Google Workspace can be used as a SAML identity provider (IdP) for Qlik Sense Enterprise on Windows, providing single sign-on. In this article, we will cover how to perform a quick setup using Qlik Sense Enterprise on Windows September 2020.
Prepare the SAML App in Google Marketplace
- Log on to your Google Marketplace Admin console
- Open Apps
- From the list of available Applications, select SAML Apps
- Click Add App
- Choose Add custom SAML app
- Choose an App name.
We are using Qlik Sense as the App name.
- Click Continue
- Click DOWNLOAD METADATA and CONTINUE.
- The download provides you with a GoogleIDPMetadata.XML file. Copy this file to your Qlik Sense Enterprise on Windows host machine.
Setting up SAML
To begin setting up SAML, we need to set up a new Virtual Proxy.
- Open the Qlik Sense Management Console
- In the menu to the left, locate Virtual Proxies
- In the Virtual Proxies setup, click Create new
- Select Identification, Authentication, Load balancing, and Advanced in the Properties menu on the right.
- Populate the Virtual Proxy fields. Our example follows below, including short descriptions.
- We begin with the Identification settings
- Description: SAML
This is the description of the Virtual Proxy.
- Prefix: saml
This value needs to be unique across all your Virtual Proxies. Note the character restrictions as documented in the visual guide.
- Session cookie header name: X-Qlik-saml
The cookie header name must be unique across all your virtual proxies used by the same proxy service.
- We move on to the Authentication settings.
- Anonymous access mode: No anonymous user
- Authentication method: SAML
This is where we choose which authentication module the Virtual Proxy uses.
- SAML single logout checkbox
We leave this unticked. Our IdP metadata file does not include a logout URL.
- SAML host URI: https://qlikserver2.domain.local/
This is our Qlik Sense Proxy URL. You will need this URL for the remaining SAML setup in Google Workspace.
- SAML entity ID: GoogleSAML
This is the entity ID that we choose. You will need this ID for the remaining SAML setup in Google Workspace.
- SAML IdP metadata: Upload the GoogleIDPMetadata.xml file.
- SAML attribute for userID: email
Choose what attribute to use for the userID. We choose email.
- SAML attribute for user directory: [DOMAIN]
The static attribute must be enclosed in brackets. We choose DOMAIN.
- SAML signing algorithm: SHA-1
We leave this unchanged.
- Move on to the Load Balancing settings and click Add new server node to choose the Engine nodes the Virtual Proxy should be using.
- We move on to the Advanced settings
- These depend on your setup. We choose to use the Lax SameSite attribute (https).
- Add any required hosts to the Host white list
These are the names or IP addresses your users use to connect to the Virtual Proxy, for example domainname.com or machinename.domain.com.
- Click Apply
- You will be alerted that the Proxy Services associated with this Virtual Proxy will restart
- Now we will associate a Proxy to the Virtual Proxy. You will notice a new menu available in the right-hand corner: Associated items - Proxies
- Click Proxies
- Click Link
- Follow the on-screen instructions to link the Proxy
- The Proxy will restart.
- Return to the Virtual Proxies overview and select your SAML virtual proxy
- In the menu at the bottom of the screen click Download SP metadata
This will give you a saml_metadata_sp.xml including the remaining details you need for the setup.
Finalizing the SAML Setup in Google Workspace
- Return to your SAML App in Google Workspace. We will be filling out the bare minimum. Depending on your requirements, this may vary. Our examples are shown below.
- Based on the information in your saml_metadata_sp.xml and settings, fill out:
- ACS URL: https://qlikserver2.domain.local:443/saml/samlauthn/
- Entity ID: GoogleSAML
- Signed response is not supported in Qlik Sense.
- Name ID format: EMAIL
- Name ID: Basic Information > Primary email
- Click Continue
- Click Add mapping and fill out the Attributes
Note that these are case sensitive. We used email in Qlik Sense, so we do the same here.
- Click Finish
This concludes the setup!
To test, access the Qlik Sense hub using the prefix defined in the setup. In our case, the URL is: https://qlikserver2.domain.local/saml
You will be redirected to a Google Account sign-in page.
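
The Entity ID, ACS URL and single-logout choice made during the setup can be cross-checked against the two metadata files (GoogleIDPMetadata.xml and saml_metadata_sp.xml) before testing. The Python sketch below is an added example, not part of the original article or of Qlik's or Google's tooling; the embedded XML is constructed sample data with placeholder IdP URLs and certificate, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed, trimmed samples; in practice read the two downloaded metadata files instead.
IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/PLACEHOLDER">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example/sso/PLACEHOLDER"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="GoogleSAML">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
     Location="https://qlikserver2.domain.local:443/saml/samlauthn/"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

def summarize_metadata(xml_text):
    """Extract the fields of a SAML 2.0 EntityDescriptor that this setup depends on."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    def loc(path):
        return [e.get("Location", "") for e in root.findall(path, NS)]
    return {"entity_id": root.get("entityID"),
            "acs_urls": loc("md:SPSSODescriptor/md:AssertionConsumerService"),
            "sso_urls": loc("md:IDPSSODescriptor/md:SingleSignOnService"),
            "slo_urls": loc("md:IDPSSODescriptor/md:SingleLogoutService"),
            "signing_certs": len(root.findall(".//ds:X509Certificate", NS))}

def setup_problems(idp, sp, entity_id, acs_url, single_logout):
    """Compare the values typed into the two consoles with what the metadata states."""
    problems = []
    if sp["entity_id"] != entity_id:  # exact, case-sensitive match
        problems.append("Entity ID mismatch: SP metadata has %r" % sp["entity_id"])
    if acs_url not in sp["acs_urls"]:
        problems.append("ACS URL not in SP metadata: %r" % sp["acs_urls"])
    if single_logout and not idp["slo_urls"]:
        problems.append("single logout enabled but IdP metadata has no logout URL")
    if not idp["sso_urls"] or not idp["signing_certs"]:
        problems.append("IdP metadata lacks an SSO URL or signing certificate")
    if any(not u.startswith("https://") for u in sp["acs_urls"] + idp["sso_urls"]):
        problems.append("non-HTTPS endpoint in metadata")
    return problems

if __name__ == "__main__":
    idp, sp = summarize_metadata(IDP_XML), summarize_metadata(SP_XML)
    acs = "https://qlikserver2.domain.local:443/saml/samlauthn/"  # ACS URL used in the article
    print(setup_problems(idp, sp, "GoogleSAML", acs, single_logout=False))
```

An empty list means the values entered in Google Workspace agree with the SP metadata and the single-logout choice is consistent with the IdP metadata.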