Security Assertion Markup Language (SAML) single sign-on (SSO)
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties (for example, between an identity provider and a service provider). SAML is typically used for web browser single sign-on (SSO).
How SAML works
The identity provider (IdP) is used for authentication. When the identity provider has asserted the user identity, the service provider (SP) can give the user access to their services. Because the identity provider has enabled SSO, the user can access several service provider sites and applications without having to log in at each site.
The SAML specification defines three roles:
- Principal: Typically a user
- IdP: The identity provider
- SP: The service provider
The principal requests a service from the SP, which requests and obtains an identity assertion from the IdP. Based on the assertion, the SP decides whether or not to perform the service requested by the principal.
SAML in Qlik NPrinting
Qlik NPrinting supports SAML 2.0 by:
- Implementing a service provider that can integrate with external identity providers
- Supporting HTTP Redirect Binding and HTTP POST Binding for SAML responses
- Supporting SAML properties for access control of resources and data
Limitations
- Qlik NPrinting does not sign the SAML authentication request. This means that identity providers that require the SAML authentication request to be signed are not supported.
- SAML response encryption is not supported, so encrypted messages or attributes are not read by Qlik NPrinting.
- SAML single logout is not supported.
You must enable Windows authentication to use the Qlik NPrinting On-Demand Add-on on QlikView Web server and Qlik Sense.
If you only want to use JWT authentication, then you must install the Qlik NPrinting On-Demand Add-on on a QlikView Server configured on a Microsoft IIS Web Server.
Installing On-Demand Add-on on a Microsoft IIS hosted QlikView AccessPoint
Qlik NPrinting web console and NewsStand configurations
Since the Qlik NPrinting web console and NewsStand have different web addresses, you must set up two different SAML connections to make both work.
Identity provider initiated SSO
With identity provider initiated SSO, the user logs in directly to the identity provider, which performs the SSO authentication.
When the authentication flow starts from the identity provider, the user is redirected to the Qlik NPrinting dashboard for Qlik NPrinting web console, or to the NewsStand home page.
Service provider initiated SSO
With service provider initiated SSO, the user starts at the service provider site. Instead of logging in at the service provider site, SSO authentication is initiated with the identity provider. In this authentication process, Qlik NPrinting plays the role of a service provider. Based on your SAML configuration, the Qlik NPrinting login page displays a button for each of your identity providers. When you click a button, you are redirected to the identity provider site for authentication. If you are already logged in, the identity provider directs you to the Qlik NPrinting dashboard.
Metadata
The service provider (Qlik NPrinting) needs configuration information from an identity provider. This information is available as an identity provider metadata file that can be downloaded and delivered to the service provider for easy configuration. The identity provider metadata is uploaded from the Qlik NPrinting SAML configuration page.
Not all identity providers support downloading metadata files. If download is not supported, the metadata file can be created manually.
Qlik NPrinting provides the identity provider with service provider metadata, which is downloaded from the SAML configuration list page. The metadata includes the following information:
- Assertion consumer service (ACS) URL
- Entity ID
Qlik NPrinting requires the following information in the identity provider metadata:
- Certificate
- Entity ID
- HTTP-Redirect location
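The two lists above and the service provider initiated flow described earlier can be tied together in a short worked example. The following Python script is an added illustration, not Qlik's code: it parses an identity provider metadata file (a constructed sample with placeholder hostnames), checks that the three items Qlik NPrinting requires are present, rejects a file whose IdP demands signed authentication requests (which Qlik NPrinting does not send), and then builds the browser redirect that starts a service provider initiated login over the SAML 2.0 HTTP-Redirect binding. The SP entity ID and ACS URL passed in are assumed values standing in for the ones in the downloaded service provider metadata. It goes one step beyond the page by also decoding the request the way an identity provider would on receipt, so the round trip can be checked locally.

```python
"""Added example (not Qlik's code): parse SAML 2.0 IdP metadata, check what
Qlik NPrinting needs, and build an SP-initiated HTTP-Redirect login URL."""
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET  # for untrusted files prefer defusedxml
import zlib
from datetime import datetime, timezone
from xml.sax.saxutils import escape

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata: placeholder hostnames and certificate.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderCertBase64==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity ID, signing certificate and HTTP-Redirect location.
    Raise ValueError if one is missing or the IdP wants signed requests."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor")
    if idp.get("WantAuthnRequestsSigned", "false").lower() == "true":
        raise ValueError("IdP requires signed AuthnRequests: not supported")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            node = kd.find(".//ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())
                break
    if cert is None:
        raise ValueError("no signing certificate in metadata")
    location = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT_BINDING:
            location = sso.get("Location")
    if not location:
        raise ValueError("no HTTP-Redirect SingleSignOnService")
    return {"entity_id": entity_id, "certificate": cert,
            "redirect_location": location}


def build_sp_initiated_redirect(idp: dict, sp_entity_id: str, acs_url: str,
                                relay_state: str = "") -> str:
    """HTTP-Redirect binding: the unsigned AuthnRequest is raw-DEFLATEd,
    base64-encoded and URL-encoded into the SAMLRequest query parameter."""
    instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{instant}" '
        f'Destination="{escape(idp["redirect_location"])}" '
        f'ProtocolBinding="{POST_BINDING}" '
        f'AssertionConsumerServiceURL="{escape(acs_url)}">'
        f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>'
        '</samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return idp["redirect_location"] + "?" + urllib.parse.urlencode(params)


def decode_saml_request(url: str) -> str:
    """Inverse of the encoding above, as the IdP performs it on receipt."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


if __name__ == "__main__":
    idp_info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(build_sp_initiated_redirect(idp_info, "https://nprinting.example.test/saml/sp",
                                      "https://nprinting.example.test/saml/acs", "/dashboard"))
```

Because Qlik NPrinting requires two separate SAML connections (one for the web console, one for NewsStand), the same check would be run once per identity provider metadata file, with the matching ACS URL and entity ID from each connection's service provider metadata.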