Qlik Sense Desktop authentication process using SAML
Article Number: 000036022 | Last Modified: 2018/06/12
Customer is getting prompted for credentials using Sense 3.2.4 desktop even after configuring virtual proxy with a desktop link.
According to our documentation once we authenticate from desktop by entering our credentials, we don’t need to authenticate again until 10 days:
"After you have been authenticated once, internet access is not required to continue using Qlik Sense Desktop. However, you have to re-authenticate yourself if ten days have passed since you last authenticated, if you have logged out, or if your administrator has revoked your user access for Qlik Sense Enterprise server."
With SAML authentication, every time a browser is closed, the session cookie will be deleted.
Default SAML Behavior: By nature if one browser is open with SAML SSO and if the browser is closed, then you need to login again. The SAML response (which is comprised of XML and Certificate security) depends on the validation to whom the SAML token is issued. Now if you close the browser your whole SAML session is lost. That is the reason SAML response has timeout value within itself.
On Qlik Sense Desktop authentication with Server using SAML authentication: you open a new http client (browser) every time you launch the Qlik Sense Desktop. So whatever cookies you had previously will not be valid for the new Session. The SSO server will see that this token either expired or takes it as new request every time.
If SAML is in play, users must authenticate every time to the Sense server, they will not be able to use offline mode. A documentation bug (QLIK-78814) has been entered for this issue.