Feb 1, 2023 3:20:47 AM
May 2, 2018 4:41:03 PM
The information in this article is provided as-is and is to be used at your own discretion. Depending on the tool(s) used, customization(s), and/or other factors, ongoing support on the solution below may not be provided by Qlik Support.
Note: This documentation is only to be used to validate and test ADFS SAML while using Apache as a Reverse Web Server with HTTPS/SSL enabled. This example assumes an understanding of the environment and the proper permissions to perform the actions shown. Accounts used are all Local Administrators and the servers are open, with nothing blocked and no other programs installed on them. Read the entire documentation to verify access and understanding of all actions stated within prior to starting the install and configuration. Other versions or configurations of any software may need other steps, options or settings that are not documented here. Use this at your own discretion, as Qlik does NOT support Apache/OpenSSL/ADFS in their installation, configuration or use.
Download the zip file (recommended: verify that it is not blocked by right-clicking the zip file -> Properties -> General -> click Unblock -> Apply), extract it and read "readme_first.html", then use the instructions to install Apache Web Server as a service on a separate machine from Sense and ADFS - https://httpd.apache.org/docs/2.4/platform/windows.html. Verify Apache is running under HTTP/HTTPS.
Location Installed: C:\Apache24\
Note: Tested with http://www.apachehaus.com version Apache 2.4.33 x64 Distribution File: httpd-2.4.33-o110h-x64-vc14-r2.zip
Place a valid certificate's .crt and .key files on the Apache Web Server.
Location used: C:\Apache24\conf\ssl
Note: Process used: How to convert a certificate for NPrinting to the .key and .crt files for HTTPS/SSL in the Web Conso...
Navigate to the location and Edit the "httpd.conf" file (Location used: C:\Apache24\conf\). Then uncomment certain modules used in this example and save the file.
Search for and then uncomment the following modules:
Find and uncomment the following line so that the reverse proxy will use the configuration that will be written later:
Include conf/extra/httpd-vhosts.conf
Note: To uncomment the option/module remove the pound ( # ) symbol in front of the line and save the file.
Navigate to and edit the file "httpd-vhosts.conf" under the directory (Location used: C:\Apache24\conf\extra) to add the virtual host that will be used for Qlik Sense, then save the file.
Example "httpd-vhosts.conf":
# Virtual Hosts
#
# Required modules: mod_log_config
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# Qlik Sense configuration needed:
#
# - Create a new virtual proxy with SAML called adfsapache
# - Add reverse proxy name and IP address to whitelist of virtual proxy
#Put IP address of reverse proxy as LOCAL_ADDR
#Put IP address of Qlik Sense server as REMOTE_ADDR
#Put your virtual proxy prefix as VIRTUAL_PROXY
Define LOCAL_ADDR 172.16.16.102
Define REMOTE_ADDR 172.16.16.100
Define VIRTUAL_PROXY adfsapache
<VirtualHost *:443>
    ServerAdmin name@qlik.com
    DocumentRoot "${SRVROOT}/htdocs"
    ServerName ${LOCAL_ADDR}:443
    ServerAlias qlikserver3.domain.local
    SSLProxyEngine on
    SSLEngine on
    # The next two lines turn off the name checks on the certificate
    # presented by the Qlik Sense server (the proxied backend)
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    # Location of the SSL certificate used for this virtual host in their .crt and .key file format
    SSLCertificateFile "${SRVROOT}/conf/ssl/QlikServer3Certificate.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/QlikServer3Certificate.key"
    ProxyRequests Off
    ProxyPreserveHost On
    KeepAlive On
    RewriteEngine On
    # If it is a websocket request forward as websocket traffic
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule ^/(.*) wss://${REMOTE_ADDR}%{REQUEST_URI} [P]
    <Proxy *>
        Require all granted
    </Proxy>
    <Location /${VIRTUAL_PROXY}>
        ProxyPass https://${REMOTE_ADDR}/${VIRTUAL_PROXY} connectiontimeout=5 timeout=300
        ProxyPassReverse https://${REMOTE_ADDR}/${VIRTUAL_PROXY}
    </Location>
</VirtualHost>
Note: Some parameters/options may need to be turned off or on depending on your certificates and other configuration items.
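The example vhost sets SSLProxyCheckPeerCN and SSLProxyCheckPeerName to off and never sets SSLProxyVerify, so the proxy does not authenticate the Qlik Sense server it forwards to. The Python function below is an added example, not part of the original article or Qlik's code, that audits a vhost file for those settings; the function name and the embedded sample are constructed for illustration.

```python
import re

# Constructed excerpt of the example vhost above, used as sample input.
SAMPLE_VHOST = """\
Define REMOTE_ADDR 172.16.16.100
Define VIRTUAL_PROXY adfsapache
<VirtualHost *:443>
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
<Location /${VIRTUAL_PROXY}>
ProxyPass https://${REMOTE_ADDR}/${VIRTUAL_PROXY} connectiontimeout=5 timeout=300
</Location>
</VirtualHost>
"""

def audit_backend_tls(conf_text):
    """Return findings on how the proxy authenticates its HTTPS backend."""
    defines, seen, backends = {}, {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Expand ${NAME} from earlier Define lines, as httpd does.
        line = re.sub(r"\$\{(\w+)\}",
                      lambda m: defines.get(m.group(1), m.group(0)), line)
        name, *args = line.split()
        name = name.lower()  # directive names are case-insensitive
        if name == "define" and len(args) == 2:
            defines[args[0]] = args[1]
        elif name.startswith("sslproxy") and args:
            seen[name] = args[0].lower()
        elif name == "proxypass":
            backends += [a for a in args if a.lower().startswith("https://")]
    findings = []
    if seen.get("sslproxyengine") != "on" or not backends:
        return findings  # no TLS connection to a backend to audit
    target = ", ".join(backends)
    for directive in ("sslproxycheckpeercn", "sslproxycheckpeername"):
        if seen.get(directive) == "off":
            findings.append(f"{directive} off: certificate name unchecked for {target}")
    # SSLProxyVerify defaults to none, so the chain is not validated either.
    if seen.get("sslproxyverify", "none") == "none":
        findings.append(f"sslproxyverify none: certificate chain unchecked for {target}")
    return findings

if __name__ == "__main__":
    for finding in audit_backend_tls(SAMPLE_VHOST):
        print(finding)
```

Outside a test environment, an empty result needs SSLProxyVerify require with a CA file the proxy trusts (SSLProxyCACertificateFile) and the name checks left on.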
For Steps 5 & 6, refer to Article Quick Guide to installing ADFS for testing SAML starting from Step 5 until Step 11 and apply where needed
Configure a Virtual Proxy in Qlik Sense called "adfsapache"
Note: Verify the Host allow list has the correct IPs/DNS (FQDN/Servername/Alias) added to it.
Create the Relying Party Trust for the "adfsapache" Virtual Proxy in ADFS
Restart the Apache Web Server service and attempt to log into a URL from a machine that's NOT the Apache Server. Example URL: https://qlikserver3.domain.local/adfsapache
Note: Reason for attempting it outside the Apache Web Server is that certain OS level settings may not allow access to the FQDN/Servername locally to the machine. Review this article if you're able to connect to it locally with IP/Localhost: Authentication failed repeatedly when using external DNS alias locally on the server
One of our clients is using an Apache reverse proxy configuration, and while using the above code they noticed an issue loading the Qlik Sense hub on the Firefox browser specifically, but it would work fine on Chrome/Edge.
As per our client, the fix is sort of explained in this article: https://stackoverflow.com/a/
The changes are as follows. The "httpd-vhosts.conf" example file should be modified from:
Before:
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
After:
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
Feel free to test it out and update the post as needed.
Thanks
Ravi
Thank you for the input, @RaviGinqo
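The Connection-header matching discussed in the comments above, as an added example that is not part of the original article or its comments: it emulates the two RewriteCond lines against constructed handshake headers to show which clients reach the wss:// rule under each pattern. The "token" pattern is an assumption added here for comparison; it treats Connection as a comma-separated token list and so also matches when Upgrade is not the last token.

```python
import re

# Constructed WebSocket-handshake headers (Upgrade, Connection) per client;
# sample values for illustration, not captures from the page.
SAMPLES = {
    "Chrome/Edge": ("websocket", "Upgrade"),
    "Firefox": ("websocket", "keep-alive, Upgrade"),
    "reordered tokens": ("websocket", "Upgrade, keep-alive"),
    "ordinary request": ("", "keep-alive"),
}

# Patterns for: RewriteCond %{HTTP:CONNECTION} <pattern> [NC]
CONNECTION_PATTERNS = {
    "before": r"^Upgrade$",
    "after": r"Upgrade$",
    # Assumption: a token-aware alternative that is not in the thread.
    "token": r"(^|,)\s*Upgrade\s*(,|$)",
}

def cond(pattern, value):
    """Emulate one RewriteCond with [NC]: case-insensitive regex search."""
    return re.search(pattern, value, re.IGNORECASE) is not None

def proxied_as_websocket(upgrade, connection, connection_pattern):
    """Consecutive RewriteCond lines are ANDed, so both must match."""
    return cond(r"^WebSocket$", upgrade) and cond(connection_pattern, connection)

def decision_table():
    """Map each pattern to the clients whose handshake reaches the wss:// rule."""
    return {
        label: [client for client, (upg, conn) in SAMPLES.items()
                if proxied_as_websocket(upg, conn, pattern)]
        for label, pattern in CONNECTION_PATTERNS.items()
    }

if __name__ == "__main__":
    for label, clients in decision_table().items():
        print(f"{label:>6}: {clients}")
```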