Qlik Sense: ADFS SAML authentication stopped working after changing certificate

After updating the certificate, ADFS SAML authentication stopped working.

Environment:

• Qlik Sense Enterprise on Windows 
• ADFS 3.0 and higher

First, it is important to note which certificate was updated to take appropriate actions.
 

Qlik Sense proxy certificate was changed

If the certificate used on the Qlik Sense Proxy service was updated (Imported in Windows and thumbprint changed in the Qlik Sense QMC), then the following actions need to be done:

• Update the Service Provider certificate in ADFS, the new certificate can be known by downloading the SP metadata from the virtual proxy in the QMC. This can be done by changing the certificate in the properties of the Relying party in ADFS or by recreating the Relying party from the SP metadata file.

In ADFS, the SP certificate is used to verify the signature on the SAML AuthnRequest and to encrypt the SAML Assertion in the SAML response.

 

ADFS certificate was changed

If the certificate in ADFS was changed:

• Generate the IdP metadata in ADFS and download it again
• Update the IdP metadata in the virtual proxy settings in the Qlik Sense QMC.

The IdP certificate is used by Qlik Sense to verify the signature on the SAML Assertion.