Online Help

SafeNet Trusted Access for Qlik Sense

Overview

The application template provides the ability to enable single sign-on for users accessing the Qlik Sense application through SafeNet Trusted Access.

The following use cases can be configured for Qlik Sense:

SP-initiated SSO

IdP-initiated SSO

Single Logout

Just-in-Time (JIT) provisioning

Configuring SafeNet Trusted Access for Qlik Sense is a three-step process:

1.Qlik Sense setup

2.SafeNet Trusted Access setup

3.Verify authentication

Qlik Sense Setup

As prerequisites,

Download the Identity Provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps below.

Copy the Qlik Sense Signing Certificate from the C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\Local Certificates\server.pem path.

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in Qlik Sense:

1.Log in to Qlik Sense as an administrator using the Qlik Sense login URL, https://<hostname>/qmc, where <hostname> is the machine name on which Qlik Sense is installed.

2.On the Qlik Sense Management Console, in the left pane, under CONFIGURE SYSTEM, click Virtual proxies.

3.Under Virtual proxies, at the bottom, click Create new.

4.On the Edit virtual proxy window, under IDENTIFICATION, perform the following steps:

a.In the Description field, enter safenet.

b.In Prefix field, enter safenet

c.In the Session cookie header name field, modify the existing value from X-Qlik-Session to X-Qlik-Session-safenet.

5.In the right pane, under properties, click Authentication.

6.Under AUTHENTICATION, perform the following steps:

a.In the Anonymous access mode field, ensure that No anonymous user selected.

b.In the Authentication method field, select SAML.

c.In the SAML single logout check box.

d.In the SAML host URI field, enter the hostname, https://<hostname>/ , where <hostname> is the machine name on which Qlik Sense is installed.

e.In the SAML entity ID field, enter Qlik_Sense.

f.Next to the SAML IdP metadata field, click Choose File to search and select the IdP metadata that you have downloaded form the SafeNet Trusted Access console.

g.In the SAML attribute for user ID field, enter emailaddress.

h.In the SAML attribute for user directory field, enter Qlik_Sense inside rectangular brackets (for example, [Qlik_Sense]).

i.In the SAML signing algorithm field, ensure that SHA-1 is selected.

7.In the right pane, click Load balancing.

8.Under LOAD BALANCING perform the following steps:

a.Under Server node, click Add new server node.

b. On the Add server nodes to load balance window, in the Name column, select default Central node, and click Add.

9.In the right pane, under properties, click Advanced.

10.Under ADVANCED > Host white list, perform the following steps:

a.Click Add new value.

b.In the field, enter the SAML host URI that you entered in step 6(d).

c.Click Apply.

d.Click OK to restart the proxy server.

11.In the right pane, under Associated items, click Proxies, and perform the following steps:

a.At the bottom, click Link.

b.The Select proxy services window is displayed. Under Node, click Central, and then click Link.

12.On the Qlik Sense Management Console, on the top left-hand side corner, click Virtual proxies.

13.Select your proxy (for example, safenet) that you created earlier in step 4(a) and click Download SP metadata. The Qlik Sense metadata will be automatically downloaded. Save it on your local machine. You will need this metadata while configuring Qlik Sense in STA.

14.In the left pane, at the top, click Start.

15.Under MANAGE RESOURCES, click License management.

16.In the right pane, under License management, select Professional access rules.

17.At the bottom, click Create new.

18.On the Edit professional access rule window, in the right pane, click BASIC.

19.Under Basic > Actions, perform the following steps:

a.For the user field, select userDirectory.

b.For the value field, enter the machine name, where you have deployed your Qlik Sense setup.

c.Click .

d.For the user field, select userDirectory.

e.For the value field, enter the Virtual proxy name (for example, safenet) that you created earlier in step 4(a).

f.Click Apply.

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in Qlik Sense, the second step is to activate the Qlik Sense application in SafeNet Trusted Access by performing the following steps:

1.In the Applications pane, the Qlik Sense application you added earlier is in the inactive state by default. To configure and activate this application, click the application (for example, Qlik Sense) and proceed to the next step.

2.Under STA Setup, perform the following steps:

a.Complete the following fields using the Qlik Sense metadata that you downloaded earlier in step 13 of Qlik Sense Setup:

Field Value to be Set
ENTITY ID Enter the entityID that exists in the EntityDescriptor tag.

For example,
<md:EntityDescriptor entityID="Qlik_Sense" ID="_ac2fe696-b1d2-4d2b-9444-e2130690ac69" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
SINGLE LOGOUT SERVICE URL Enter the Location URL that exists in the SingleLogoutService tag.

For example,
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<hostname>:443/<virtual_proxy>/samlauthn/slo/" />
ASSERTION CONSUMER SERVICE URL Enter the Location URL that exists in the AssertionConsumerService tag.

For example,
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<hostname>:443/<virtual_proxy>/samlauthn/" index="2" />

b.Under SAML Certificates, under Encryption Certificate, click Upload Certificate to upload the Qlik Sense Signing certificate that you saved earlier in Qlik Sense Setup.

c.Under User Login ID Mapping, in the NAME ID field, ensure that Email address is selected.

3.Click Save Configuration to save the details and activate the Qlik Sense application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to Qlik Sense login URL, https://<hostname>/<virtual_proxy>/hub.

You will be redirected to your SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Qlik Sense hub after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Qlik Sense application icon. You should be successfully logged in to the Qlik Sense hub after authentication.

 

© 2019 SafeNet Trusted Access. Various trademarks are held by their respective owners.