
Qlik Sense: "SAML assertion must be encrypted on an unsecured connection"

Damien_Villaret
Support


Last Update:

Jul 14, 2021 9:46:44 AM

Updated By:

Sonja_Bauernfeind

Created date:

Apr 1, 2020 4:36:37 AM

When using SAML authentication in Qlik Sense, error 400 appears in the browser, and the Qlik Sense proxy logs (Trace > Audit_Proxy) contain the error:

SAML assertion must be encrypted on an unsecured connection.

 

Environment:

 

The SAML assertion must be encrypted (this can be set up in the Identity Provider configuration) when running on an unsecured (HTTP) connection.

Please also note that "Signing" and "Encryption" are two different things in SAML.

Qlik Sense requires the SAML assertion to be encrypted on an HTTP connection.

This error also occurs when a reverse proxy sits in front of Qlik Sense and the connection between the reverse proxy and Qlik Sense uses HTTP instead of HTTPS. Qlik Sense then sees HTTP, even though from the end user's perspective HTTPS is used (between the end users and the reverse proxy).

To fix this, either encrypt the SAML assertion in the Identity Provider settings, or set up the reverse proxy to rewrite to HTTPS instead of HTTP.

No settings change is needed on the Qlik Sense side for this issue; everything is done on the Identity Provider side.

The certificate that needs to be used for the encryption is the one in the SP metadata.

The procedure may differ slightly depending on the Identity Provider used. For Azure, see the link below:

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption
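Because signing and encryption are easy to confuse, it helps to check what the Identity Provider is actually sending. The following is an added example, not part of the original article or of Qlik's tooling: it inspects a base64 `SAMLResponse` value (as posted by the browser in the HTTP-POST binding) and reports whether the assertion is encrypted, signed, or both. The function name and the sample responses are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
_P = 'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
_A = 'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'

# Constructed sample responses (not captured from a real IdP), trimmed to the
# elements that matter for this check.
SIGNED_ONLY = (
    f'<samlp:Response {_P} {_A}><saml:Assertion>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    '<saml:Subject/></saml:Assertion></samlp:Response>'
)
ENCRYPTED = (
    f'<samlp:Response {_P} {_A}><saml:EncryptedAssertion>'
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
    '</saml:EncryptedAssertion></samlp:Response>'
)


def inspect_saml_response(b64_response):
    """Classify a base64 SAMLResponse by structure only.

    Hypothetical helper: it does not verify signatures or decrypt anything.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    # A signature inside an encrypted assertion is not visible before decryption.
    signed = root.find("ds:Signature", NS) is not None or any(
        a.find("ds:Signature", NS) is not None for a in plain
    )
    return {
        "plain_assertions": len(plain),
        "encrypted_assertions": len(encrypted),
        "signature_visible": signed,
        # Encrypted only if every assertion is wrapped in EncryptedAssertion.
        "all_encrypted": bool(encrypted) and not plain,
    }


if __name__ == "__main__":
    for name, xml in (("signed only", SIGNED_ONLY), ("encrypted", ENCRYPTED)):
        print(name, inspect_saml_response(base64.b64encode(xml.encode())))
```

A response that reports `signature_visible` as true but `all_encrypted` as false is signed only, which is the case that produces the error above on an HTTP connection.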

 

 
