Published by Jonathan Elling Larsen. Modified over 6 years ago.
1
Troubleshooting SAML Integrations in Qlik Sense Enterprise
Adam Sawyer Technical Software Support Engineer May 2019
2
Today’s Presenter(s) Adam Sawyer Technical Software Support Engineer
Qlik Sense Infrastructure and Integrations Started Sept. 2017
3
Intended for Beginner - Intermediate Users
4
Agenda
Scope of Support Issues
Authentication and Authorization in Qlik Sense
Basics of SAML authentication
Support - Needed information
Real World Test Case
5
Why this presentation?
6
Closed Integrations Cases in 2018 Summarized
7
Closed Integrations Cases in 2018 by Root Cause
8
Authentication Matters!
~50% of Integrations tickets handled by Qlik Support worldwide, with the vast majority being issues outside of the product that could be avoided or overcome. When authentication breaks, everyone notices.
9
When you say Authentication…?
Anyone who doesn’t know what they’re doing here
10
Authentication v. Authorization
Authentication: Confirmation by the product that a client end user is who they say they are.
Authorization: Confirmation that a client end user has permission to view a resource.
11
Authentication v. Authorization
In Qlik Sense, authentication and authorization are two distinct, unconnected actions. Sources for authentication do not have to be the same as for authorization and vice versa. Qlik Sense does not have its own authentication. Qlik Sense always asks an external system to verify who the user is and if the user can prove it.
12
Simplified Workflow
[Diagram: External System and User Source. Example user: Lucius Fox, Windows ID: WAYNE\FOX, Groups: Applied Sciences]
13
Examples of Types of Authentication
Default Authentication Module (Windows): Comes with Qlik Sense when a proxy is created. Can support Kerberos and NTLM.
Session: Passes an authenticated user via a registered session token in a session cookie. Uses Qlik Sense session API.
Header: Injected header is supplied by client-facing device/service. Notice: QPS should NOT be accessible using this model.
14
Examples of Types of Authentication
JSON Web Token (JWT): Open standard for secure transmission of information between two parties. Both Authentication and Authorization.
Anonymous: If allowed, passes an unauthenticated user to Qlik Sense without redirection to an Authentication module, with the user having the option to login later.
15
Single Sign-On (SSO) v. Authentication
SSO != Authentication. This distinction reveals what someone wants from a particular Business Goal versus the technology used to accomplish authentication. SSO is a concept and can be an attribute of a particular authentication method, including SAML. PEDANTIC ALERT!
16
With that out of the way…
Everyone who came to this for SAML
17
Security Assertion Markup Language (SAML)
XML based web standard which uses tokens to pass assertions between an end user client, a SAML provider, and a SAML consumer over various protocols.
Originally codified in early 2000’s.
SAML 2.0 Mar
Qlik Supports SAML 2.0
18
SAML Unique Terms
Principal: Something or someone being authenticated. In web applications, a user at a browser.
Identity Provider (IDP): System that creates, maintains, and provides authentication assertions in conjunction with an SSO profile of SAML.
Service Provider: System that receives and accepts authentication assertions in conjunction with the profile of a principal.
19
Example Qlik SAML Setup
[Diagram, with step numbers as labelled on the slide]
1. Brucew => QLIK.JLA.COM/SAML/HUB
2 & 3. QPS redirects User to IDP based on information in the virtual proxy SAML
3 & 4. User login successful against IDP
4. XHTML SENT with Configured SP information
5, 6, & 7. IDP SAML Response with Requested resources are evaluated against virtual proxy
8. Requested resources provided or not
20
Detailed Generic SAML – Web Browser
21
Assertions
The SAML assertions provide what the IDP is communicating back to the SP. Generic form information for each request as the user is being handed back to the SP. Can be captured with SAML Tracer or HAR File.
Elements: Issuer, Signature, Subject, Conditions, AuthnStatement
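An added example (not part of the original slides or of Qlik's tooling) that decodes a captured SAMLResponse and pulls out the assertion elements listed on this slide, plus the signature algorithm for the SHA-1 versus SHA-256 check. The sample response, host names and user are constructed; it assumes the base64 form value has already been URL-decoded from the HAR entry and that the assertion is not encrypted.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (not from a real IdP); hosts and user are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://qlik.example.com/saml/authn/">
 <saml:Assertion>
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>fox@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2019-05-01T10:00:00Z" NotOnOrAfter="2019-05-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>qlik-sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2019-05-01T10:00:00Z"/>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def summarize_response(saml_response_b64):
    """Decode a POST-binding SAMLResponse and return the fields the slide lists.
    Diagnostic only: the signature is reported, not verified."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no plaintext Assertion (encrypted or error response)")
    def get(path, attr=None):
        el = a.find(path, NS)
        if el is None:
            return None
        return el.get(attr) if attr else (el.text or "").strip()

    return {
        "Destination": root.get("Destination"),
        "Issuer": get("saml:Issuer"),
        "SignatureMethod": get("ds:Signature/ds:SignedInfo/ds:SignatureMethod", "Algorithm"),
        "Subject": get("saml:Subject/saml:NameID"),
        "NotBefore": get("saml:Conditions", "NotBefore"),
        "NotOnOrAfter": get("saml:Conditions", "NotOnOrAfter"),
        "Audience": get("saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "AuthnInstant": get("saml:AuthnStatement", "AuthnInstant"),
    }
```

Comparing this summary with the virtual proxy screenshot shows at a glance whether the issuer, audience, destination and signature algorithm are the ones the proxy expects.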
22
Virtual Proxies Basics
Contains settings for Authentication, Session handling, and load balancing.
A configuration that is linked to Qlik Proxy Service on a particular Qlik Sense Node.
Multiple Configurations can be set on the same Proxy.
23
You went to Qonnections, so you can setup our SSO, right?!
Your Boss, probably
24
Guidance for New Setups
Plan with Pictures and Diagrams: Have a diagram with how your Auth works. Have photos and copies of settings on the system. Help yourself down the line; you can quickly look for failures from the expected state.
Do your homework: If you are a Qlik Admin, ask a lot of questions of your team or provider. Create development environments with user source and test.
Have a Way back into the QMC: If you use Default Virtual Proxies, create a way back in through a non-default Windows virtual proxy.
25
Usual Suspects Pick a known vendor unless you can’t
Use of logos for complementary technologies does not represent an endorsement of any kind.
26
Helpful Resources
Qlik Sense: Information needed to Troubleshoot SAML SSO related issues:
How To Use SAML Authentication With Qlik Sense:
Quick Guide to installing ADFS for testing SAML:
Cryptographic Errors:
27
Oh no! No one can login! What did you do, you monster!?
An end user, definitely
29
Required Information: The Essentials
From the User: User, Time/Date, Error encountered; SAML trace logs and/or HAR file
From the QMC: Screenshot of Virtual Proxy settings; SAML IDP Metadata and/or IDP Logs
From the Server: Qlik Sense Logs – Qlik Proxy Logs
30
Required Information: Why do you need that
At the end of the day, it's about tracing the user through this workflow in your environment for your business goals. There is always more to know about SAML, Security, and Authentication/Authorization. Very few will take the time to experiment, test what works still, but that is always trading time now for time later.
31
Required Information: Why do you need that
HAR Files, Audit Proxy Logs: Confirms the user got to Qlik Sense Proxy Service. Confirms IDP redirected user came back.
SAML Tracer Files: Confirms what requests were redirected to IDP.
*Fiddler/Network Device: Did it get to the IDP
*not usually a thing but always good to know
32
Required Information: Why do you need that
IDP Logs: Did it get there, with what, and what got sent back.
Virtual Proxy Screenshots: Expected IDP; Expected Attributes; Security (SHA 1 v. SHA 256); Whitelist
33
Tools for the Job
HAR Files – Chrome/Firefox Dev Tools
Fiddler
Qlik Sense Log Collector
Virtual Proxy Screenshot
SAML Tracer
34
True Story
35
Case Study
Sizeable Telecom Customer
1 week before project end and big internal release
They upgraded Qlik Sense and…
37
Case Study
Awesome SysAdmin provided:
User, Time/Date, Error encountered
HAR file showing user go to Qlik Sense and was redirected.
SAML trace logs showing a valid request to the correct IDP.
Screenshot of Virtual Proxy settings which were correct and consistent with other environments.
Qlik Sense Logs – Qlik Proxy Logs which show that the user was redirected.
38
Case Study: IDP Team on the other hand
Non-Standard IDP
Refused to meet claiming the issue was Qlik Sense.
Refused to provide IDP metadata or get on a screen share.
39
Case Study: In the meantime…
SEV 1 Ticket
Was open for 2 techs for 3 days with 4 meetings
Tested the various other upgraded environments
Pretty sure SysAdmin slept in the Office
Wish I was joking
40
Case Study: IDP team finally agreed to meet
“Nothing wrong with their IDP”
Went setting by setting of previous troubleshooting:
User, Time/Date, Error encountered
HAR file showing user go to Qlik Sense and was redirected.
SAML trace logs showing a valid request to the correct IDP.
Screenshot of Virtual Proxy settings which were correct and consistent with other environments.
Qlik Sense Logs – Qlik Proxy Logs which show that the user was redirected.
Compared the IDP Metadata between environments…
41
THERE WAS NO TRAILING SLASH AFTER THE SP REDIRECT
qlik.bigcompany.com/saml/authn/ Versus qlik.bigcompany.com/saml/authn
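An added example (not from the original slides) of the metadata comparison that found the problem in this case study: it lists every endpoint Location in two metadata exports and says how mismatched URLs differ. The metadata fragments are constructed, with the https scheme and the assumption that the SP redirect appears as a Location attribute; only the host and path come from the slide.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed metadata fragments for two environments (placeholders, not real exports).
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
WORKING = f"""<EntityDescriptor xmlns="{MD}" entityID="qlik-sp"><SPSSODescriptor>
 <AssertionConsumerService index="0" Location="https://qlik.bigcompany.com/saml/authn/"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
</SPSSODescriptor></EntityDescriptor>"""
BROKEN = WORKING.replace("/saml/authn/", "/saml/authn")

def endpoints(metadata_xml):
    """Map (element name, Binding) -> Location for every endpoint in a metadata document."""
    out = {}
    for el in ET.fromstring(metadata_xml).iter():
        if el.get("Location"):
            out[(el.tag.split("}")[-1], el.get("Binding"))] = el.get("Location")
    return out

def classify(a, b):
    """Explain how two endpoint URLs differ; one character was enough in the case above."""
    if a == b:
        return "identical"
    if a.rstrip("/") == b.rstrip("/"):
        return "trailing slash only"
    pa, pb = urlsplit(a), urlsplit(b)
    if pa.scheme != pb.scheme:
        return "scheme differs"
    if pa.netloc.lower() != pb.netloc.lower():
        return "host or port differs"
    if a.lower() == b.lower():
        return "letter case only"
    return "path or query differs"

def diff_metadata(xml_a, xml_b):
    """Return [(endpoint key, url_a, url_b, reason)] for endpoints that do not match exactly."""
    ea, eb = endpoints(xml_a), endpoints(xml_b)
    report = []
    for key in sorted(set(ea) | set(eb), key=str):
        ua, ub = ea.get(key), eb.get(key)
        if ua is None or ub is None:
            report.append((key, ua, ub, "missing in one environment"))
        elif ua != ub:
            report.append((key, ua, ub, classify(ua, ub)))
    return report
```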
42
The answer is not more hours, it's less bull****
David Heinemeier Hansson Author of Rework, partner at Basecamp, and creator of Ruby on Rails
43
Find all my resources at this link:
articles/
44
Q & A
45
Thank You