Qlik NPrinting SAML authentication with Azure

This article explains how to implement SAML for NPrinting with Azure as the IdP.

Environments:

Qlik NPrinting  

To implement Azure SAML in Nprinting, the following needs to be done:

1. Create your own application in Azure from this menu and choose a name for it.
   
   
   
   

2. Generate a Metadata XML file 
   
   Federation Metadata XML: Download
   
   

3. Configure SAML in NPrinting and upload your metadata file 
   
   See instructions on the following link: Confguring SAML
   
   Below is an example of a working metadata file with only the needed fields, the simpler is to copy the corresponding elements (Azure EntityID, certificate for signing, SingleSignOnService for HTTP-POST and HTTP-Redirect) from the IdP metadata file downloaded from Azure and paste it into the corresponding parts of the code.
   
   Then save the file as .xml and upload it to NPrinting:
   

   <?xml version="1.0"?>
   <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/b26e23cf-787a-40e8-9d17-f0c9f9ad0821/">
     <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <KeyDescriptor use="signing">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
           <ds:X509Data>           
   <ds:X509Certificate>MIIC8DCCAdigAwIBAgIQFUUu6ZQHg5FJ...Ud8tf9A/4A6+2SZm34gf8gcVPTXT/a</ds:X509Certificate>
           </ds:X509Data>
         </ds:KeyInfo>
       </KeyDescriptor>    
   <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/b26e23cf-787a-40e8-9d17-f0c9f9ad0821/saml2"/>
   <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/b26e23cf-787a-40e8-9d17-f0c9f9ad0821/saml2"/>
     </IDPSSODescriptor>
   </EntityDescriptor>​

   
   Alternatively, when you upload the Azure metadata file as is to NPrinting, check the Webengine log file to remove unwanted tags from the Azure metadata file (As there are many tags that are not supported by Azure, it may take some time)
   
   
4. In Azure, configure your Enterprise application created in step 1
   
   The fields that need to be filled in on the Azure side are the 2 below, others are optional.
   
   Identifier (Entity ID):  The Entity ID set up in NPrinting in step 3
   Reply URL (Assertion Consumer Service URL): The correct value can be found in the SP metadata file downloaded from NPrinting
   
   
   
   
5. Make sure you give the correct permissions to the Azure AD users you want to authorize to connect with SAML
   
   
   
   The settings is now completed and SAML authentication should work.
   
   

Potential Troubleshooting Steps

• Remember that the user that logs in must already exist in NPrinting identified by either his email address or DOMAIN\Username (Based on the settings in step 3).
  
  If the authentication fails, the error will be logged in the web engine logs in C:\Programdata\Nprinting\Logs\.
  
  
• If issues are found with the implementation, among other reasons the following may be related:
  1. The email address attribute needs to be the full URL path, not just “emailaddress”
  2. The XML from AD/idp needs to have reference to only one certificate
  3. Irrelevant information in the XML from the idp needs to be removed as NP does not support and can cause errors.