idea Re: Temporary access pass for QSD authentication in Suggest an Idea

Temporary access pass for QSD authentication

stamos2000 — Wed, 25 Nov 2020 08:56:29 GMT

Starting 1st of July 2020 Qlik Sense Desktop (QSD) can only be used if authenticated against Qlik Sense Enterprise (QSE) server with user access.

In our organization, the QSE installation is inside the internal network and, because of network policy, it cannot be exposed to public.

Thus, QSD cannot be used outside our network, whereas, we are expressly interested in using it outside our network!

Please note that the use cases in which we can benefit of Qlik Sense Desktop instead of the corporate client-server Qlik are indeed “outside office” situations where the connection to our corporate VPN is difficult or inconvenient.

Sometimes, further than “outside office” we have even “off-line” situations (while travelling, or in countries or contexts without sufficient band, etc..) so that we may just count on a minimal internet availability to authenticate at the beginning.

We are indeed strongly convinced that the new policy of allowing QSD for Qlik Customers makes sense exactly in these kind of situations.

Idea: A functionality for generating an offline "token" or "access pass" valid for 1 week on your Qlik Sense Enterprise server and then use this signed token as a way of authentication for QSD without actually having to connect to the Enterprise server. We can say that this is useful for people using QSD in airplanes or with devices that are not able to establish a connection to internal servers of the organisation.

Re: Temporary access pass for QSD authentication

cjgorrin — Fri, 03 Jul 2020 13:13:38 GMT

Indeed, authenticating against an internal server is a bad idea. In the past, authenticating against cloud.qlik.com was OK, because you only needed Internet. Now you need a VPN, exposing your corporate in-house server to Internet, etc.

I would highly recommend eliminating the need for communication between Qlik Sense Desktop and the Qlik Sense Enterprise server.

A token is a great compromise (no need for connection between servers, works offline, dies after a while) and honestly, you are already paying a very expensive licence for the in-house server. I don't think Qlik should make things so difficult so people in an organisation cannot benefit from the licences they already have.

I support this initiative 100%.

Re: Temporary access pass for QSD authentication

John_Teichman — Mon, 06 Jul 2020 05:17:37 GMT

Hello @stamos2000,

Thanks for your idea. Going forward, please use one, and only one, label per post. Please refer to the submission guidelines for more details.

Re: Temporary access pass for QSD authentication

rzenere_avvale — Wed, 08 Jul 2020 08:30:38 GMT

To be honest, as per your requirements I think this behaviour is already working.

Please refer to this KB article: https://support.qlik.com/articles/000097399

Before you can start using Qlik Sense Desktop, you need to authenticate yourself either with your Qlik Account or against a Qlik Sense Enterprise server. You need to have a working network connection to enable authentication.
After you have been authenticated once, internet access is not required to continue using Qlik Sense Desktop. However, you have to re-authenticate yourself if ten days have passed since you last authenticated, if you have logged out, or if your administrator has revoked your user access for Qlik Sense Enterprise server. If you are using SAML authentication and close the browser, the session ends and the cookie is deleted so you must re-authenticate yourself to start a new session.

I tried with QS Desktop June 2020 Patch 1 and for me this is still the working behaviour.
Anyway, I recall that in previous releases if you were connected to the same network as your QS Enterprise, authentication would be required again (even if you authenticated against QS Enterprise a few minutes ago).

In case you're working with QS SaaS (Enterprise/Business) or with the Mobile apps (Android/iOS/...), then you'll need to authenticate yourself each time as far as I know.

I hope this helps,
Riccardo

Re: Temporary access pass for QSD authentication

cjgorrin — Wed, 29 Jul 2020 13:49:27 GMT

Dear @rzenere_avvale,

What is being asked here is to be able to authenticate using a TOKEN generated in the Qlik Sense Enterprise server WITHOUT needing Qlik Sense Desktop (QDS) to connecto to the server. The current scheme requires connection between QSD and Qlik Sense Enterprise (QSE).

