SAML configuration with AD FS

The Security Assertion Markup Language (SAML) is a data format for authentication and authorization. SAML enables single sign-on (SSO), to reduce the number of times a user has to log on to access websites and applications.

SAML can be configured for authentication with third-party products. With Active Directory Federation Services (AD FS), authentication is initiated by the service provider (SP).

Single sign-on initiated by the service provider

The service provider redirects the user to the identity provider, where the authentication takes place. In the authentication process, Qlik Sense plays the role of a service provider. After a successful authentication, the user can access several service provider sites and applications without additional logins.

Setting up SAML SSO with AD FS requires configuration of a virtual proxy in Qlik Sense and also of the identity provider, AD FS. We assume that you have already installed AD FS. This topic does not cover how to install AD FS.

Tip: The following video presents how to install AD FS on a Windows server: Qlik Sense SAML: ADFS Integration Part One of Three.

Creating and configuring the virtual proxy

Do the following:

  1. In the Qlik Management Console (QMC), open Virtual proxies.

  2. Click Create new.

  3. In Properties, to the right, ensure that the sections Identification, Authentication, Load balancing, and Advanced are selected.

  4. Under Identification, enter adfs for Description and Prefix.

  5. For Session cookie header name, add -adfs at the end of the existing name so that it reads X-Qlik-Session-adfs.

  6. For Authentication method, select SAML.

  7. Select SAML single logout. SAML single logout is a security measure to ensure that all SSO sessions are properly closed.

  8. For SAML host URI, enter the URL users will use to access Qlik Sense, that is, the name of your server, in the following format: https://myhost.company.com.

  9. For SAML entity ID, enter adfs.

    This is a unique identifier for your AD FS configuration.

  10. Download the IdP metadata from your AD FS server: https://<adfs_server>/FederationMetadata/2007-06/FederationMetadata.xml

  11. Under Authentication, SAML IdP metadata, click Choose File.

  12. Select the metadata file downloaded from AD FS.

  13. Click View content to review the metadata.

  14. For SAML attribute for user ID, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn.

    This is the schema definition of the user principal name (UPN). This definition is available in AD FS manager, under Service > Claim Descriptions.

  15. For SAML attribute for user directory, enter [adfs].

    This is a static attribute that requires brackets.

  16. For SAML signing algorithm, select SHA-1.

    This is the hash algorithm used with the signing certificate that the Qlik Sense server adds to the SP metadata.

  17. Under SAML attribute mapping, click Add new attribute.

  18. Enter http://schemas.xmlsoap.org/claims/Group as SAML attribute and Group as Qlik Sense attribute. Clear the selection in Mandatory. If you keep the selection, and the attribute is missing from the SAML response, Qlik Sense will reject the authentication request. The SAML attribute description is available in AD FS manager, under Service > Claim Descriptions.

  19. Under Load balancing nodes, click Add new server node.

  20. Select the engine nodes this virtual proxy will load balance connections to.

  21. Under Advanced, in the Host white list section, click Add new value.

  22. Add the host name of the Qlik Sense server, that is, the same server that you entered for SAML host URI.

  23. Click Apply and then OK to restart the services.

  24. In the Associated items menu to the right, select Proxies.

  25. Click Link and link the virtual proxy to the proxy or proxies that will use this configuration.

    The proxy service is restarted.

  26. Navigate back to the Virtual proxies overview page.

  27. Select the adfs configuration that you created and click Download SP metadata in the action bar.

    You will need this metadata file when you configure the AD FS.

  28. Open the metadata that Qlik Sense generated. Check the following:

    • entityID: You need this value to enable AD FS to communicate with the Qlik Sense server.

    • AssertionConsumerService URL (Location): This is the URL Qlik Sense generates when you enter the SAML host URI and add the virtual proxy path to the end. Notice that samlauthn has been added to the end. This is the URL AD FS will use to communicate SAML assertions to Qlik Sense.

    • NameIDFormat: By default, the transient name format is specified in the metadata. It is not always required to be set this way in SAML configurations, but to ensure proper operability, you should make note of this value and set it appropriately in the configuration.
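The three checks in step 28 can be scripted instead of read off by eye. The following PowerShell script is an added example, not part of the Qlik Sense documentation: it parses the SP metadata file downloaded in step 27, prints entityID, the AssertionConsumerService Location and NameIDFormat, and then verifies that they agree with the values entered in the virtual proxy (SAML host URI, prefix, SAML entity ID). The metadata path and the default parameter values are assumptions; pass your own.

```powershell
# Added example (not Qlik's code): inspect the SP metadata from step 27 and
# check the values step 28 asks for. Defaults below are assumed sample values.
param(
    [string]$MetadataPath = ".\sp-metadata.xml",           # assumed download location
    [string]$SamlHostUri  = "https://myhost.company.com",  # SAML host URI entered in step 8
    [string]$Prefix       = "adfs",                        # virtual proxy prefix from step 4
    [string]$EntityId     = "adfs"                         # SAML entity ID entered in step 9
)

[xml]$doc = Get-Content -Path $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")

$entity = $doc.SelectSingleNode("/md:EntityDescriptor", $ns)
$sp     = $entity.SelectSingleNode("md:SPSSODescriptor", $ns)
if (-not $sp) { throw "No SPSSODescriptor found; this file is not SP metadata." }

$spEntityId = $entity.GetAttribute("entityID")
$acs        = @($sp.SelectNodes("md:AssertionConsumerService", $ns))
$nameIds    = @($sp.SelectNodes("md:NameIDFormat", $ns) | ForEach-Object { $_.InnerText })

# Report the three values from step 28.
"entityID     : $spEntityId"
foreach ($a in $acs) {
    "ACS Location : $($a.GetAttribute('Location'))  (Binding: $($a.GetAttribute('Binding')))"
}
"NameIDFormat : $($nameIds -join ', ')"

$problems = @()

# entityID must be the SAML entity ID AD FS will be told to trust.
if ($spEntityId -ne $EntityId) {
    $problems += "entityID '$spEntityId' differs from the SAML entity ID '$EntityId'."
}

# The ACS location is the SAML host URI plus the virtual proxy path plus samlauthn.
$expected = "$($SamlHostUri.TrimEnd('/'))/$Prefix/samlauthn"
$match = $acs | Where-Object { $_.GetAttribute('Location').TrimEnd('/') -ieq $expected }
if (-not $match) {
    $problems += "No AssertionConsumerService Location equals '$expected'; check SAML host URI and prefix."
}

# Every ACS host must be the SAML host URI host, which is what step 22 white-lists.
foreach ($a in $acs) {
    $host = ([uri]$a.GetAttribute('Location')).Host
    if ($host -ine ([uri]$SamlHostUri).Host) {
        $problems += "ACS host '$host' is not the SAML host URI host; it must be on the host white list."
    }
}

# Qlik Sense emits the transient NameIDFormat by default; AD FS must issue a matching Name ID.
if (-not ($nameIds -match 'transient')) {
    $problems += "NameIDFormat is not transient ($($nameIds -join ', ')); note it for the AD FS claim rules."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { "SP metadata checks passed." }
```

Run it from the folder where the SP metadata was saved, for example `.\Check-SpMetadata.ps1 -SamlHostUri https://myhost.company.com -Prefix adfs`; any mismatch is reported as a warning before the file is imported into AD FS.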

This completes the virtual proxy settings. The next step is to configure AD FS.

Configuring AD FS

This topic describes how you configure AD FS, but not how to install AD FS. AD FS will be the identity provider in your configuration, and before you can begin configuring, you need access to AD FS.

Note: Because this configuration involves a third-party product, we cannot guarantee that the configuration is exactly as described here. Changes may occur in the third-party product, without our knowledge.

Do the following:

  1. In AD FS, open the Server Manager.

  2. In the menu to the right, select Tools > AD FS Management.

  3. Click the Trust Relationships folder to the left.

    A wizard is opened.

  4. To the right, under Actions, select Add Relying Party Trust.

  5. Click Start.

  6. Select the option Import data about the relying party from a file, navigate to the SP metadata file that you downloaded after configuring the virtual proxy, and click Next.

  7. Type a display name for the relying party and click Next.

  8. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time and click Next.

  9. Select Permit all users access to this relying party and click Next.

  10. In the Ready to Add Trust window, click Next.

  11. Click Close.

    The Edit Claim Rules for <display name> dialog is opened.

  12. Click Add Rule.

    A rule template page window is opened.

  13. Click Next.

    The rule configuration window is opened.

  14. Type a claim rule name and select Active Directory in Attribute store.

  15. In the LDAP Attribute list, select User-Principal-Name, and for the Outgoing Claim Type, select UPN.

  16. On the second row of the LDAP Attribute list, select User-Principal-Name again and for the Outgoing Claim Type, select Name ID.

  17. On the third row of the LDAP Attribute list, select Token-Groups - Unqualified Names and for the Outgoing Claim Type, select Group.

  18. Click Finish.

  19. Click Apply and OK.

  20. Double-click your new relying party trust and open the Advanced tab.

  21. Change the Secure hash algorithm to SHA-1.

  22. Click Apply and OK.

PowerShell settings for the certificates

Because the certificates are self-signed, you must turn off the revocation checks for the signing certificate and the encryption certificate. You do this in Windows PowerShell.

Do the following:

  1. Open PowerShell.

  2. Enter the following string:

    Set-AdfsRelyingPartyTrust -TargetName "<your target name>" -SigningCertificateRevocationCheck "none"

  3. On a new line, enter the following string:

    Set-AdfsRelyingPartyTrust -TargetName "<your target name>" -EncryptionCertificateRevocationCheck "none"

  4. Press Enter.
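The AD FS Management steps above (relying party trust, claim rules, hash algorithm) and the revocation-check settings from this section can also be applied in one PowerShell session on the AD FS server. The script below is an added example, not part of the Qlik Sense documentation or of Microsoft's own samples: it uses the AD FS cmdlets to import the SP metadata, create the same three LDAP claim mappings as steps 14 to 17 in claim rule language, permit all users, set the hash algorithm to SHA-1 as the page's steps specify, disable both revocation checks, and read the trust back so you can confirm the result. The display name and metadata path are assumptions.

```powershell
# Added example (not Qlik's or Microsoft's code): configure the relying party
# trust for Qlik Sense from PowerShell on the AD FS server. Run in an elevated
# session. Display name and metadata path below are assumed values.
param(
    [string]$DisplayName  = "Qlik Sense (adfs)",        # step 7, assumed display name
    [string]$MetadataFile = "C:\temp\sp-metadata.xml"   # SP metadata from the QMC, assumed path
)

Import-Module ADFS

# Steps 14-17 as one "Send LDAP Attributes as Claims" rule:
#   User-Principal-Name           -> UPN
#   User-Principal-Name           -> Name ID
#   Token-Groups - Unqualified Names -> Group
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Qlik Sense claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,userPrincipalName,tokenGroups;{0}", param = c.Value);
'@

# Step 9: permit all users access to this relying party.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 6-11 (import the SP metadata), steps 20-21 (SHA-1 hash algorithm, as the
# page specifies) and the two revocation-check settings for self-signed
# certificates. AD FS also accepts
# "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; if you use it, select
# SHA-256 for the virtual proxy's SAML signing algorithm as well.
Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -MetadataFile $MetadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None

# Read the trust back and show the settings Qlik Sense depends on.
$trust = Get-AdfsRelyingPartyTrust -Name $DisplayName
[pscustomobject]@{
    Identifier          = ($trust.Identifier -join ', ')      # should equal the SP metadata entityID
    SamlEndpoints       = (($trust.SamlEndpoints | ForEach-Object { $_.Location }) -join ', ')
    SignatureAlgorithm  = $trust.SignatureAlgorithm
    SigningCertRevCheck = $trust.SigningCertificateRevocationCheck
    EncryptCertRevCheck = $trust.EncryptionCertificateRevocationCheck
    ClaimRules          = $trust.IssuanceTransformRules
}
```

If the trust already exists, the same revocation-check and hash-algorithm parameters are accepted by `Set-AdfsRelyingPartyTrust -TargetName "<your target name>"`, which is the form used in the two commands above. The read-back at the end is the quick check to run before the browser test: the SamlEndpoints value should be the AssertionConsumerService Location from the SP metadata, and both revocation checks should read None.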

This completes the AD FS configuration. You are now set to test the configuration.

Testing the AD FS SAML configuration

You initiate single sign-on (SSO) through the service provider.

Single sign-on initiated by the service provider

Do the following:

  1. Open a new browser window and navigate to the Qlik Sense server URL, including the virtual proxy path. Example: https://myhost.company.com/adfs/

    The browser is redirected to AD FS to authenticate the login request.

  2. Type your user credentials.

    AD FS redirects you back to the Qlik Sense hub.
