Configuring Active Directory Federation Services as a SAML identity provider
This topic describes how to set up Active Directory Federation Services (AD FS) as an identity provider for Qlik Cloud.
Prerequisites
Ensure that you have a fully functioning installation of Active Directory Federation Services (AD FS) and a set of users within your Active Directory (AD).
Download the AD FS server metadata
Retrieve the metadata for your AD FS server, as it will be needed for later configuration in Qlik Cloud.
Download the metadata file by accessing the following URL:
Create an IdP configuration in Qlik Cloud
Log in to Qlik Cloud as a tenant admin to create an IdP configuration.
Do the following:
- In the Administration activity center, go to Identity provider and click Create new.
- For Type, select SAML.
- For Provider, select ADFS.
- Optionally, provide a description for the IdP configuration.
- Select Use IdP metadata.
- Under SAML IdP metadata, click Upload file and select the metadata file downloaded from AD FS.
- Click Create.
- In the Create interactive identity provider dialog, clear the Validate IdP checkbox, and then click Create.
  This creates the IdP configuration without immediate validation. Validation will be performed at a later stage.
- Locate the IdP configuration you just created, click , and select View provider configuration.
  The service provider metadata is displayed.
- Click Download metadata to download the Qlik Cloud metadata file.
- Click Download signing certificate to download the Qlik Cloud signing certificate.
Configure a SAML application in AD FS
Set up a SAML application in AD FS to establish trust with your Qlik Cloud tenant as a service provider (SP).
Do the following:
- Log in to your Windows server hosting AD FS using administrator credentials.
- Open the AD FS Management application.
- Right-click Relying Party Trusts and select Add Relying Party Trust.
- In the Add Relying Party Trust Wizard, select Claims aware and click Start.
- Select Import data about the relying party from a file. Browse to the Qlik Cloud metadata file saved earlier, and then click Next.
- Enter a Display name, such as Qlik Cloud, and click Next to proceed.
- Choose the appropriate access control policy and click Next. Click Next once again to confirm the configuration.
- Select Configure claims issuance policy for this application and click Close.
- In the Edit Claim Rules dialog, click Add Rule.
- Select Send LDAP Attributes as Claims and click Next.
- Provide a Claim rule name and select your Attribute store from the list, for example, Active Directory.
- Configure the following mappings (or customize them based on your organization's specific requirements):
  - SAM-Account-Name to Name ID
  - Display-Name to Name
  - E-Mail-Addresses to E-Mail Address
  - Token-Groups - Unqualified Names to groups
- Save the changes.
- Go to the Properties for the Qlik Cloud relying party and select the Signature tab.
- Click Add, and then locate the Qlik Cloud signing certificate that you downloaded earlier.
- Save the changes.
AD FS is now set up to validate SAML request signatures. Return to Qlik Cloud to initiate the validation process.
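As an added example, not from the Qlik documentation or from Qlik, the same relying party trust, claim rules and signature certificate can be configured from PowerShell on the AD FS server instead of through the wizard, and then checked. The file paths, the "Permit everyone" access control policy name and the claim rule language translation of the four UI attribute mappings are assumptions to adjust for your environment.

```powershell
# Added example (not Qlik's code): build the Qlik Cloud relying party trust from PowerShell.
# Assumptions: the SP metadata and signing certificate were saved to the paths below, and
# the display name matches the one entered in the wizard.
Import-Module ADFS

$spMetadata    = 'C:\QlikCloud\sp-metadata.xml'         # from "Download metadata"
$spSigningCert = 'C:\QlikCloud\qlik-cloud-signing.cer'  # from "Download signing certificate"
$rpName        = 'Qlik Cloud'

# Claim rule language equivalent of the "Send LDAP Attributes as Claims" mappings:
#   SAM-Account-Name -> Name ID, Display-Name -> Name,
#   E-Mail-Addresses -> E-Mail Address, Token-Groups - Unqualified Names -> groups
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Qlik Cloud user claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "groups"),
          query = ";sAMAccountName,displayName,mail,tokenGroups;{0}",
          param = c.Value);
'@

# Load the Qlik Cloud certificate that AD FS will use to verify signed SAML requests
# (the equivalent of adding it on the Signature tab).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($spSigningCert)

# Create the trust from the SP metadata (equivalent of "Import data about the relying
# party from a file"), attach the claim rules and the request signing certificate.
# "Permit everyone" is an assumed policy; choose the one your organization requires.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataFile $spMetadata `
    -IssuanceTransformRules $claimRules `
    -RequestSigningCertificate $cert `
    -AccessControlPolicyName 'Permit everyone'

# Registering the certificate lets AD FS verify signatures; to reject unsigned
# AuthnRequests outright, also require them (a hardening step beyond the wizard defaults).
Set-AdfsRelyingPartyTrust -TargetName $rpName -SignedSamlRequestsRequired $true

# Verification: confirm the trust, the signing certificate and the claim rules.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, SignedSamlRequestsRequired, AccessControlPolicyName
$rp.RequestSigningCertificate | Select-Object Subject, Thumbprint, NotAfter
$rp.IssuanceTransformRules
```

Compare the Thumbprint shown in the last step with the certificate downloaded from Qlik Cloud before running the validation wizard.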
Validate your identity provider in Qlik Cloud
After successfully setting up AD FS, you can validate the IdP configuration in Qlik Cloud.
Do the following:
- In the Administration activity center, go to Identity providers.
- On your AD FS IdP configuration, click and select Validate.
- Follow the steps in the validation wizard to perform a login as the user added to the AD FS application. Verify that the user profile data is correct.
You will be presented with the options to promote the user to a Qlik Cloud tenant admin and to activate the IdP. Note that activating the IdP will deactivate any previously configured interactive identity provider in the tenant.