Skip to main content

Security Assertion Markup Language (SAML) single sign-on (SSO)

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties (for example, between an identity provider and a service provider). SAML is typically used for web browser single sign-on (SSO).

How SAML works

The identity provider (IdP) is used for authentication. When the identity provider has asserted the user identity, the service provider (SP) can give the user access to their services. Because the identity provider has enabled SSO, the user can access several service provider sites and applications without having to log in at each site.

The SAML specification defines three roles:

  • Principal: Typically a user
  • IdP: The identity provider
  • SP: The service provider

The principal requests a service from the SP, which requests and obtains an identity assertion from the IdP. Based on the assertion, the SP decides whether or not to perform the service requested by the principal.

SAML in Qlik NPrinting

Qlik NPrinting supports SAML 2.0 by:

  • Implementing a service provided it can integrate with external identity providers
  • Supporting HTTP Redirect Binding and HTTP POST Binding for SAML responses
  • Supporting SAML properties for access control of resources and data


  • Qlik NPrinting does not sign the SAML authentication request. This means that identity providers that require the SAML authentication request to be signed are not supported.
  • SAML response encryption is not supported, so encrypted messages or attributes are not read by Qlik NPrinting.
  • SAML single logout is not supported.
Information note

You must enable Windows authentication to use the Qlik NPrinting On-Demand Add-on on QlikView Web server and Qlik Sense.

If you only want to use SAML authentication, then you must install the Qlik NPrinting On-Demand Add-on on a QlikView Server configured on a Microsoft IIS Web Server.

Installing On-Demand Add-on on a Microsoft IIS hosted QlikView AccessPoint

Qlik NPrinting web console and NewsStand configurations

Since Qlik NPrinting web console and NewsStand have different web addresses you must setup two different SAML connections to make both work.

Identity provider initiated SSO

With identity provider initiated SSO, the user logs in directly to the identity provider, which performs the SSO authentication.

When the authentication flow starts from the identity provider, the user is redirected to the Qlik NPrinting dashboard for Qlik NPrinting web console, or to the NewsStand home page.

Service provider initiated SSO

With service provider initiated SSO, the user starts at the service provider site. Instead of logging in at the service provider site, SSO authentication is initiated with the identity provider. In this authentication process, Qlik NPrinting plays the role of a service provider. Based on your SAML configuration, the Qlik NPrinting login page displays a button for each of your identity providers. When you click a button, you are redirected to the identity provider site for authentication. If you are already logged in the identity provider directs you to the Qlik NPrinting dashboard.


The service provider (Qlik NPrinting) needs configuration information from an identity provider. This information is available as an identity provider metadata file that can be downloaded and delivered to the service provider for easy configuration. The identity provider metadata is uploaded from the Qlik NPrinting SAML configuration page.

Not all identity providers support downloading metadata files. If download is not supported, the metadata file can be created manually.

Qlik NPrinting provides the identity provider with service provider metadata, that is downloaded from the SAML configuration list page. The metadata includes the following information:

  • Assertion consumer service (ACS) URL
  • Entity ID

Qlik NPrinting requires the following information in the identity provider metadata:

  • Certificate
  • Entity ID
  • HTTP-Redirect location
Information noteWhen reading the certificate to verify the SAML response signature, Qlik NPrinting will use the first certificate with the "signing" attribute. If the IdP metadata provided contains more than one certificate with the "signing" attribute, and it does not use the first one to sign responses, the signature verification will fail. You must remove the unused certificate from your IdP metadata file before uploading it to Qlik NPrinting.