SAML configuration with Okta
The Security Assertion Markup Language (SAML) is a data format for authentication and authorization. SAML enables single sign-on (SSO), to reduce the number of times a user has to log on to access websites and applications.
SAML can be configured for authentication with third-party products. With Okta, authentication is initiated either by the identity provider (IdP) or by the service provider (SP).
Single sign-on initiated by the identity provider
The identity provider authenticates the user. When the identity provider has asserted the user identity, the service provider can give the user access to their services. Because the identity provider has enabled SSO, the user can access several service provider sites and applications without having to log in at each site.
Single sign-on initiated by the service provider
The service provider redirects the user to the identity provider, where the authentication takes place. In the authentication process, Qlik Sense plays the role of a service provider. After a successful authentication, the user can access several service provider sites and applications without additional logins.
Setting up SAML SSO with Okta requires configuration of a virtual proxy in Qlik Sense and also of the identity provider, Okta.
Creating and configuring the virtual proxy
Do the following:
- Open the QMC: https://<QPS server name>/qmc
- In the QMC, open Virtual proxies.
- Click Create new.
- In Properties, to the right, ensure that the sections Identification, Authentication, Load balancing, and Advanced are selected.
- Under Identification, enter okta for Description and Prefix.
- For Session cookie header name, add -okta at the end of the existing name so that it reads X-Qlik-Session-okta.
- For Authentication method, select SAML.
- Select SAML single logout. SAML single logout is a security measure to ensure that all SSO sessions are properly closed.
- For SAML host URI, enter the URL users will use to access Qlik Sense, that is, the name of your server, in the following format: https://myhost.company.com.
- For SAML entity ID, enter okta.
  This is a unique identifier for your Okta configuration.
  Information note: SAML IdP metadata will be added at a later stage.
- For SAML attribute for user ID, enter email.
  This is the user's email address, stored in Okta. You can choose a different standard or custom field within the Okta configuration to act as the user ID.
- For SAML attribute for user directory, enter [okta].
  This is a static attribute that requires brackets.
- For SAML signing algorithm, select SHA-1.
- Under SAML attribute mapping, click Add new attribute.
- Enter groups as SAML attribute and group as Qlik Sense attribute. Clear the selection in Mandatory.
  The name groups is the attribute name in the SAML assertion. The attribute name group is the name Qlik Sense will respond to when using this attribute in security rules.
- Under Load balancing nodes, click Add new server node.
- Select the engine nodes this virtual proxy will load balance connections to.
- Under Advanced, in the Host allow list section, click Add new value.
- Add the host name of the Qlik Sense server, that is, the same server that you entered for SAML host URI.
- Click Apply and then OK to restart the services.
- In the Associated items menu to the right, select Proxies.
- Click Link and link the virtual proxy to the proxy or proxies that will use this configuration.
  The proxy service is restarted.
- Navigate back to the Virtual proxies overview page.
- Select the okta configuration that you created and click Download SP metadata in the action bar.
- Open the metadata that Qlik Sense generated. Check the following:
  - entityID: You need this value to enable Okta to communicate with the Qlik Sense server.
  - SingleLogoutService URL (Location): This is the URL Qlik Sense generates by appending the virtual proxy path to the SAML host URI. Notice that samlauthn and slo have been added to the end. This is the URL Okta will use for SAML single logout with Qlik Sense.
  - AssertionConsumerService URL (Location): This is the URL Qlik Sense generates by appending the virtual proxy path to the SAML host URI. Notice that samlauthn has been added to the end. This is the URL Okta will use to send SAML assertions to Qlik Sense.
  - NameIDFormat: By default, the transient name format is specified in the metadata. SAML configurations do not always require this setting, but to ensure proper operability, make a note of this value and set it to match in the Okta configuration.
- This completes the virtual proxy settings for now. You will return to this page to upload the IdP metadata file, which you retrieve from the identity provider's web page. The next step is to configure Okta.
Configuring Okta
Okta will be the identity provider in your configuration, and before you can begin configuring Okta, you need to register an account. See https://www.okta.com/ for details.
Do the following:
- In Okta, hover over Developer Console in the top menu and select Classic UI.
- In the top menu, select Applications.
- Click Add Application.
- Click Create New App.
- For Platform, select Web.
- For Sign on method, select SAML 2.0.
- Click Create.
  The configuration screen appears.
- Name this app Qlik Sense SAML configuration.
- Optional: Add a logo.
- Click Next.
  The SAML Settings page appears.
- For Single sign on URL, enter the AssertionConsumerService URL from your SP metadata file into the field. Make sure to include the trailing slash after samlauthn, or Qlik Sense will not accept the SAML assertion.
- For Audience URI (SP Entity ID), enter the entityID value from the SP metadata you opened earlier (okta).
- For Name ID format, select Transient.
- Click Show Advanced Settings.
- For Enable Single Logout, select Allow application to initiate Single Logout.
- For Single Logout URL, use the following format: https://<machine_name>/<vp_prefix>/samlauthn/slo/
- For SP issuer, use the SAML entity ID from the virtual proxy (okta).
- Extract the certificate from the service provider metadata file downloaded from the QMC > Virtual proxies. Click Download SP metadata for the related virtual proxy.
- Copy the certificate located between the tags <X509Certificate> and </X509Certificate> in the file.
- Paste it into a new text file, then add -----BEGIN CERTIFICATE----- at the beginning and -----END CERTIFICATE----- at the end of the file.
- Save the file with a .pem or a .crt extension.
- Click Upload Certificate.
- In the ATTRIBUTE STATEMENTS section, for Name, enter email and for Value, select user.email.
- In the GROUP ATTRIBUTE STATEMENTS section, for Name, enter groups and for Filter, select Regex and add the following string: ^[A-Za-z0-9_.]+$
  Information note: You use a regular expression to define a search pattern. Only strings that match the search pattern are found. With the search pattern ^[A-Za-z0-9_.]+$, a group name is found only if it consists solely of the following characters: letters A-Z and a-z, digits 0-9, underscore (_), and period (.). Note that if a name includes a dash (-), it does not match the search pattern and will not be found. For more information, see Wikipedia: Regular expressions.
- Click Next.
  A feedback section is opened.
- For the question Are you a customer or partner? select I'm an Okta customer adding an internal app.
- Optional: Select This is an internal app that we have created.
- Click Finish.
  The Sign On page is displayed. From this page you can download the IdP metadata.
- Scroll down and click the link Identity Provider metadata. Qlik Sense requires that the metadata file has an xml extension, so make sure to save the file as metadata.xml.
- Scroll up and select People in the top menu.
- You must assign users to the app, so that they can use the connection that you have created. Click Assign to People and add users. (Users must have an Okta account.)
This completes the Okta configuration. A final step is needed before you can test the connection: uploading the IdP metadata to the virtual proxy.
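As an added example (not part of the Qlik or Okta documentation), the following Python script automates the checks this procedure asks you to make by hand: it reads the SP metadata downloaded from the QMC, extracts the entityID, AssertionConsumerService and SingleLogoutService locations and the NameIDFormat that you carry over into the Okta SAML settings, verifies the trailing slash after samlauthn and the Transient name ID requirement, wraps the X509Certificate text as a PEM file for Upload Certificate, and applies the group regex filter. The metadata is a constructed sample with a placeholder certificate string, and all function names are assumptions of this example.

```python
import re
import textwrap
import xml.etree.ElementTree as ET

# Constructed sample shaped like the QMC SP metadata; the certificate text is a placeholder.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="okta">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBszCCAV2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAPLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://myhost.company.com/okta/samlauthn/slo/"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myhost.company.com/okta/samlauthn/" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
GROUP_FILTER = re.compile(r"^[A-Za-z0-9_.]+$")  # the Okta group filter from the steps above

def parse_sp_metadata(xml_text):
    """Pull out the values the Okta SAML Settings page asks for."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {
        "entityID": root.get("entityID"),
        "acs": sp.find("md:AssertionConsumerService", NS).get("Location"),
        "slo": sp.find("md:SingleLogoutService", NS).get("Location"),
        "nameIDFormat": sp.findtext("md:NameIDFormat", namespaces=NS),
        "cert_b64": sp.find(".//ds:X509Certificate", NS).text.strip(),
    }

def check_okta_values(info):
    """Return the mistakes that make Qlik Sense reject the assertion or the logout."""
    problems = []
    if not info["acs"].endswith("/samlauthn/"):
        problems.append("Single sign on URL must keep the trailing slash after samlauthn")
    if not info["slo"].endswith("/samlauthn/slo/"):
        problems.append("Single Logout URL must be https://<machine_name>/<vp_prefix>/samlauthn/slo/")
    if not info["nameIDFormat"].endswith(":transient"):
        problems.append("Name ID format in Okta should be Transient to match the SP metadata")
    return problems

def to_pem(cert_b64):
    """Wrap the bare X509Certificate text as a .pem/.crt file for Upload Certificate."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))  # PEM bodies use 64-character lines
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def groups_passing_filter(names):
    return [n for n in names if GROUP_FILTER.match(n)]  # a name with a dash is dropped
```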
Uploading the IdP metadata file
Do the following:
- Navigate back to the QMC and open the okta virtual proxy for editing.
- Under Authentication, SAML IdP metadata, click Choose File.
- Select the metadata file downloaded from Okta.
- Click View content to review the metadata.
- Click Apply.
- Click OK to accept the changes to the virtual proxy.
- Click Refresh QMC.
You are now set to test the configuration.
Testing the Okta SAML configuration
As mentioned earlier, you can either initiate single sign-on (SSO) through a service provider or an identity provider.
Single sign-on initiated by the service provider
Do the following:
- Open a new browser window and navigate to the Qlik Sense server URL, including the virtual proxy path. Example: https://myhost.company.com/okta/
  The browser is redirected to Okta to authenticate the login request.
- Type your user credentials.
  Okta redirects you back to the Qlik Sense hub.
Single sign-on initiated by the identity provider
- Open a browser and navigate to www.okta.com.
- Log in with your user credentials.
- In the menu at the top, click My Applications.
  The available applications are displayed.
- Click the Qlik Sense SAML application.
  The Qlik Sense hub is opened in a new tab.