SAML configuration with OneLogin

The Security Assertion Markup Language (SAML) is a data format for authentication and authorization. SAML enables single sign-on (SSO), which reduces the number of times a user has to log in to access websites and applications.

SAML can be configured for authentication with third-party products. With OneLogin, authentication is initiated either by the identity provider (IdP) or by the service provider (SP).

Single sign-on initiated by the identity provider

The identity provider authenticates the user. When the identity provider has asserted the user identity, the service provider can give the user access to their services. Because the identity provider has enabled SSO, the user can access several service provider sites and applications without having to log in at each site.

Single sign-on initiated by the service provider

The service provider redirects the user to the identity provider, where the authentication takes place. In the authentication process, Qlik Sense plays the role of a service provider. After a successful authentication, the user can access several service provider sites and applications without additional logins.

Setting up SAML SSO with OneLogin requires configuration of a virtual proxy in Qlik Sense and also of the identity provider, OneLogin.

Creating and configuring the virtual proxy

Do the following:

  1. In the Qlik Management Console (QMC), open Virtual proxies.

  2. Click Create new.

  3. In Properties, to the right, ensure that the sections Identification, Authentication, Load balancing, and Advanced are selected.

  4. Under Identification, enter onelogin for Description and Prefix.

  5. For Session cookie header name, add -onelogin at the end of the existing name so that it reads X-Qlik-Session-onelogin.

  6. For Authentication method, select SAML.

  7. Select SAML single logout. SAML single logout is a way to make sure that all SSO sessions are properly closed.

  8. For SAML host URI, enter the URL users will use to access Qlik Sense, that is, the name of your server, in the following format: https://myhost.company.com.

  9. For SAML entity ID, enter onelogin.

    This is a unique identifier for your OneLogin configuration.

    Note: SAML IdP metadata will be added at a later stage.

  10. For SAML attribute for user ID, enter userid.

    This is the user's email address, stored in OneLogin. You can choose a different standard or custom field within the OneLogin configuration to act as the user ID.

  11. For SAML attribute for user directory, enter [onelogin].

    This is a static attribute that requires brackets.

  12. For SAML signing algorithm, select SHA-1.

  13. Under SAML attribute mapping, click Add new attribute.

  14. Enter Email as SAML attribute and email as Qlik Sense attribute. Clear the selection in Mandatory. (If a mandatory attribute is missing from the SAML response, Qlik Sense will reject the authentication request.)

  15. Click Add new attribute again, to add another attribute.

  16. Enter userid as SAML attribute and name as Qlik Sense attribute. Clear the selection in Mandatory.

  17. Under Load balancing nodes, click Add new server node.

  18. Select the engine nodes this virtual proxy will load balance connections to.

  19. Under Advanced, in the Host white list section, click Add new value.

  20. Add the host name of the Qlik Sense server, that is, the same server that you entered for SAML host URI.

  21. Click Apply and then OK to restart the services.

  22. In the Associated items menu to the right, select Proxies.

  23. Click Link and link the virtual proxy to the proxy or proxies that will use this configuration.

    The proxy service is restarted.

  24. Navigate back to the Virtual proxies overview page.

  25. Select the onelogin configuration that you created and click Download SP metadata in the action bar.

  26. Open the metadata that Qlik Sense generated. Check the following:

    • entityID: You need this value to enable OneLogin to communicate with the Qlik Sense server.
    • AssertionConsumerService URL (Location): This is the URL Qlik Sense generates by taking the SAML host URI and appending the virtual proxy path. Notice that samlauthn has been added to the end. This is the URL OneLogin will use to post SAML assertions to Qlik Sense.

This completes the virtual proxy settings for now. You will return to this page to upload the IdP metadata file, which you retrieve from the identity provider's web page. The next step is to configure OneLogin.
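The values that step 26 tells you to read from the SP metadata are exactly the ones you will type into OneLogin later. The script below is an added example, not Qlik's or OneLogin's code: it parses a constructed SP metadata document (shaped like the QMC download, with the host name and prefix used on this page) and derives the Audience, ACS and Single Logout URL fields, refusing an ACS URL that lacks the trailing slash after samlauthn.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata, shaped like the file the QMC "Download SP metadata" action produces.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="onelogin">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myhost.company.com/onelogin/samlauthn/" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_url_is_valid(url: str) -> bool:
    """Qlik Sense only accepts assertions posted to .../samlauthn/ (trailing slash required)."""
    return url.startswith("https://") and url.endswith("/samlauthn/")


def onelogin_settings(metadata_xml: str) -> dict:
    """Map the SP metadata onto the fields of the OneLogin Configuration tab."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if entity_id is None or acs is None:
        raise ValueError("not SP metadata: entityID or AssertionConsumerService missing")
    acs_url = acs.get("Location", "")
    if not acs_url_is_valid(acs_url):
        raise ValueError(f"ACS URL must end with /samlauthn/: {acs_url!r}")
    return {
        "Audience": entity_id,                      # the virtual proxy's SAML entity ID
        "Recipient": acs_url,                       # all three ACS fields take the same URL
        "ACS (Consumer) URL Validator": acs_url,    # OneLogin treats this as a regex; the literal URL matches
        "ACS (Consumer) URL": acs_url,
        "Single Logout URL": acs_url + "slo/",      # https://<host>/<vp_prefix>/samlauthn/slo/
    }
```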

Configuring OneLogin

OneLogin will be the identity provider in your configuration, and before you can begin configuring OneLogin, you need to register an account. See https://www.onelogin.com/ for details.

Note: Because this configuration involves a third-party product, we cannot guarantee that the configuration is exactly as described here. Changes may occur in the third-party product, without our knowledge.

Do the following:

  1. In the OneLogin top menu, select Apps.

  2. Click Add App.

  3. In the search box, type SAML.

    A list of SAML templates appears.

  4. Select SAML Test Connector (IdP).

  5. Change Display Name to Qlik Sense SAML configuration.

  6. Click SAVE.

  7. Click the tab Configuration.

  8. For Audience, enter the entity ID from the SAML virtual proxy: onelogin.

  9. For Recipient, ACS (Consumer) URL Validator, and ACS (Consumer) URL, enter the AssertionConsumerService URL from your SP metadata file in each field. Make sure to include the trailing slash after samlauthn, or Qlik Sense will not accept the SAML assertion.

  10. For Single Logout URL, use the following format: https://<myhost.company.com>/<vp_prefix>/samlauthn/slo/

  11. Click the tab Parameters.

  12. By default, OneLogin supplies the NameID (fka Email) attribute.

    This is one of the two attributes that you added in the virtual proxy setup.

  13. Click Add parameter to add the second attribute from the virtual proxy setup.

    A New Field window is opened.

  14. For Field name, type userid.

  15. Select Include in SAML assertion and click SAVE.

  16. Click the userid attribute.

    An Edit Field Userid window is opened.

  17. In the Value list, select Email name part and click SAVE.

  18. Click SAVE up to the right.

  19. In the top menu, click USERS, and select All Users.

  20. Click the user for whom you will add the app.

  21. Click the Applications tab, and click the + sign, next to Applications.

  22. In the Assign New Login to <user> window, select the Qlik Sense SAML configuration that you created earlier and click CONTINUE.

  23. In the window Edit Qlik Sense SAML Configuration Login for <user>, click CANCEL.

  24. In the top menu, click APPS and select Company Apps.

  25. Click the Qlik Sense SAML Configuration app.

  26. From the MORE ACTIONS list, select SAML Metadata.

This completes the OneLogin configuration. A final step is needed before you can test the connection: uploading the IdP metadata to the virtual proxy.

Uploading the IdP metadata file

Do the following:

  1. Navigate back to the QMC and open the onelogin virtual proxy for editing.

  2. Under Authentication, SAML IdP metadata, click Choose File.

  3. Select the metadata file downloaded from OneLogin.

  4. Click View content to review the metadata.

  5. Click Apply.

  6. Click OK to accept the changes to the virtual proxy.

  7. Click Refresh QMC.

You are now set to test the configuration.

Testing the OneLogin SAML configuration

As mentioned earlier, you can either initiate single sign-on (SSO) through a service provider or an identity provider.

Single sign-on initiated by the service provider

Do the following:

  1. Open a new browser window and navigate to the Qlik Sense server URL, including the virtual proxy path. Example: https://myhost.company.com/onelogin/

    The browser is redirected to OneLogin to authenticate the login request.

  2. Type your user credentials.

    OneLogin redirects you back to the Qlik Sense hub.

Single sign-on initiated by the identity provider

  1. Open a browser and navigate to www.onelogin.com.

  2. Log in with your user credentials.

  3. In the menu at the top, click My Applications.

    The available applications are displayed.

  4. Click the Qlik Sense SAML application.

    The Qlik Sense hub is opened in a new tab.

Note: We recommend that you always set RelayState to https://<machine_name>/<vp_prefix>/hub, because if RelayState is empty, some identity providers send a GET request instead of a POST request, which causes a failure. If RelayState is empty, misspelled, or not part of the host white list, the user is automatically redirected to the hub.

Note: For IdP-initiated SSO to work, the assertions must be signed.
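To see what the virtual proxy settings from steps 9 to 16 (entity ID onelogin, user ID attribute userid, static user directory [onelogin], the Email and userid mappings) and the signing note above mean for an actual login, here is an added example that is not Qlik's or OneLogin's code. It applies those settings to a constructed SAML response: an unsigned assertion or a wrong Audience is rejected, a missing mandatory attribute rejects the request, and the user identity Qlik Sense would derive is returned. The Signature element is only checked for presence, not cryptographically verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Virtual proxy settings as entered in the QMC on this page.
ENTITY_ID = "onelogin"
USER_ID_ATTR = "userid"
USER_DIRECTORY = "[onelogin]"   # static value; the brackets mark it as a literal
# (SAML attribute, Qlik Sense attribute, mandatory)
ATTRIBUTE_MAPPING = [("Email", "email", False), ("userid", "name", False)]

# Constructed response; the empty Signature element stands in for a real one.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><ds:Signature/>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>onelogin</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@company.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="userid"><saml:AttributeValue>jane.doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def evaluate_response(xml_text: str, mapping=ATTRIBUTE_MAPPING) -> dict:
    """Return the user identity the virtual proxy would derive, or raise ValueError."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    # IdP-initiated SSO requires a signed assertion (signature value not verified here).
    if assertion.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not signed")
    # Audience must equal the SAML entity ID entered in the virtual proxy.
    if assertion.findtext(".//saml:Audience", namespaces=NS) != ENTITY_ID:
        raise ValueError("audience does not match entity ID")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.iterfind(".//saml:Attribute", NS)}
    if USER_ID_ATTR not in attrs:
        raise ValueError("user ID attribute missing")
    user = {"userId": attrs[USER_ID_ATTR], "userDirectory": USER_DIRECTORY.strip("[]")}
    for saml_name, qlik_name, mandatory in mapping:
        if saml_name in attrs:
            user[qlik_name] = attrs[saml_name]
        elif mandatory:  # a missing mandatory attribute rejects the whole request
            raise ValueError(f"mandatory attribute {saml_name!r} missing")
    return user
```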
