Solved: Single Sign On with Qlik Sense - Qlik Community

dgoehler · ‎2014-10-27

Hello,

doesn't anyone know how Single Sign On (e.g. Microsoft Office 365) with the Qlik Sense Server works. I only found very vague information about that: e.g.: https://help.qlik.com/sense/en-US/online/#../Subsystems/Server_deployment_and_configuration/Content/...

or https://help.qlik.com/sense/en-US/developer/#../Subsystems/Qlik_Sense_Proxy_Service_API/Content/QPS ...

Best regards,

Daniel

Fredrik_Lautrup · ‎2014-10-29

So in the response from OAuth you get a link to information about the logged in user. When you request a ticket you send in the information that you want Qlik Sense to use. If the user does not exist in Sense it will be created for you.

So for example, if the user is MMN you could request a ticket for userID=MMN and UserDirectory=Outlook365 and that would result in a user being created.

An alternative is to use some sort of database in the backend to pre-populate the users User Directory Connector.

https://help.qlik.com/sense/en-US/online/#../Subsystems/Qlik_Management_Console_help/Content/QMC_Res...

A round certificates there is an example here

https://help.qlik.com/sense/en-us/developer/#../Subsystems/Qlik_Sense_Proxy_Service_API/Content/QPS ...

If running the authentication module on the same machine as the Proxy service you dont have to do anything. If you want to run on the authentication module on another machine you need to export certificates from the QMC and install on the machine you want to use.

http://https://help.qlik.com/sense/en-US/online/#../Subsystems/Qlik_Management_Console_help/Content/...

View solution in original post

Michael_Tarallo · ‎2014-10-28

Hello Daniel - I am investigating this for you and will have someone respond to your inquiry,

Regards,

Mike

Qlik

Regards,
Mike Tarallo
Qlik

Fredrik_Lautrup · ‎2014-10-29

Can you give us some more information on what you want to achive? Out of the box Qlik Sense support windows integrated authentication using NTLM or Kerberos. But we also supply a set of API's that can be used to extend authentication support to other identity providers.

dgoehler · ‎2014-10-29

For example I like to Single Sign On via an Office 365 Account (Overview of single sign-on for Office 365)

Fredrik_Lautrup · ‎2014-10-29

This is not supported out of the box.

But the solution to use Outlook365 accounts would be to implement an OAuth 2.0 authentication module that uses the Proxy APIs for tickets to exchange the users.

https://help.qlik.com/sense/en-us/developer/#../Subsystems/Qlik_Sense_Proxy_Service_API/Content/QPS ...

If you look at Branch there is an example of an authentication module

http://branch.qlik.com/projects/showthread.php?285-Access-Control-Test-Module

If you are familiar with NodeJS you could use a library such as Passport which supports OAuth2.

It also looks at this link that AZure has an Authentication library that could probably be used.

OAuth 2.0 in Azure AD

Regards

Fredrik

dgoehler · ‎2014-10-29

Hi Fredrik,

two questions regarding your Access Control Test Module:

1. How do I link a Office 365 Account against a Qlik Sense User Account?

2. In the function requestticket, they use a client certificate instead of windows integrated authentication (NTLM or Kerberos). Is there any documentation about that? I found nearly nothing about that. Or in other word: Where should I setup the client certificate on the QMC?

Best regards,

Daniel

Fredrik_Lautrup · ‎2014-10-29

So in the response from OAuth you get a link to information about the logged in user. When you request a ticket you send in the information that you want Qlik Sense to use. If the user does not exist in Sense it will be created for you.

So for example, if the user is MMN you could request a ticket for userID=MMN and UserDirectory=Outlook365 and that would result in a user being created.

An alternative is to use some sort of database in the backend to pre-populate the users User Directory Connector.

https://help.qlik.com/sense/en-US/online/#../Subsystems/Qlik_Management_Console_help/Content/QMC_Res...

A round certificates there is an example here

https://help.qlik.com/sense/en-us/developer/#../Subsystems/Qlik_Sense_Proxy_Service_API/Content/QPS ...

If running the authentication module on the same machine as the Proxy service you dont have to do anything. If you want to run on the authentication module on another machine you need to export certificates from the QMC and install on the machine you want to use.

http://https://help.qlik.com/sense/en-US/online/#../Subsystems/Qlik_Management_Console_help/Content/...

dgoehler · ‎2014-10-29

I also created a Visual Studio Console Project and with the code as descripted here.

Qlik Support help me, because there is an error in that example:

The Line

string body = "{'UserDirectory':'" + userdirectory + "', 'UserId':'" + user + "'}";

should be changed into that line:

string body = "{'UserDirectory':'" + userdirectory + "', 'UserId':'" + user + "', 'Attributes': []}";

So I can issue a ticket:

"UserDirectory":"PI-QLIKSENSE"

"UserId":"sense_demo01"

"Attributes":[]

"Ticket":"z2GJ7dH5SsQ4sj6p"

"TargetUri":null

But what to do with that regading Single Sign On? There is no OAuth Documentation in the Qlik Sense or Qlik Sense Developer Help.

Fredrik_Lautrup · ‎2014-10-31

God that you get to aquire a ticket.

So the flow now will be

1 configure a virtual proxy in the proxy that uses your authentication code

2 in your code use a library to authenticate your user using Oauth to outlook365.

3 if successful request a ticket for the user

4 redirect the user back to Qlik sense with the ticket

As you see how you authenticate is independent of Qlik sense so here you will need to look in Microsofts dokumentation.

Fredrik

dgoehler · ‎2014-10-31

How do I Redirect the user back to Qlik Sense with that ticket?