Qlik Sense SAML Certificate Information for Salesforce

Which type of SAML will be used SP (Service Provider) or IdP (Identity Provider)?

Identity provider initiated SSO

With identity provider initiated SSO, the user logs in directly to the identity provider, which performs the SSO authentication.

We recommend that you always set RelayState to https://<machine_name>/<vp_prefix>/hub, because if RelayState is empty, some identity providers will send a get request instead of a post request, which will cause a failure.

If RelayState is empty, misspelled, or not part of the host white list, the user will automatically be redirected to the hub.
For the IdP initiated SSO to work the assertions must be signed.

Service provider initiated SSO

With service provider initiated SSO, the user starts at the service provider site, but instead of logging in at the SP site, SSO authentication is initiated with the identity provider. In the authentication process, Qlik Sense plays the role of a service provider. When a user logs in to Qlik Sense, the login is transferred to the identity provider that handles the actual SSOauthentication.

 

As far as the Certificates, Salesforce has retired the Default Certificates.

"Due to the upcoming expiration of the default client certificate and for security best practices, we will retire the use of the proxy.salesforce.com client certificate with the Winter ‘18 release. During the Winter '18 release, your SAML Single Sign-On configurations that use the proxy.salesforce.com default certificate will be switched to a self-signed certificate automatically."

Service provider initiated SSO

If using the SP Initiated SAML method then further action will need to be followed found in the Salesforce Article:

https://help.salesforce.com/articleView?id=000265889&type=1&_ga=2.148809655.1806771827.1525703697-895858007.1522245230

Identity provider initiated SSO

As long as the user is authenticated before opening the iFrame then it will work. If the user is not authenticated then they will be redirected which will refuse to load in an iFrame. 
Login pages use the X-Frame-Options header to tell the browser not to load the page in an iFrame, this is done for security to prevent credentials being read by the outer page. 

One thing to try is to get the URL from the iFrame and try to access outside the Network. 
If it cannot be accessed then this would be an issue. 
Also if there are no Qlik errors, then at that point it would be an issue on the Network side of things. 
It could possibly be a DNS resolve issue which would require a Networking team to troubleshoot.