When a user authenticates with SAML/JWT/Ticket, security rules based on the attributes from the SSO provider do not work and the attributes are not visible in the QMC under the User record.Environments:
- Qlik Sense Enterprise, all versions
When a user authenticates with SAML, a list of attributes will be given to Qlik Sense based on what is set up in the virtual proxy.
However, these User attribute(s) returned from the SSO provider are only kept for the user session
and are not stored/persisted in the Qlik Sense Repository Database
. Therefore, they do not appear in the QMC like attributes synchronized via a UDC connection (data which is
persisted to the database).
1. Reference the attributes via user.environment.[attribute name]
(not user.[attribute name]
2. View the exact attributes returned from the SSO provider by examining the logs:
a. Set the Proxy Audit Logs to the DEBUG level
b. After enabling debug logging, the (Trace/Audit) Proxy logs will reveal the extracted attribute(s). The default Proxy log location is in C:\ProgramData\Qlik\Sense\Log\Proxy. Example:Headers that will be injected:
[X-Qlik-Security, OS=Windows; Device=Default; Browser=Firefox 50.0; IP=fe80::f0bf:12cb:47cd:2086%14; ClientOsVersion=6.3; SecureRequest=true; Context=AppAccess; role=Domain+Users; role=group5; ] || [X-Qlik-User, UserDirectory=DOMAIN; UserId=user5] || [X-Qlik-ProxySession, b29118dd-4539-4742-ad65-fe307eb10b54] || [X-Qlik-ProxyId, ProxyId=38daa8e0-5330-4581-9f40-49d7418b858f; Prefix=adfs] || [X-Qlik-Trace, cf2e0117-ee82-4d26-bba8-b781fc4ef19e:::]