Qlik Sense authentication – Using Azure AD and SAML for SSO
By Kabir Rab, 20th March 2018
I have been sitting in the shadows and reading up on all the good work the people from the Qlik community are producing. I have benefited from it more than I can count and have tried to add my small contributions to that. Unfortunately, finding the time has always been a bit of a challenge. However, I have decided to make the time and write something meaningful, in the hope that someone will read my blog and benefit from it.
There is no doubt that we are in the age of cloud computing. Organisations are moving more towards cloud solutions every day, be it iPaaS, SaaS or IaaS. So it’s no surprise that we are seeing the same trend in the world of BI. BI solutions have traditionally sat within IT and were typically hosted in-house. However, we are seeing a shift, and BI implementations are following the trend and moving to the cloud. Qlik solutions are no exception, so I thought I would pick a Qlik Sense deployment on Azure as my first blog topic.
Qlik Sense and Cloud
At Tahola I have had the opportunity to work on a project to deploy Qlik Sense BI solutions as a managed service in the cloud. The managed service solution took many aspects and risks away from Tahola’s clients and offered them more time to focus on their core business. Tahola manages the infrastructure, Sense platform, data security, connections to a number of data sources and even the application development and data modelling tasks. This frees up more time for the customer to analyse the data and drive improvement to their business.
Over the next few posts, I would like to share some of my learnings and some best practices that may help others on their journey in cloud deployments. I have decided to break my blogs down into 3 key parts, specifically looking at the areas where I have faced the most challenges:
1. Qlik Sense authentication – Using Azure AD and SAML for SSO.
2. Qlik Sense Repository backup and restore – Automation via PowerShell.
3. Qlik Sense Multi Node – To handle development environment separation.
Qlik Sense authentication – Using Azure AD and SAML
I am not going to go into the details of how Qlik Sense authentication and authorisation work at this stage. For more details on that, please read this. In this post, I will focus on integrating Qlik Sense with an existing corporate identity provider (IdP) to allow single sign-on (SSO) to Qlik Sense.
Like a lot of businesses, our customer uses Microsoft Office 365 and utilises an MS Azure AD tenant as their identity provider. They are integrating their software solutions with one identity provider to create a seamless journey for their employees. This allows them to maintain the credentials in one place, removing the overhead required for each solution they implement in the business.
Keeping this in mind, Tahola delivered the Qlik Sense solution leveraging Qlik’s and AAD’s SSO features using the SAML authentication method. I will now provide some key points as to how this was achieved.
Setup/Configuring Azure AAD and Qlik Sense
Microsoft Azure already provides a good step-by-step guide for how to configure SSO for Qlik Sense on AAD. This can be found here. I am not going to repeat these steps, but instead I will highlight some of the key points that the existing documentation does not expand on, and highlight the parts of the document that are now outdated and therefore not required.
- To set up AAD for SSO, follow the above guide on Azure and complete all steps up to the section “On Qlik Sense Enterprise Domain and URLs” (screenshot below).
Note: For the Sign on URL, provide the fully qualified address, including the Qlik Sense virtual proxy you will set up at a later stage. For example, if the Qlik Sense site is hosted at https://www.qliksenseserver.com and the Qlik Sense virtual proxy that will handle the request is called “azuresaml”, your Sign on URL should be https://www.qliksenseserver.com:443/azuresaml/ (443 here is the port on which the Qlik Sense service will listen for the request). If you changed this during installation, use the correct port number here. Also, do not forget to configure the firewall to allow traffic on this port. For an Azure deployment, you should also configure the NSG settings for the port forwarding.
- For identity provider URL, this should be https://www.qliksenseserver.com in this scenario.
- Before you move on to the next section of the guide (“4. On the SAML Signing Certificate section”), you must enable the certificate if this is the first time you are configuring SSO for Qlik Sense in AAD. You should see something similar to the screenshot below under “SAML Signing Certificate”.
Note: This tells you there is a new certificate, but this is not yet active. You must enable this certificate to use it. Tick the box “Make the new certificate active” during the setup to enable the certificate. Once you have done this and saved the settings, the certificate section should look as per the screenshot below.
- Please make a note of the Signing Algorithm under advanced settings in the certificate section. I recommend using SHA-256, however, I have had some issues with SHA-256 on the Qlik Sense server. You can always use SHA-1 if the first option resulted in an error.
- As for the next step of the guide, “6. Prepare the Federation Metadata XML”, please ignore this step. Since the November 2017 release of Qlik Sense, this is no longer required. You can now upload the XML file from Azure to Qlik Sense as it is.
- You can follow the rest of the steps in the guide from that point. Make sure you add your sign on URL to the “White List” of the Qlik Sense virtual proxy that will handle the SAML request, and ensure that you have configured your firewall settings to open the ports required.
If everything went according to plan, you should now be able to log in to your Qlik Sense environment using SSO against Azure Active Directory. This opens up options for multi-factor authentication and many more security features for your organisation to consider, which can be leveraged for all your linked SSO applications.
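To confirm what the configuration above actually produces, the following added example (not from the original post, Qlik or Microsoft) decodes a captured SAMLResponse with Python's standard library, reports the signature and digest algorithms in use (flagging SHA-1), and checks the response Destination against the virtual proxy prefix and host white list. The function names, the sample response and its issuer are constructed for illustration, and the white list is assumed to hold host names.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# XML-DSig algorithm URIs that rely on SHA-1
SHA1_URIS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}

def inspect_saml_response(b64_response):
    """Return issuer, destination and signing algorithms of a captured SAMLResponse."""
    # The capture is the operator's own; use a hardened parser for untrusted XML.
    root = ET.fromstring(base64.b64decode(b64_response))
    signatures = []
    for sig in root.iter(DS + "Signature"):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        algs = [method.get("Algorithm")] if method is not None else []
        algs += [d.get("Algorithm") for d in sig.iter(DS + "DigestMethod")]
        signatures.append({"algorithms": algs, "uses_sha1": any(a in SHA1_URIS for a in algs)})
    return {"issuer": root.findtext(SAML + "Issuer"),
            "destination": root.get("Destination"),
            "signatures": signatures}

def destination_problems(destination, prefix, whitelist):
    """Compare the response Destination with the virtual proxy prefix and host white list."""
    url = urlsplit(destination or "")
    problems = []
    if url.scheme != "https":
        problems.append("destination is not https")
    if url.hostname not in whitelist:
        problems.append(f"host {url.hostname} is not in the white list")
    if not url.path.startswith(f"/{prefix}/"):
        problems.append(f"path {url.path} is outside virtual proxy '{prefix}'")
    return problems

# Constructed sample: a trimmed SAML response using the post's example host and
# "azuresaml" virtual proxy; issuer, path suffix and signature content are placeholders.
_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://www.qliksenseserver.com:443/azuresaml/placeholder">
 <saml:Issuer>https://idp.example/placeholder-tenant/</saml:Issuer>
 <saml:Assertion><ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="{sig}"/>
  <ds:Reference><ds:DigestMethod Algorithm="{dig}"/></ds:Reference>
 </ds:SignedInfo></ds:Signature></saml:Assertion></samlp:Response>"""

def make_sample(sig, dig):
    return base64.b64encode(_TEMPLATE.format(sig=sig, dig=dig).encode()).decode()
```

This only reads the algorithm identifiers and the Destination attribute; it does not validate the signature itself.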
Hopefully you will find the information I have provided in the first part of my blog ‘Qlik Sense authentication – Using Azure AD and SAML for SSO’ useful. Next time I will be covering the Qlik Sense Repository backup and restoration automation using PowerShell.