NPrinting: How to setup SAML authentication with Azure

This article explains how to implement SAML for NPrinting with Azure as the IdP.

Environments:

• NPrinting April 2018 and later

 

If issues are found with the implementation, among other reasons the following may be related:

The email address attribute needs to be the full URL path, not just “emailaddress”
The XML from AD/idp needs to have reference to only one certificate
Irrelevant information in the XML from the idp needs to be removed as NP does not support and can cause errors;

To implement Azure SAML in Nprinting, the following needs to be done:

1) Create your own application in Azure from this menu and choose a name for it.



2) In Azure, generate Metadata XML file from this button

Federation Metadata XML
Download

3) Configure SAML in NPrinting and upload your metadata file 

See instructions on the following link for NPrinting June 2019 :
https://help.qlik.com/en-US/nprinting/June2019/Content/NPrinting/DeployingQVNprinting/Configuring-SAML.htm

Below an example of a working metadata file with only the needed fields, the simpler is to copy the corresponding elements (Azure EntityID, certificate for signing, SingleSignOnService for HTTP-POST and HTTP-Redirect) from the IdP metadata file downloaded from Azure and paste it in each of the red parts below, save the file as .xml and upload it to NPrinting:

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/b26e23cf-787a-40e8-9d17-f0c9f9ad0821/">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>           
<ds:X509Certificate>MIIC8DCCAdigAwIBAgIQFUUu6ZQHg5FJ...Ud8tf9A/4A6+2SZm34gf8gcVPTXT/a</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>    
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/b26e23cf-787a-40e8-9d17-f0c9f9ad0821/saml2"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/b26e23cf-787a-40e8-9d17-f0c9f9ad0821/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>

Alternatively, when you upload the Azure metadata file as is to NPrinting, check the Webengine log file to remove unwanted tags from the Azure metadata file (As there are many tags that are not supported by Azure, it may take some time)


4) In Azure, configure your Enterprise application created in step 1

The fields that need to be filled in on the Azure side are the 2 below, others are optional.

Identifier (Entity ID)  (The Entity ID set up in NPrinting in step 3)
Reply URL (Assertion Consumer Service URL) (The correct value can be found in the SP metadadata file downloaded from NPrinting)





5) Make sure you give the correct permissions to the Azure AD users you want to authorize to connect with SAML 




The settings is now completed and SAML authentication should work.

Remember that the user that logs in must already exist in NPrinting identified by either his email address or DOMAIN\Username (Based on the settings in step 3)

If the authentication fails, the error will be logged in the webengine logs in C:\Programdata\Nprinting\Logs\