Configure AD FS - Click Manage in the Server Manager and finish the ADFS setup
Note: Notice that dc1.domain.local is available in the drop-down. On a clean install of the server with ADFS installed afterwards, there will be NO certificates there other than the ones you install (or the ones on the server's default image). This is why we are using the one we created: it makes it easier to ensure that all the certificates trust each other without extra configuration.
Example of the View Script
Click Configure to start the installation process
You can ignore this message in a single ADFS test environment.
Configure the virtual proxy for ADFS
SAML attribute for user ID: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
Note the brackets around the SAML attribute for user directory. They are needed for all directory names, even when linking to an established User Directory Connector.
If you're going to use a 3rd party SSL certificate and do NOT want to change the encryptioncertificaterevocationcheck and signingcertificaterevocationcheck settings (Step 12 below) for the Relying Party Trust, review Step 5-A at the end of the document, then proceed.
Download the SP metadata for the ADFS virtual proxy in the QMC and move it to the ADFS server (or a shared folder)
Note: You must link the virtual proxy to a proxy, or this will not be possible and the button will be grayed out.
Configure the Relying Party Trust using the SP metadata from Sense
Note: Once completed, go back into the Properties for this Relying Party Trust and change it from SHA-256 to SHA-1 for this demonstration.
Add the Claim information for the Relying Party Trust
Note: You can pass many different AD attributes, but for this we are just sending the Windows Account Name information as the UserID (as set in the virtual proxy)
Download the ADFS IdP Metadata
ADFS Metadata URL: https://<ADFS_server_name>/FederationMetadata/2007-06/FederationMetadata.xml
Note: Putting the link into Chrome/Firefox will download the .xml file, but you can copy and paste it into Notepad and save it as .xml
Once you get the metadata in a file, you will need to remove any and all sections containing RoleDescriptor.
Note: This step may not be needed depending on the version of Sense and AD FS. If you're in current builds (any 2018 or later), it will most likely be fine just using the full IdP metadata XML. You will get an error in the QMC when applying, if it's not valid.
Click at the start of the file and use Find to locate the first RoleDescriptor entry.
Add a few returns / spaces there so that when you select from the bottom up you'll know where to stop.
Scroll to the bottom of the file and click to move the cursor to the end of the file.
Change the search direction from Down to Up and click Find Next.
Once found, select the entire section between those two points and delete it. This will reduce the XML file to less than half its original size.
Note: You can use other text editors, but Notepad is the default on Windows and this just takes a few quick searches.
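The same RoleDescriptor removal, done with a script instead of Notepad, as an added example that is not part of the original article. It uses a constructed, minimal stand-in for FederationMetadata.xml (the hostnames and certificate are placeholders) and also runs the sanity check a practitioner would want before importing into the QMC: that a single SAML 2.0 IDPSSODescriptor with its signing certificate and SSO endpoint survived the edit.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed stand-in for FederationMetadata.xml (not real ADFS output); the
# certificate is a placeholder. A real file also carries a ds:Signature over the
# whole EntityDescriptor that any hand edit invalidates, so take the file straight
# from the ADFS server over HTTPS rather than from an untrusted copy.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  entityID="http://adfs.example.local/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"/>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"/>
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2}">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://adfs.example.local/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def strip_role_descriptors(xml_text: str) -> tuple[str, int]:
    """Drop every RoleDescriptor (the WS-Federation roles) from the EntityDescriptor.
    Returns the trimmed XML and how many elements were removed."""
    root = ET.fromstring(xml_text)
    victims = [c for c in root if c.tag == f"{{{MD_NS}}}RoleDescriptor"]
    for child in victims:
        root.remove(child)
    ET.register_namespace("", MD_NS)   # keep md as the default namespace on output
    ET.register_namespace("ds", DS_NS)
    return ET.tostring(root, encoding="unicode"), len(victims)


def check_idp_metadata(xml_text: str) -> bool:
    """Pre-import check: exactly one SAML 2.0 IDPSSODescriptor remains, and it still
    carries a signing certificate and a SingleSignOnService endpoint."""
    root = ET.fromstring(xml_text)
    idps = root.findall(f"{{{MD_NS}}}IDPSSODescriptor")
    if len(idps) != 1 or SAML2 not in idps[0].get("protocolSupportEnumeration", ""):
        return False
    idp = idps[0]
    signing = [k for k in idp.findall(f"{{{MD_NS}}}KeyDescriptor")
               if k.get("use") == "signing" and k.find(f".//{{{DS_NS}}}X509Certificate") is not None]
    return bool(signing) and idp.find(f"{{{MD_NS}}}SingleSignOnService") is not None
```

Run `strip_role_descriptors` on the downloaded file's text and write the returned XML out only if `check_idp_metadata` returns True.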
Import the ADFS IdP into the virtual proxy for ADFS
Note: At this point Sense and ADFS are configured. Follow Step 12 if you did not do 5-A.
Step 12: Remove the signingcertificaterevocationcheck and encryptioncertificaterevocationcheck for the Relying Party Trust on the ADFS server, in an elevated (run as Administrator) Windows PowerShell:
Reason: not all of the certificates are trusted between ADFS and Sense; disabling the revocation checks removes the need to deal with that.
This step is to be performed before getting the SP metadata for the virtual proxy in Qlik Sense, because the SP metadata includes the certificate information for the proxy that the virtual proxy is linked to. By default this is the self-signed certificate created when Sense is installed. ADFS does not trust that chain, so to keep things simple we use a 3rd party certificate issued by the same CA as the one used for ADFS.
Below is an example of a certificate from the same CA as DC1.domain.local, issued for qlikserver1.domain.local. Its thumbprint is placed in the proxy that the virtual proxy for ADFS is linked to, which will then use this certificate for trust.