Qlik Catalog May 2023 Single Node Installation Guide 26
# this will log out of Qlik Catalog and MS AAD
# replace <tenant-id> and <HOSTNAME> (and possibly 8443 and qdc)
logout.url=https://login.windows.net/<tenant-id>/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2F<HOSTNAME>%3A8443%2Fqdc%2Flogged-out
# replace <tenant-id> and <app-id>
saml.metadata.provider=https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>
Notes on core_env properties:
• property "saml.metadata.provider" is taken from MS AAD setup, "App Federation Metadata
Url"
• property "logout.url" was formerly "saml.logout.url" – it applies both to manually initiated
logout via the menu and to session timeout
• property "logout.url", when configured for login.windows.net, now supports
"post_logout_redirect_uri" to allow redirection from MS back to the Catalog logged-out page
• property "saml.entity.baseurl" is no longer set (May 2021 change)
• property "saml.keystore.path" is no longer set, and there is no longer a need to download the
Base64 Certificate and add it to samlKeystore.jks – in fact, samlKeystore.jks is no longer
present (May 2021 change)
• do NOT copy "Logout URL" from MS AAD into the core_env property "logout.url"
• there are only two valid choices for “logout.url”: /logged-out (log out of only Qlik Catalog) or
https://login.windows.net/<tenant-id>/oauth2/logout (log out of MS AAD and Qlik Catalog)
• IMPORTANT: when logging in to the UI, use URL "https://<HOSTNAME>:8443/qdc" and not
"https://<HOSTNAME>:8443/qdc/login"
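The Python script below is an added example, not part of the Qlik guide or Qlik's own tooling: it builds the percent-encoded logout.url shown above and checks core_env text against the notes in this section. The function names and the constructed sample values (tenant GUID, hostname, keystore path) are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote

REMOVED = ("saml.entity.baseurl", "saml.keystore.path")  # no longer set (May 2021 change)

def build_logout_url(tenant_id, hostname, port=8443, context="qdc"):
    """Build the MS AAD logout.url with the redirect target percent-encoded."""
    target = f"https://{hostname}:{port}/{context}/logged-out"
    return (f"https://login.windows.net/{tenant_id}/oauth2/logout"
            f"?post_logout_redirect_uri={quote(target, safe='')}")

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_core_env(text):
    """Return findings for the SAML-related core_env properties."""
    props, findings = parse_properties(text), []
    for key in REMOVED:
        if key in props:
            findings.append(f"{key} should no longer be set")
    for key in ("logout.url", "saml.metadata.provider"):
        if re.search(r"<[^>]+>", props.get(key, "")):
            findings.append(f"{key} still contains a <placeholder>")
    logout = props.get("logout.url")
    if logout is None or logout == "/logged-out":
        return findings
    url = urlsplit(logout)
    query = parse_qs(url.query)
    redirect = query.get("post_logout_redirect_uri", [""])[0]
    if ((url.scheme, url.netloc) != ("https", "login.windows.net")
            or not re.fullmatch(r"/[^/]+/oauth2/logout", url.path)):
        findings.append("logout.url is neither /logged-out nor the login.windows.net logout endpoint")
    elif url.query and (set(query) != {"post_logout_redirect_uri"}
                        or not re.fullmatch(r"https://[^/]+(/[^/]+)*/logged-out", redirect)):
        findings.append("post_logout_redirect_uri must point at the Catalog logged-out page")
    return findings

# Constructed sample: a stale keystore setting and a logout.url that is not one of the two valid forms.
SAMPLE = """saml.keystore.path=/tmp/example/samlKeystore.jks
logout.url=https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2
"""
```

Calling lint_core_env(SAMPLE) returns two findings; an empty list means the checked properties match the notes above.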
5.1.2 Enabling SAML using Okta
Instructions below are a reference with examples. Modifications will be required for client-specific
SAML authentication and client environment. In this example setup, Okta is used as the Identity
Provider (IdP) while Catalog is the Service Provider (SP).
1. Log in to your Okta organization as a user with administrative privileges. You can create a free
Okta Developer Edition organization with your own email
here: https://www.okta.com/developer/signup/.
2. Click on the blue Admin button on the top right corner.
3. Click on the Add Applications shortcut in the right panel.
4. Click on the green Create New App button.
5. In the dialog that opens, select the SAML 2.0 option, then click the green Create button.
6. In Step 1 General Settings, enter the application name (e.g., HostName SAML Application) in the App
name field, then click the green Next button.
7. In Step 2 Configure SAML, paste the URL below into the “Single Sign On URL” field – replace
<HOSTNAME> with the Qlik Catalog hostname:
https://<HOSTNAME>:8443/qdc
Then, paste the URL below into the “Audience URI (SP Entity ID)” [old] or “Audience Restriction”
[new] field:
https://<HOSTNAME>:8443/qdc/saml2/service-provider-metadata/catalog