SAML Proof of concept – Part 1

by | Feb 23, 2016

The minimal proof of concept for any SAML solution is to secure two different websites with SAML. For this I decided to secure an off-the-shelf SAML-ready product we had already installed (Qlik Sense) and a simple bespoke application running on Apache. This blog covers the first part: installing a Gluu Server on AWS and setting up SAML with Qlik Sense.

Prerequisites for this are:

  • Qlik Sense has been installed. Instructions as to how to do this can be found here.
  • An Ubuntu server is available to install Gluu Server on. I used a t2.medium EC2 instance running Ubuntu on AWS for this purpose. I did try to use AWS Linux for this and the Apache server but found that the Shibboleth component isn't tested against AWS Linux and would require a manual build.

Installing Gluu:

You can follow the official instructions here. If you are doing this properly you should be using fully qualified host names for all servers and not IP addresses as I have done for the POC. The hostname you give setup.py ends up in the server certificate and in the IdP's entity ID and endpoint URLs in its metadata, so changing it later means regenerating and re-exchanging metadata with every SP.
The steps I used are below. SSH to the server, then run the following commands. All Linux commands assume you are running as root.
sudo su
apt-get upgrade
echo "deb https://repo.gluu.org/ubuntu/ trusty main" > /etc/apt/sources.list.d/gluu-repo.list
curl https://repo.gluu.org/ubuntu/gluu-apt.key | apt-key add -
apt-get update
apt-get install gluu-server-2.4.1
service gluu-server-2.4.1 start
service gluu-server-2.4.1 login   # enters the Gluu chroot; the remaining commands run inside it
cd /install/community-edition-setup/
./setup.py
The following are the example values you could use for the setup.py script. Where I've left a value blank, just press enter to accept the default.
Enter IP Address [10.0.101.8] : 10.0.101.8 (This must be the private IP address if deploying into AWS)
Enter hostname [localhost] :  52.62.46.159 (Use public facing IP address if you do not have a domain name for the server) 
Enter your city or locality : Wellington
Enter your state or province two letter code : NA
Enter two letter Country Code : NZ
Enter Organization Name : OptimalBI
Enter email address for support at your organization : ben.lee@optimalbi.com
Enter maximum RAM for tomcat in MB [1536] :
Optional: enter password for oxTrust and LDAP superuser [XXXXXXXXXX] :
Install oxAuth OAuth2 Authorization Server? [Yes] :
Install oxTrust Admin UI? [Yes] :
Install Gluu OpenDJ LDAP Server? [Yes] :
Install Apache HTTPD Server [Yes] :
Install Shibboleth 2 SAML IDP? [No] : Yes
Install Asimba SAML Proxy? [No] :
Install CAS? [No] :
Install oxAuth RP? [No] :
The script will take a while to run. I’ve not timed it, but it’s more than 10 minutes.
Once complete, the script will print the server URL to log into, in my case https://52.62.46.159. Log in with the user/password admin/XXXXXXXXXX (the password is the one set for oxTrust).

Setup Qlik Integration:

Official instructions are here if you're interested.
Configuring the virtual proxy:

  1. Select Virtual proxies on the Qlik management console (QMC) start page.
  2. Click Create new. You cannot add a virtual proxy to more than one proxy at a time.
  3. Edit the properties on the Virtual proxy edit page.

Under identification set the values to the following
Description: SAMLTest
Prefix: SAML
Session inactivity timeout (minutes): 30
Session cookie header name: X-Qlik-SAML-Session
Under Authentication set the values to the following
Anonymous access mode: No anonymous user
Authentication method: SAML
SAML host URI: https://52.62.46.160 (This should be the domain name/IP address of your Qlik server)
SAML entity ID: GLUU
SAML metadata: This is the file you can find at https://<IdP Server>/idp/shibboleth e.g. https://52.62.46.159/idp/shibboleth
SAML attribute for user ID: uid
SAML attribute for user directory: [WIN-8EJD3FANIMH] (If you set this to an existing Qlik user directory, matching users from Gluu will be mapped onto the existing Qlik users)
SAML attribute mapping:
Under Load Balancing
Add a new server node and pick an available one
Under Advanced set the values to the following
Websocket origin white list: Same as what was entered for the default virtual proxy
Click Apply, then click Apply in the action bar to save your changes.
Next, link the virtual proxy:

  1. To the right on the Virtual proxy edit page, under Associated items, click Proxies.
  2. In the action bar, click Link.
  3. Select the node to link to and click Link.
  4. Restart the QMC.
  5. Open the virtual proxy overview page and select the proxy whose metadata that you want to download.
  6. Click Download metadata. Save the file, as this is needed on the Gluu Server.

 
In Gluu Server, create a trust relationship by performing the following steps in the web console.
Under SAML, select Add Trust Relationship.
Then use the following settings:
Display Name: Qlik
Description: Qlik Sense
Metadata Type: File
Sp Metadata File: Browse and upload the file saved when you downloaded the metadata file from Qlik
SP Logout URL:
Configure specific RelyingParty:
Enable InCommon R&S:

Released: Username
Click Add
[Screenshot: Gluu add trust relationship for Qlik]

Testing:

Create a user in Gluu whose username matches a Qlik user that has been allocated a user access token. If it does not, you will get the following error.
[Screenshot: Qlik token error]
Access Qlik Sense using the virtual proxy prefix. In this case we set it to SAML, so the full URL has the format https://<QLIK IP>/SAML/
This redirects you to the Gluu login screen and then sends you back to Qlik after a successful authentication.
[Screenshot: Gluu login]
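When the round trip fails, the quickest diagnostic is to take the SAMLResponse form field the browser posts back to the virtual proxy, decode it, and look at it. The script below is an added example (not from the original post, and not Qlik or Gluu code) that does the SP-side checks which need no key material: Status, Destination against the ACS URL, InResponseTo, the Conditions validity window, the Audience against the SP entity ID, the SubjectConfirmationData Recipient, and finally the attribute the virtual proxy maps to the user ID (uid above). It only reports whether an XML signature is present; verifying it needs an XML-DSig library and the IdP certificate from the metadata, and in this setup that is the proxy's job, so this is a diagnostic, not a replacement for the proxy's own checks. The Response is a constructed sample; hosts, IDs, timestamps, the ACS path /SAML/samlauthn/ and the signature element are placeholders.

```python
"""Decode and inspect a SAMLResponse as posted back to the Qlik virtual proxy.

The Response below is a constructed sample; hosts, IDs, times, the ACS path
and the signature element are placeholders. Signature is NOT verified here.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2016-02-23T02:00:00Z" InResponseTo="_q1"
    Destination="https://52.62.46.160/SAML/samlauthn/">
  <saml:Issuer>https://52.62.46.159/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-02-23T02:00:00Z">
    <saml:Issuer>https://52.62.46.159/idp/shibboleth</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_n1</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2016-02-23T02:05:00Z" InResponseTo="_q1"
            Recipient="https://52.62.46.160/SAML/samlauthn/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-02-23T01:59:30Z" NotOnOrAfter="2016-02-23T02:05:00Z">
      <saml:AudienceRestriction><saml:Audience>GLUU</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>ben</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser's form POST carries in the SAMLResponse field.
SAML_RESPONSE_B64 = base64.b64encode(RESPONSE_XML.encode()).decode()
EXPECTED_ACS = "https://52.62.46.160/SAML/samlauthn/"   # assumed ACS path
SP_ENTITY_ID = "GLUU"                                    # the QMC 'SAML entity ID'
SAMPLE_NOW = datetime(2016, 2, 23, 2, 1, tzinfo=timezone.utc)    # inside the window
SAMPLE_LATER = datetime(2016, 2, 23, 2, 10, tzinfo=timezone.utc)  # after NotOnOrAfter


def _ts(value: str) -> datetime:
    """SAML dateTime (UTC 'Z', optional fractional seconds) -> aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_saml_response(b64_response: str, expected_audience: str, expected_acs: str,
                          now: datetime, expected_request_id: str = None) -> dict:
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append("Status is not Success")
    if root.get("Destination") != expected_acs:
        findings.append(f"Destination {root.get('Destination')!r} != ACS {expected_acs!r}")
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        findings.append("InResponseTo does not match the AuthnRequest we issued")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append(f"{len(assertions)} plaintext assertions (EncryptedAssertion not handled here)")
        return {"findings": findings}
    a = assertions[0]
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        findings.append("no ds:Signature on Assertion or Response")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            findings.append("Conditions NotBefore is in the future (clock skew?)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            findings.append("Conditions NotOnOrAfter has passed")
        audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            findings.append(f"Audience {audiences} does not include SP entityID {expected_audience!r}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, expected_acs):
            findings.append("SubjectConfirmationData Recipient is not our ACS")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
            findings.append("SubjectConfirmationData NotOnOrAfter has passed")
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "issuer": a.findtext("saml:Issuer", namespaces=NS),
        "name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attrs,
        "findings": findings,
    }


if __name__ == "__main__":
    result = inspect_saml_response(SAML_RESPONSE_B64, SP_ENTITY_ID, EXPECTED_ACS, SAMPLE_NOW, "_q1")
    print("user id attribute:", result["attributes"].get("uid"))
    for line in result["findings"] or ["no findings"]:
        print("-", line)
```

With a real capture, paste the SAMLResponse field value into SAML_RESPONSE_B64 and set now to the capture time. An empty findings list plus a populated uid attribute is what the virtual proxy needs before it can look the user up in the directory named under "SAML attribute for user directory"; an Audience mismatch here is the symptom of typing a different "SAML entity ID" in the QMC from the entityID in the metadata Gluu holds.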
Job done.
[Screenshot: Qlik success]
All the code, all the fun – Ben
Ben writes blogs about the technical side of BI the code, all the code and not much other than the code.
You can read SAML Proof of concept – Part 2 or all of Ben’s blogs here.

3 Comments
  1. Swapnil Kulkarni

    Hi Optimal BI / Ben,
    I am trying to implement the above scenario on our local environment where I have a QlikSense Server and Gluu server created as per the above instructions.
    When I open the https:///SAML/ URL in the browser I am getting the error below
    ———————————————————————————————————————————————————————
    ERROR
    An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.
    This service requires cookies. Please ensure cookies are enabled in your browser, then go back to your desired resource and try to login again.
    Use of your browser’s back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again.
    If you think you were sent here in error, please contact technical support
    Error Message: Message did not meet security requirements
    ———————————————————————————————————————————————————————
    Please let me know what could be the reason behind this.

    Reply
  2. Ben Lee

    Hi Swapnil,
    It's exactly as the error states. Shibboleth uses session cookies to hold SAML session information. You cannot use a browser that has cookies disabled if you wish to use this implementation of SAML. Change your browser settings to allow cookies if you want to see if your configuration is working.
    Regards,
    Ben

    Reply
  3. Frank Vogler

    Hi Ben Lee,
    I successfully set up a Gluu Server. But communication between Qlik and Gluu doesn't work. I get: The application you have accessed is not registered for use with this service. On both sides I uploaded the metadata file and whitelisted all IPs.
    What lies behind config specific relying party?
    What log Files are important to look at?

    Reply
