Qlik Sense: How to use the same certificate for SAML on different Qlik Sense Proxy nodes

Damien_Villaret
Support

Last Update: Oct 15, 2021 7:54:37 AM
Updated By: Sonja_Bauernfeind
Created date: Sep 27, 2019 3:03:28 AM

When SAML is used in a multi-node Qlik Sense environment with an external load balancer in front and a single DNS name that distributes requests across the Qlik Sense Proxy nodes, the certificate used for SAML must be the same on every node. Otherwise a login only succeeds when the load balancer happens to send the request to the node whose certificate the identity provider knows, and fails on the others.

Environments:

To use the same certificate for SAML on all Qlik Sense Proxy nodes, install the same certificate, including its private key, on each node and enter the same certificate thumbprint in the Qlik Sense Proxy settings (QMC > Proxies, SSL browser certificate thumbprint) of each node.

The procedure for installing the certificate and applying its thumbprint is described here: How to change the certificate used by the Qlik Sense Proxy to a custom third party certificate
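The PowerShell below is an added example and is not part of the Qlik article or of Qlik's own tooling. It imports one PFX into the computer's Personal store on each proxy node, confirms that every node reports the same thumbprint (the value to enter in the proxy settings in QMC), and afterwards checks which certificate each node actually presents over TLS. The host names qs-proxy-a and qs-proxy-b, the PFX path, the copy over the admin share and the load balancer name sense.example.com are assumptions.

```powershell
# Added example, not from the Qlik article: push one PFX (certificate + private key)
# to every Qlik Sense Proxy node, then verify that each node presents that same
# certificate on its HTTPS port. Node names, paths and the LB DNS name are assumptions.

$ProxyNodes  = @('qs-proxy-a', 'qs-proxy-b')     # assumed proxy node host names
$PfxPath     = 'C:\certs\sense-saml.pfx'         # assumed PFX holding cert + private key
$LbDnsName   = 'sense.example.com'               # assumed external load balancer name
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Step 1: copy the PFX to each node over the admin share (assumed reachable) and import it
# into the computer's Personal store, the store the Qlik Sense Proxy reads from.
# Import-PfxCertificate returns the imported X509Certificate2, so the thumbprint it
# reports is the value to enter in QMC > Proxies > <node> > SSL browser certificate thumbprint.
$imported = foreach ($node in $ProxyNodes) {
    $remotePath = "\\$node\C$\Windows\Temp\sense-saml.pfx"
    Copy-Item -Path $PfxPath -Destination $remotePath
    try {
        Invoke-Command -ComputerName $node -ArgumentList $PfxPassword -ScriptBlock {
            param([securestring]$Password)
            $cert = Import-PfxCertificate -FilePath 'C:\Windows\Temp\sense-saml.pfx' `
                        -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password
            [pscustomobject]@{ Node = $env:COMPUTERNAME; Thumbprint = $cert.Thumbprint }
        }
    } finally {
        Remove-Item -Path $remotePath -Force -ErrorAction SilentlyContinue
    }
}
$imported | Format-Table Node, Thumbprint -AutoSize

# All nodes must report one and the same thumbprint; anything else means a different
# PFX was picked up somewhere and SAML logins will only work on some nodes.
$thumbprints = @($imported.Thumbprint | Sort-Object -Unique)
if ($thumbprints.Count -ne 1) {
    throw "Nodes imported different certificates: $($thumbprints -join ', ')"
}
$expected = $thumbprints[0]

# Step 2 (run after the thumbprint has been entered in QMC on every node and the proxy
# service restarted): open a TLS connection to each node and read the leaf certificate
# it presents. The validation callback returns $true because we only want to look at
# the certificate, not trust it; this is not how a real client should validate TLS.
function Get-RemoteTlsThumbprint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$ServerName = $HostName     # SNI name; pass the LB DNS name for proxy nodes
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ServerName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $leaf.Thumbprint
    } finally {
        $client.Close()
    }
}

foreach ($node in $ProxyNodes) {
    $seen  = Get-RemoteTlsThumbprint -HostName $node -ServerName $LbDnsName
    $state = if ($seen -eq $expected) { 'OK' } else { 'MISMATCH' }
    '{0,-14} {1} {2}' -f $node, $seen, $state
}

# Going through the load balancer several times should never show a second thumbprint
# either; if it does, one node behind it is still serving its old certificate.
1..5 | ForEach-Object { Get-RemoteTlsThumbprint -HostName $LbDnsName } | Sort-Object -Unique
```

Entering the thumbprint in QMC and granting the Qlik Sense service account read access to the certificate's private key are the manual steps covered by the linked article; run the second half of the script only after those are done on every node and the Qlik Sense Proxy service has restarted, because until then a node keeps presenting its previous certificate.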

Comments
jackykui
Contributor

Hello Damien

Would you please clarify whether, in this case, the external load balancer should always point to one of the proxy nodes?

We have done some tests as below.
Suppose we have
1 x Central node
1 x Proxy node
1 x Scheduler node

We create a new virtual proxy for SAML authentication in QMC and do the configuration on ADFS, and set the external LB IP to point to the proxy node. It works well in this situation.

Then we add another proxy node (let's name it Proxy B; the original proxy node we name Proxy A) to the Qlik Sense cluster. Now we have
1 x Central node
2 x Proxy node
1 x Scheduler node

We add Proxy B (we install the same cert as on Proxy A and apply the same thumbprint in this proxy node's setting in QMC) to the load balancing list (internal load balancing) under the virtual proxy we use above. Then we turn off the engine service on Proxy A and keep the engine service running on Proxy B (please note that the external LB IP still points to Proxy A). It still works well. So this result can prove that the internal load balancing is working. For sure, we also get a positive result when the engine service is running on both proxy nodes.

After we add Proxy B to the external LB IP list, we can get the error:
400 Bad Request
Contact your system administrator. The user cannot be authenticated or logged out by the SAML response through the following virtual proxy: SAML authentication with ADFS.
And we can see the link blocks at this step: https://<external LB IP>/adfs/samlauthn/

I'm not sure: if I add Proxy B to the SAML virtual proxy load balancing list in QMC, does the SP metadata need to be re-uploaded to ADFS?

For the failed cases, we assume that the SAML authentication request is generated by one of the proxy nodes, but the SAML response is redirected to another. As a result, the SAML verification fails.

Please share your opinion on our assumption. If this is the case, would you please advise a solution?

Besides, we spotted an attribute named "Load balancing module base URI" under the integration settings of the virtual proxy. Currently we leave it blank; we are not sure if there is any linkage with the current topic.

Sonja_Bauernfeind
Digital Support

Hello @jackykui 

For more in-depth and detailed assistance regarding this, I would recommend either posting about your requirements and challenges in the forums (Integration, Extensions, and APIs) or contacting our professional services for hands-on assistance.

All the best,
Sonja 
