Hi Rob,
I hope you’re doing well.
My client purchased an enterprise license with 100 users.
We were on version 2 and upgraded to version 3.0.3 a few days ago. The API engine was used a lot on quite a few endpoints; after the upgrade our pipeline remained functional, almost nothing was wrong, and that’s great.
Sorry if this post looks like a duplicate of the one I created before, but quite a few details have changed, like the license, the version, etc.
We are on a Qlik Sense enterprise cluster (August 2023 version) with four servers: two front servers (consumer0 and consumer1) and two back servers (central and failover), exposed by a load balancer (ALB on AWS).
All our clients connect with a SAML virtual proxy, and all authorization is managed by SAML attributes (groups).
QSDA Pro worked very well for us, since we only used it with a technical account and we only used the API calls to create an automatic analysis pipeline for each deployment.
Now that my client has purchased an enterprise license with 100 users, the work in progress is opening the GUI to developers, and the solution that interests us is that developers need to be limited on QSDA Pro only to applications to which they have access on Qlik Sense, hence the interest of the QLIKLOGIN connector.
Our access URL (which corresponds to the fully qualified domain name) is staging.qls-nprd.cloud.xxxx.fr; it’s a DNS that goes through a load balancer (ALB on AWS).
For the moment, the connectors (certificate, QLIKLOGIN) only work with DNS that points directly to the machines (without load balancer), example: consumer0.staging.qls-nprd.cloud.xxxx.fr
When I started configuring the QLIKLOGIN connector (using the main DNS), I had error messages which said that the QLIKLOGIN connector could not reach the QLIK clusters. By reading the logs I understood that the API call made by the QLIKLOGIN goes through port 4747. We therefore opened all the network flows and added a listener on port 4747; since then we have had failed authentication…
On the QLIKLOGIN configuration, the main DNS does not work and therefore I cannot save the connector, so I tried to modify the ServerConnection.json file to force the modification of the host to staging.qls-nprd.cloud.xxx.fr/saml (saml is the virtual proxy header). When I did that, as a QSDA user on the GUI, when I use the QLIKLOGIN connector, it opened a SAML session on Qlik Sense and returned to QSDA, but it remained blocked on “connection to Qlik is in progress”… I saw that there is an intermediate URL that displays a “requestToken” before it returns to QSDA. Does it mean that it works only with a “ticket” virtual proxy?
My question is to know if QLIKLOGIN is compatible with a SAML virtual proxy?
Otherwise, to give developers graphical access only to their Qlik Sense application scope, is there another way to implement this?
The QLIKLOGIN works when used on a subdomain that points directly to the servers, but we cannot use it like that, because it opens NTLM sessions directly on the consumer nodes and doesn’t use our main SAML virtual proxy…
Maybe I need to ask support?
Sorry for this long topic.
-Youssef