Presentation is loading. Please wait.

Presentation is loading. Please wait.

Troubleshooting SAML Integrations in Qlik Sense Enterprise

Published byJonathan Elling Larsen Modified over 6 years ago

Similar presentations

Presentation on theme: "Troubleshooting SAML Integrations in Qlik Sense Enterprise"— Presentation transcript:

1 Troubleshooting SAML Integrations in Qlik Sense Enterprise
Adam Sawyer Technical Software Support Engineer May 2019

2 Today’s Presenter(s) Adam Sawyer Technical Software Support Engineer
Qlik Sense Infrastructure and Integrations Started Sept. 2017

3 Intended for Beginner - Intermediate Users

4 Agenda Scope of Support Issues
Authentication and Authorization in Qlik Sense Basics of SAML authentication Support - Needed information Real World Test Case Agenda

5 Why this presentation?

6 Closed Integrations Cases in 2018 Summarized

7 Closed Integrations Cases in 2018 by Root Cause

8 Authentication Matters!
~50% Of Integrations tickets handled by Qlik Support worldwide With the vast majority being issues outside of the product that could be avoided or overcome. When Authentication breaks, everyone notices.

9 When you say Authentication…?
Anyone who doesn’t know what they’re doing here

10 Authentication v. Authorization
Confirmation that a client end user is who they say they are by the product. Authorization Confirmation that a client end user has permission to view a resource.

11 Authentication v. Authorization
In Qlik Sense, authentication and authorization are two distinct, unconnected actions. Sources for authentication do not have to be the same as for authorization and vis-a-versa. Qlik Sense does not have its own authentication. Qlik Sense always asks an external system to verify who the user is and if the user can prove it.

12 Simplified Workflow External System User Source Lucius Fox
Windows ID: WAYNE\FOX Groups: Applied Sciences User Source

13 Examples of Types of Authentication
Default Authentication Module (Windows) Comes with Qlik Sense when a proxy is created. Can support Kerberos and NTLM Session Passes an authenticated user via a registered session token in a session cookie. Uses Qlik Sense session API Header Injected Header is supplied by client-facing device/service Notice: QPS should NOT be accessible using this model

14 Examples of Types of Authentication
JSON Web Token (JWT) Open standard for secure transmission of information between two parties Both Authentication and Authorization. Anonymous If allowed, passes an unauthenticated user to Qlik Sense without redirection to an Authentication module with the user having the option to login later.

15 Single Sign-On (SSO) v. Authentication
SSO != Authentication This distinction reveals what someone wants from a particular Business Goal versus the technology used to accomplish authentication. SSO is a concept and can be a attribute of a particular authentication method including SAML. PEDENTATIC ALERT!

16 With that out of the way…
Everyone who came to this for SAML

17 Security Assertion Markup Language (SAML)
XML based web standard which uses tokens to pass assertions between a end user client, a SAML provider, and a SAML consumer over various protocols. Originally codified in early 2000’s. SAML 2.0 Mar Qlik Supports SAML 2.0

18 SAML Unique Terms Principal Identity Provider (IDP) Service Provider
Something or Someone being authenticated. In web applications, a user at a browser. Identity Provider (IDP) System that creates, maintains, and provides authentication assertions in conjunction with an SSO profile of SAML Service Provider System that receives and accepts authentication assertions in conjunction with the profile of a principal.

19 Example Qlik SAML Setup
XHTML SENT with Configured SP information4 IDP SAML Response with Requested resources are evaluated against virtual proxy5, 6, & 7 Brucew => QLIK.JLA.COM/SAML/HUB1 QPS redirects User to IDP based on information in the virtual proxy SAML2&3 Requested resources provided or not8 User login successful against IDP 3&4

20 Detailed Generic SAML – Web Browser

21 Assertions The SAML assertions provide what the IDP is communicating back to the SP. Generic form information for each request as the user is being handed back to the SP. Can be captured with SAML Tracer or HAR File Issuer Signature Subject Conditions AuthnStatement

22 Virtual Proxies Basics
Contains settings for Authentication, Session handling, and load balancing A configuration that is linked to Qlik Proxy Service on a particular Qlik Sense Node Multiple Configurations can be set on the same Proxy

23 You went to Qonnections, so you can setup our SSO, right?!
Your Boss, probably

24 Guidance for New Setups
Plan with Pictures and Diagrams Have a diagram with how your Auth works. Have photos and copies of settings on the system. Help your self down the line, can quickly look for failures from expected state. Do your homework If you are a Qlik Admin, ask a lot of questions of your team or provider Create development environments with user source and test Have a Way back into the QMC If you use Default Virtual Proxies, create a way back in through a non- default Windows virtual proxy.

25 Usual Suspects Pick a known vendor unless you can’t
Use of logos for complementary technologies does not represent an endorsement of any kind.

