Skip to main content Skip to complementary content

SAML authentication

The Security Assertion Markup Language (SAML) is a data format for authentication and authorization. One of the key benefits of SAML is that it enables single sign-on (SSO), and thereby minimizes the number of times a user has to log on to cloud applications and websites.

Three entities are involved in the authentication process:

  • the user
  • the identity provider (IdP)
  • the service provider (SP)

The identity provider authenticates the user. When the identity provider has asserted the user identity, the service provider can give the user access to their services. Because the identity provider has enabled SSO, the user can access several service provider sites and applications without having to log in at each site.

Identity provider initiated SSO

With identity provider initiated SSO, the user logs in directly to the identity provider, which performs the SSO authentication.

We recommend that you always set RelayState to https://<machine_name>/<vp_prefix>/hub, because if RelayState is empty, some identity providers will send a get request instead of a post request, which will cause a failure.

Information noteIf RelayState is empty, misspelled, or not part of the host allowlist, the user will automatically be redirected to the hub.
Information noteFor the IdP initiated SSO to work the assertions must be signed.

Service provider initiated SSO

With service provider initiated SSO, the user starts at the service provider site, but instead of logging in at the SP site, SSO authentication is initiated with the identity provider. In the authentication process, Qlik Sense plays the role of a service provider. When a user logs in to Qlik Sense, the login is transferred to the identity provider that handles the actual SSO authentication.


The service provider (Qlik Sense) needs configuration information from an identity provider. This information is available as an IdP metadata file that users can download and deliver to the service provider for easy configuration. The IdP metadata is uploaded from the QMC.

Information noteNot all IdPs support download of metadata files. If download is not supported, the metadata file can be created manually.

Qlik Sense as a service provider is to provide the identity provider with SP metadata, which is downloaded from the QMC. The metadata includes the following information:

  • Assertion consumer service (ACS) URL
  • Entity ID
  • Security certificate
Information noteIf the virtual proxy is set up with a metadata file that does not include certificates, the IdP initiated workflow will not work.


Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!