qlik Cloud to read the user information from the ID token instead of the userinfo endpoint.
Follow the steps outlined in How to configure Qlik Cloud with Okta, with the exception of configuring the Identity Provider in the Qlik Cloud Management console differently and skipping step 12 (adding the Authorization Server).
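The Azure AD note about switching the email claim to upn and the Okta workaround above both depend on which claims the ID token itself carries. The following added example (not Qlik's code) decodes a token's payload and reports which claim can feed each mapped field; the sample token, its values and the mapping are constructed assumptions.

```python
# Added example, not Qlik's code: inspect which ID-token claims can feed the
# IdP claim mapping. Token, claim values and mapping below are constructed.
import base64
import json


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified: this is for troubleshooting claim mapping,
    not for making an authentication decision.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def resolve_mapping(claims: dict, mapping: dict) -> dict:
    """For each target field, return the first candidate claim that is present
    and non-empty in the token, or None when no candidate is usable."""
    return {
        field: next((c for c in candidates if claims.get(c) not in (None, "", [])), None)
        for field, candidates in mapping.items()
    }


def _segment(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: as in the Azure AD case, there is no "email" claim and
# the address is carried in "upn". The signature segment is a dummy.
SAMPLE_ID_TOKEN = ".".join([
    _segment({"alg": "RS256", "typ": "JWT"}),
    _segment({
        "sub": "constructed-subject-id",
        "name": "Example User",
        "upn": "user@example.com",
        "groups": ["constructed-group-id-1", "constructed-group-id-2"],
    }),
    "ZHVtbXk",
])

# Hypothetical mapping: target field -> claims to try, in order.
MAPPING = {
    "sub": ["sub"],
    "name": ["name"],
    "email": ["email", "upn"],
    "groups": ["groups"],
    "picture": ["picture"],
}

if __name__ == "__main__":
    for field, claim in resolve_mapping(decode_claims(SAMPLE_ID_TOKEN), MAPPING).items():
        print(f"{field:8} <- {claim or 'MISSING from ID token'}")
```

A field that resolves to nothing here has to be added to the ID token on the IdP side or mapped to a different claim.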
How to configure Qlik Cloud with Okta
Identity Providers
Custom Auth Servers VS Org Auth Servers: https://developer.okta.com/docs/concepts/auth-servers/
In case you missed it, Google finally set Q3 2024 as the date for 100% blocking all content relying on third-party cookies rendered on web pages in Chrome. At Qlik, the date is not a surprise to us, and to all our customers who embed Qlik Sense, we appreciate your collaboration and patience. We’ve been working hard for two years to prepare our products to handle this change and the impact it has on your end users. Here’s some additional information we believe will help you understand the changes Google and other browser makers have made to their software and how to configure Qlik Cloud and Qlik Sense Enterprise Client-Managed to keep embedded analytics working smoothly with your web applications and mashups.
Browser makers are handling third-party cookie blocking in different ways. You can learn more about the browsers Qlik supports for Qlik Cloud and Qlik Sense Enterprise Client-Managed and how those browsers handle third-party cookies and the changes they’re making by reviewing Google's Privacy Sandbox pages, and Saying goodbye to third-party cookies in 2024. Here’s a quick recap for popular browsers:
Microsoft Edge & Mozilla Firefox do not currently break Qlik Sense embedding with default privacy or cookie configurations. Please refer to your browser provider for up-to-date information.
If you're embedding Qlik Sense into a web app or mashup, we recommend reviewing configurations and deployments end-to-end to ensure they implement best practices for operating in browsers blocking third-party cookies. By default, Qlik Cloud and Qlik Sense Enterprise Client-Managed utilize cookies to maintain an authenticated session between the client browser and Qlik services. Because of the browser changes your solution may not display embedded content. To mitigate this issue, you can augment your solution to change how Qlik maintains an authenticated connection from your application to Qlik Sense.
Since release at the end of 2022, embedding analytics from Qlik Cloud is possible using OAuth2 tokens for a cookie-less session. You can learn more by reading our authentication best practices for Qlik Cloud.
Using OAuth2 works with many of our embedding frameworks, including the new qlik-embed framework, capability APIs, nebula and enigma, and the various SDKs.
If you are using classic embedding libraries like the app integration and single integration APIs, you can use a session cookie proxy for Qlik Cloud, although you should look to use qlik-embed where possible in place of these experiences.
The easiest way to mitigate third-party cookie blocking is to use a trusted domain certificate issued by a valid certificate provider. This will enable your web application and the Qlik Sense server to share the same root domain name (e.g. example.com). Therefore, there will be no third-party cookie issue with embedded content between the Qlik server and your web application. The typical implementation uses a wildcard certificate so that your web application and the Qlik Sense server share the same root domain but have their own subdomain names. For example, with a wildcard certificate “*.example.com”, your web application would be “web-app.example.com”, and your Qlik server would be “qlik-sense.example.com”. You can learn more about adding a signed server certificate on help.qlik.com.
This guide provides the basic instructions on configuring Qlik Cloud with Okta as an identity provider.
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.
This must be the actual tenant name, not the alias.
For additional information on how to create new identity providers in Qlik Cloud, see Creating a new identity provider configuration.
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
Using Google as the IdP with the Qlik Sense Mobile (SaaS) app on either iOS or Android fails.
The following error is shown in the app:
Authorisation Error
Error 400: invalid_scope
Some requested scopes were invalid. {valid=[openid,
https://www.googleapis.com/auth/userinfo.profile,
https://www.googleapis.com/auth/userinfo.email],
invalid=[offline_access]}
Set the Block_offline_access scope in your Google IdP Advanced settings in the Qlik Cloud console.
Qlik Sense Mobile SaaS with Qlik Cloud
When using SAML or ticket authentication which started in Qlik Sense June 2019, some users belonging to a large number of groups see the error "Qlik Sense G3 Broker API" on the hub and cannot proceed further.
You may receive the following error when setting up the SAML virtual proxy: cachebust pending
Environments:
The only known workaround in the above versions is to reduce the number of groups sent in the SAML response or ticket request.
The fix for this defect is included in the following versions, but additional steps may be necessary:
All Versions
The default setting will still be a header size of 8192 bytes. The fix adds support for a configurable MaxHttpHeaderSize.
Steps:
[globals]
LogPath="${ALLUSERSPROFILE}\Qlik\Sense\Log"
MigrationPort=4545
(...)
MaxHttpHeaderSize=65534
Note: Above value (16384) is an example. You may need to set a higher value depending on the total number of characters of all the AD groups to which the user belongs. The max value is 65534.
Other Related Articles:
https://community.qlik.com/t5/Official-Support-Articles/Error-431-when-trying-to-access-the-Qlik-Sense-Management/ta-p/1789124
QB-234.
The steps below are for an example test setup of authentication using Auth0 as Identity Provider (IdP) with Qlik Sense Enterprise SaaS.
Environment:
Resolution:
The information in this article is provided as-is and to be used at own discretion. Ongoing support on the solution is not provided by Qlik Support.
Note: These steps assume an auth0 "Developer" account has already been created.
Create a new Application in Auth0.
Proceed with the following steps:
Creating a database connection in Auth0
Create a database connection and configure the application to use this connection.
Proceed with the following steps:
Creating a new user
If users are not in Auth0, proceed with the following steps:
Setup the Identity Provider in the Management Console within Qlik Sense Enterprise SaaS.
Related Content: