Find Answers
Qlik Community
Collaborate with over 60,000 Qlik technologists and members around the world to get answers to your questions, and maximize success.
Join Us
Contact
Find Answers
Join Qlik Community
Collaborate with over 60,000 Qlik technologists and members around the world to get answers to your questions, and maximize success.
Join Us
Get Support
Have a Question?
Search Qlik's Support knowledge database or request assisted support for your highly complex issues.
Submit a Case
Talk with a Representative
Critical Issues
Experiencing a serious product issue? Please Contact us by phone. Click here to view phone numbers and hours by region.
Contact UsWelcome Guest
Installed Qlik Products
My Environments
Log your environments to ensure faster and more targeted troubleshooting.
View Available Licenses
My Licenses
Understand your licenses to help you maximize your experience.
Knowledge
SAML assertion was not signed properly with any of the certificates provided in the IdP metadata
Article Number: 000052406 | Last Modified: 2019/06/13Description
When trying to authenticate with SAML, Error 400 Bad request is displayed in the browser.
When looking into the Qlik Sense Proxy (Trace/Audit_proxy) the following WARN message: SAML assertion was not signed properly with any of the certificates provided in the IdP metadata
Looking at the SAML response and at the IDP metadata, we can however see that the same certificate is used for signing.
Environments:
When looking into the Qlik Sense Proxy (Trace/Audit_proxy) the following WARN message: SAML assertion was not signed properly with any of the certificates provided in the IdP metadata
Looking at the SAML response and at the IDP metadata, we can however see that the same certificate is used for signing.
Environments:
- Qlik Sense Enterprise 3.0 and higher
Cause
Feature Request ID:
- QLIK-89285
Resolution
Due to a known issue in the third party library used to implement SAML in Qlik Sense (ComponentSpace v2.6.10.0), Qlik Sense will not be able to validate a SAML response if it does not contain the following:
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi" /> </ds:Transforms>
Below is an example of response that will NOT validate correctly in Qlik Sense:
<ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#_1e1ed6a7c84fb5787ff829b0ba7a23b4"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> </ds:Transforms>
In order for the above to validate correctly, it will need to be altered in the following way:
<ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#_1e1ed6a7c84fb5787ff829b0ba7a23b4"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi" /> </ds:Transforms> </ds:Transforms>
- Most of third-party SAML providers include this tag so it should not be much of a concern in the case you use one of those SAML IDP.
- However, if you have built your own SAML IDP, you must be aware of this and generate the SAML Response with the tag in it.
Get Answers
Find Answers
Get Support
Have a Question?
Search Qlik's Support Knowledge database or request assisted support for highly complex issues.
Submit a case
Talk with a Representative
Critical Issues
Experiencing a serious issue, please contact us by phone. View phone numbers and hours by region.