26 Helpful Resources Qlik Sense: Information needed to Troubleshoot SAML SSO related issues: How To Use SAML Authentication With Qlik Sense: Quick Guide to installing ADFS for testing SAML: Cryptographic Errors:

27 Oh no! No one can login! What did you do, you monster!?
An end user, definitely

28

29 Required Information From the User: From the QMC: From the Server:
The Essentials From the User: User, Time/Date, Error encountered SAML trace logs and/or Har file From the QMC: Screenshot of Virtual Proxy settings SAML IDP Metadata and/or IDP Logs From the Server: Qlik Sense Logs – Qlik Proxy Logs

30 Required Information Why do you need that
At the end of the day, its about tracing the user through this workflow your environment for your business goals. There is always more to know about SAML, Security, and Authentication/Authorization. Very few will take the time to experiment, test what works still, but that is always trading time now for time later.

31 Required Information Har Files, Audit Proxy Logs
Why do you need that Har Files, Audit Proxy Logs Confirms the user got to Qlik Sense Proxy Service Confirms IDP redirected user came back SAML Tracer Files Confirms what requests were redirected to IDP *Fiddler/Network Device Did it get the IDP *not usually a thing but always good to know

32 Required Information IDP Logs
Why do you need that IDP Logs Did it get there, with what, and what got sent back. Virtual Proxy Screenshots Expected IDP Expected Attributes Security (SHA 1 v. SHA 256) Whitelist

33 Tools for the Job HAR Files – Chrome/Firefox Dev Tools Fiddler
Fiddler Qlik Sense Log Collector Virtual Proxy Screenshot SAML Tracer

34 True Story

35 Sizeable Telecom Customer
Case Study Sizeable Telecom Customer 1 week before project end and big internal release They upgraded Qlik Sense and…

36

37 Case Study User, Time/Date, Error encountered
Awesome SysAdmin provided: User, Time/Date, Error encountered Har file showing user go to Qlik Sense and was redirected. SAML trace logs showing a valid request to the correct IDP. Screenshot of Virtual Proxy settings which were correct and consistent with other environments. Qlik Sense Logs – Qlik Proxy Logs which show that the user was redirected.

38 Refused to meet claiming the issue was Qlik Sense.
Case Study IDP Team on the other hand Non-Standard IDP Refused to meet claiming the issue was Qlik Sense. Refused to provide IDP metadata or get on a screen share.

39 Tested the various other upgraded environments
Case Study In the meantime… SEV 1 Ticket Was open for 2 techs for 3 days with 4 meetings Tested the various other upgraded environments Pretty sure SysAdmin slept in the Office Wish I was joking

40 Case Study IDP team finally agreed to meet
“Nothing wrong with their IDP” Went setting by setting of previous troubleshooting User, Time/Date, Error encountered - Har file showing user go to Qlik Sense and was redirected. SAML trace logs showing a valid request to the correct IDP. Screenshot of Virtual Proxy settings which were correct and consistent with other environments. Qlik Sense Logs – Qlik Proxy Logs which show that the user was redirected. Compared the IDP Metadata between environments…

41 THERE WAS NO TRAILING SLASH AFTER THE SP REDIRECT
qlik.bigcompany.com/saml/authn/ Versus qlik.bigcompany.com/saml/authn

42 The answer is not more hours, it's less bull****
David Heinemeier Hansson Author of Rework, partner at Basecamp, and creator of Ruby on Rails

43 Find all my resources at this link:
articles/

44 Q & A

45 Thank You

46

47

48

Download ppt "Troubleshooting SAML Integrations in Qlik Sense Enterprise"

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Enterprise Single Sign On Identity management for web applications.

Enterprise Single Sign On Identity management for web applications.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Troubleshooting Federation, AD FS 2.0, and More…

Troubleshooting Federation, AD FS 2.0, and More…
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series 2008 - WebSEAL SSO, Session 1 Presented by: Andrew Quap.

TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation www.telerik.com.

Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
Troubleshooting Federation, AD FS 2.0, and More…

Troubleshooting Federation, AD FS 2.0, and More…
Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May 20121.0First version. Modified from Enterprise edition.NBL.

Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May First version. Modified from Enterprise edition.NBL.
Integrating with UCSF’s Shibboleth system

Integrating with UCSF’s Shibboleth system
Cross-Enterprise User Assertion IHE Educational Workshop 2007 Cross-Enterprise User Assertion IHE Educational Workshop 2007 John F. Moehrke GE Healthcare.

Cross-Enterprise User Assertion IHE Educational Workshop 2007 Cross-Enterprise User Assertion IHE Educational Workshop 2007 John F. Moehrke GE Healthcare.
Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.
ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Similar presentations

Ads by Google