Tutorial: Azure Active Directory integration with Qlik Sense Enterprise
In this tutorial, you learn how to integrate Qlik Sense Enterprise with Azure Active Directory (Azure AD).
Integrating Qlik Sense Enterprise with Azure AD provides you with the following benefits:
- You can control in Azure AD who has access to Qlik Sense Enterprise.
- You can enable your users to automatically get signed-on to Qlik Sense Enterprise (Single Sign-On) with their Azure AD accounts.
- You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure Active Directory.
To configure Azure AD integration with Qlik Sense Enterprise, you need the following items:
- An Azure AD subscription
- A Qlik Sense Enterprise single sign-on enabled subscription
To test the steps in this tutorial, you should follow these recommendations:
- Do not use your production environment, unless it is necessary.
- If you don't have an Azure AD trial environment, you can get a one-month trial here: Trial offer.
In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial consists of two main building blocks:
- Adding Qlik Sense Enterprise from the gallery
- Configuring and testing Azure AD single sign-on
Adding Qlik Sense Enterprise from the gallery
To configure the integration of Qlik Sense Enterprise into Azure AD, you need to add Qlik Sense Enterprise from the gallery to your list of managed SaaS apps.
To add Qlik Sense Enterprise from the gallery, perform the following steps:
In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
Navigate to Enterprise applications. Then go to All applications.
To add a new application, click the New application button at the top of the dialog.
In the search box, type Qlik Sense Enterprise, select Qlik Sense Enterprise from the result panel, and then click the Add button to add the application.
Configure and test Azure AD single sign-on
In this section, you configure and test Azure AD single sign-on with Qlik Sense Enterprise based on a test user called "Britta Simon".
For single sign-on to work, Azure AD needs to know what the counterpart user in Qlik Sense Enterprise is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Qlik Sense Enterprise needs to be established.
In Qlik Sense Enterprise, assign the value of the user name in Azure AD as the value of the Username to establish the link relationship.
To configure and test Azure AD single sign-on with Qlik Sense Enterprise, you need to complete the following building blocks:
- Configure Azure AD Single Sign-On - to enable your users to use this feature.
- Create an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
- Create a Qlik Sense Enterprise test user - to have a counterpart of Britta Simon in Qlik Sense Enterprise that is linked to the Azure AD representation of the user.
- Assign the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
- Test single sign-on - to verify whether the configuration works.
Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Qlik Sense Enterprise application.
To configure Azure AD single sign-on with Qlik Sense Enterprise, perform the following steps:
In the Azure portal, on the Qlik Sense Enterprise application integration page, click Single sign-on.
On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
On the Qlik Sense Enterprise Domain and URLs section, perform the following steps:
a. In the Sign-on URL textbox, type a URL using the following pattern:
https://<Qlik Sense Fully Qualified Hostname>:443//samlauthn/
Note the trailing slash at the end of this URI. It is required.
b. In the Identifier textbox, type a URL using the following pattern:
https://<Qlik Sense Fully Qualified Hostname>.qlikpoc.com
https://<Qlik Sense Fully Qualified Hostname>.qliksense.com
These values are not real. Update these values with the actual Sign-On URL and Identifier, which are explained later in this tutorial, or contact the Qlik Sense Enterprise Client support team to get these values.
On the SAML Signing Certificate section, click Metadata XML and then save the metadata file on your computer.
Click the Save button.
Prepare the Federation Metadata XML file so that you can upload it to the Qlik Sense server.
Before uploading the IdP metadata to the Qlik Sense server, the file needs to be edited to remove information to ensure proper operation between Azure AD and the Qlik Sense server.
a. In a text editor, open the FederationMetaData.xml file that you downloaded from the Azure portal.
b. Search for the value RoleDescriptor. There are four entries (two pairs of opening and closing element tags).
c. Delete the RoleDescriptor tags and all information in between from the file.
d. Save the file and keep it nearby for use later in this document.
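Steps a to d can be scripted so the edit is repeatable. The following is an added example, not part of the original tutorial or of any Qlik or Microsoft tooling: it removes the RoleDescriptor elements and lets you confirm that the IdP signing-certificate fingerprints are unchanged by the edit. The sample metadata, its certificate bytes and the function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", MD)  # keep the metadata namespace as the default on output
ET.register_namespace("ds", DS)

# Constructed stand-in for FederationMetaData.xml: the entity ID and
# certificate bytes below are made up for this example.
CERT_B64 = base64.b64encode(b"constructed-cert").decode()
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example/">
  <Signature xmlns="{DS}"/>
  <RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>{CERT_B64}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def signing_fingerprints(xml_text):
    """SHA-256 fingerprints of the IdP signing certificates in the metadata."""
    root = ET.fromstring(xml_text)
    prints = set()
    for key in root.findall(f"{{{MD}}}IDPSSODescriptor/{{{MD}}}KeyDescriptor"):
        if key.get("use", "signing") != "signing":  # no "use" means signing too
            continue
        for cert in key.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return prints


def strip_role_descriptors(xml_text):
    """Return (edited_xml, removed_count, was_signed) for step c above."""
    root = ET.fromstring(xml_text)
    # An enveloped signature covers the whole document, so it stops matching
    # as soon as elements are removed; record that the input carried one.
    was_signed = root.find(f"{{{DS}}}Signature") is not None
    removed = root.findall(f"{{{MD}}}RoleDescriptor")
    for element in removed:
        root.remove(element)
    return ET.tostring(root, encoding="unicode"), len(removed), was_signed
```

Compare `signing_fingerprints()` of the downloaded and the edited file before uploading; when `was_signed` is true, the edited file can no longer be checked against its own signature, so its integrity depends on how it is stored and transferred.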
Navigate to the Qlik Sense Qlik Management Console (QMC) as a user who can create virtual proxy configurations.
In the QMC, click on the Virtual Proxies menu item.
At the bottom of the screen, click the Create new button.
The Virtual proxy edit screen appears. On the right side of the screen is a menu for making configuration options visible.
With the Identification menu option checked, enter the identifying information for the Azure virtual proxy configuration.
a. The Description field is a friendly name for the virtual proxy configuration. Enter a value for a description.
b. The Prefix field identifies the virtual proxy endpoint for connecting to Qlik Sense with Azure AD Single Sign-On. Enter a unique prefix name for this virtual proxy.
c. Session inactivity timeout (minutes) is the timeout for connections through this virtual proxy.
d. The Session cookie header name is the cookie name storing the session identifier for the Qlik Sense session a user receives after successful authentication. This name must be unique.
Click on the Authentication menu option to make it visible. The Authentication screen appears.
a. The Anonymous access mode drop down determines if anonymous users may access Qlik Sense through the virtual proxy. The default option is No anonymous user.
b. The Authentication method drop-down determines the authentication scheme the virtual proxy will use. Select SAML from the drop-down list. More options appear as a result.
c. In the SAML host URI field, input the hostname users enter to access Qlik Sense through this SAML virtual proxy. The hostname is the URI of the Qlik Sense server.
d. In the SAML entity ID, enter the same value entered for the SAML host URI field.
e. The SAML IdP metadata is the file edited earlier in the Edit Federation Metadata from Azure AD Configuration section. Before uploading the IdP metadata, the file needs to be edited to remove information to ensure proper operation between Azure AD and the Qlik Sense server. Refer to the instructions above if the file has yet to be edited. If the file has been edited, click the Browse button and select the edited metadata file to upload it to the virtual proxy configuration.
f. Enter the attribute name or schema reference for the SAML attribute representing the UserID Azure AD sends to the Qlik Sense server. Schema reference information is available in the Azure app screens post configuration. To use the name attribute, enter
g. Enter the value for the user directory that will be attached to users when they authenticate to Qlik Sense server through Azure AD. Hardcoded values must be surrounded by square brackets. To use an attribute sent in the Azure AD SAML assertion, enter the name of the attribute in this text box without square brackets.
h. The SAML signing algorithm sets the service provider (in this case Qlik Sense server) certificate signing for the virtual proxy configuration. If Qlik Sense server uses a trusted certificate generated using Microsoft Enhanced RSA and AES Cryptographic Provider, change the SAML signing algorithm to SHA-256.
i. The SAML attribute mapping section allows for additional attributes like groups to be sent to Qlik Sense for use in security rules.
Click on the LOAD BALANCING menu option to make it visible. The Load Balancing screen appears.
Click on the Add new server node button, select the engine node or nodes that Qlik Sense will send sessions to for load balancing purposes, and click the Add button.
Click on the Advanced menu option to make it visible. The Advanced screen appears.
The Host white list identifies hostnames that are accepted when connecting to the Qlik Sense server. Enter the hostname users will specify when connecting to Qlik Sense server. The hostname is the same value as the SAML host URI without the https://.
Click the Apply button.
Click OK to accept the warning message that states proxies linked to the virtual proxy will be restarted.
On the right side of the screen, the Associated items menu appears. Click on the Proxies menu option.
The proxy screen appears. Click the Link button at the bottom to link a proxy to the virtual proxy.
Select the proxy node that will support this virtual proxy connection and click the Link button. After linking, the proxy will be listed under associated proxies.
After about five to ten seconds, the Refresh QMC message will appear. Click the Refresh QMC button.
When the QMC refreshes, click on the Virtual proxies menu item. The new SAML virtual proxy entry is listed in the table on the screen. Single click on the virtual proxy entry.
At the bottom of the screen, the Download SP metadata button will activate. Click the Download SP metadata button to save the metadata to a file.
Open the SP metadata file. Observe the entityID entry and the AssertionConsumerService entry. These values are equivalent to the Identifier and the Sign-on URL in the Azure AD application configuration. Paste these values into the Qlik Sense Enterprise Domain and URLs section in the Azure AD application configuration; if the values there do not match, replace them in the Azure AD App configuration wizard.
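The comparison in the last step can be automated. This is an added example, not part of the original tutorial: it reads the downloaded SP metadata and reports where the entityID and AssertionConsumerService differ from the Identifier, Sign-on URL and Host white list entered by hand. The sample metadata, the hostname qlik.example.com and the "azure" prefix are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata: the hostname and the "azure" prefix are made up.
SP_SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://qlik.example.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://qlik.example.com:443/azure/samlauthn/"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(sp_xml, identifier, sign_on_url, host_white_list):
    """List mismatches between the SP metadata and the values entered by hand."""
    root = ET.fromstring(sp_xml)
    entity_id = root.get("entityID", "")
    acs_urls = [e.get("Location", "")
                for e in root.iter(f"{{{MD}}}AssertionConsumerService")]
    problems = []
    # Compare as exact strings: a missing slash or port is a different value.
    if identifier != entity_id:
        problems.append(f"Identifier {identifier!r} differs from entityID {entity_id!r}")
    if sign_on_url not in acs_urls:
        problems.append(f"Sign-on URL {sign_on_url!r} is not an AssertionConsumerService")
    for url in acs_urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{url!r} is not an https URL")
        if not parts.path.endswith("/samlauthn/"):
            problems.append(f"{url!r} does not end in /samlauthn/ with the trailing slash")
        if parts.hostname not in host_white_list:
            problems.append(f"host {parts.hostname!r} is not in the Host white list")
    return problems
```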
You can now read a concise version of these instructions inside the Azure portal, while you are setting up the app! After adding this app from the Active Directory > Enterprise Applications section, simply click the Single Sign-On tab and access the embedded documentation through the Configuration section at the bottom. You can read more about the embedded documentation feature here: Azure AD embedded documentation
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
To create a test user in Azure AD, perform the following steps:
In the Azure portal, in the left pane, click the Azure Active Directory button.
To display the list of users, go to Users and groups, and then click All users.
To open the User dialog box, click Add at the top of the All Users dialog box.
In the User dialog box, perform the following steps:
a. In the Name box, type BrittaSimon.
b. In the User name box, type the email address of user Britta Simon.
c. Select the Show Password check box, and then write down the value that's displayed in the Password box.
d. Click Create.
Create a Qlik Sense Enterprise test user
In this section, you create a user called Britta Simon in Qlik Sense Enterprise. Work with the Qlik Sense Enterprise Client support team to add the users in the Qlik Sense Enterprise platform. Users must be created and activated before you use single sign-on.
Assign the Azure AD test user
In this section, you enable Britta Simon to use Azure single sign-on by granting access to Qlik Sense Enterprise.
To assign Britta Simon to Qlik Sense Enterprise, perform the following steps:
In the Azure portal, open the applications view, navigate to the directory view, go to Enterprise applications, and then click All applications.
In the applications list, select Qlik Sense Enterprise.
In the menu on the left, click Users and groups.
Click the Add button. Then select Users and groups on the Add Assignment dialog.
On the Users and groups dialog, select Britta Simon in the Users list.
Click the Select button on the Users and groups dialog.
Click the Assign button on the Add Assignment dialog.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Qlik Sense Enterprise tile in the Access Panel, you should get automatically signed-on to your Qlik Sense Enterprise application.