E.g: I go to my enterprise server, click on a button and generate a token (a big string representing a signed token valid for 1 week) that I can then copy and paste into Qlik Sense Desktop. No connection needed between the QSD machine and the QSE server.

This way, employees from companies that don't allow installing QSD on corporate computers could use QSD in their personal machines, for work purposes (because these organisations also don't allow you to connect to the internal network from a non-corporate computer). Also, some organisations work with very sensitive data and computers must be disconnected from any kind of network while dealing with such data. In this case, QSD would be ideal but then also the current authentication based on links and connections to QSE would not work.

We are already paying for the licence, which is not cheap. Would it really be so difficult to implement an alternative authentication mechanism?

I hope this clarifies a bit what is being asked.

Regards,

Celso.

Re: Temporary access pass for QSD authentication

qlikerman — Thu, 06 Aug 2020 09:20:57 GMT

I think what is asked here also applies to a significant percentage of users that use qlik sense desktop and whose company/organization for whatever reason does not / cannot expose their qlik sense server in the internet.

All these users are now left out of having the advantage to use qsd since they cannot authenticate. The token method suggested in the original post can provide a solution to the problem and sounds like the most appropriate fit as it would satisfy all of the following:

practicality
ease of implementation
security
keeping qlik sense customer and user base "happy"

Re: Temporary access pass for QSD authentication

cjgorrin — Thu, 06 Aug 2020 09:34:05 GMT

Dear @qlikerman, this is exactly our case. We have a QAP exposed to the Internet but not the Qlik Enterprise server.

All of us were left hanging by Qlik and I think there should be a solution for it. The signed token seemed to me like a good idea because it eliminates the need for connection between QSD and QSE server.

Thank you for supporting this initiative. Don't forget to "Like" it.

Re: Temporary access pass for QSD authentication

cjgorrin — Fri, 21 Aug 2020 12:39:55 GMT

BTW, what we are asking is exactly the same approach Qlik is using to provide Qlik Sense Desktop to developers (Qlik Branch) using an "unlock file". We would like to be able to generate "unlock files" with our Qlik Sense Enterprise server so they are valid for a limited period of time, without requiring any connection to the server.

Re: Temporary access pass for QSD authentication

morenoju — Thu, 22 Oct 2020 18:49:08 GMT

This idea is really good. Looking forward to it.

Re: Temporary access pass for QSD authentication - Status changed to: Delivered

Caique_Zaniolo — Thu, 22 Oct 2020 18:59:23 GMT

Authentications on Qlik Sense Desktop can be used for 30 days in offline mode

Re: Temporary access pass for QSD authentication

morenoju — Thu, 22 Oct 2020 19:02:48 GMT

Hi @Caique_Zaniolo I may have understood the feature differently then. I thought this was meant for those Qlik Sense Enterpises behind a firewall or VPN where the Qlik Sense Desktop can't reach (not even once).

I see the status marked as delivered. @cjgorrin were you referring to make the authentications last longer or eliminating the need to reach the QSE completely?

Thanks!

Re: Temporary access pass for QSD authentication

cjgorrin — Thu, 22 Oct 2020 22:14:45 GMT

Dear @morenoju and @Caique_Zaniolo,

What I am asking here is to be able to generate an unlock file, just like the one you can get at the branch, but linked to your corporate licence. You log into your Qlik server, you click a button and download an unlock file or some sort of token valid for a period of time.

Our Qlik server is unreachable from outside and that will not change. I'm not able to validate using the authentication link even once. That's why I'm asking for a solution that works without any need of connection to the server.

So, to summarize, no. What I requested hasn't been "delivered". I would like to kindly ask you to reopen the petition.

Thanks and regards.

Re: Temporary access pass for QSD authentication

morenoju — Fri, 23 Oct 2020 12:20:50 GMT

@cjgorrin , what you described is exactly the situation I have: my Qlik server is unreachable from outside and that can't be changed.

So far, I've bypassed this problem by downloading temporary unlock files form Qlik Branch, however depending on it is not ideal. Especially when have several Qlik Server instances we could be using to authenticate.

How can we reopen the petition?

Re: Temporary access pass for QSD authentication

cjgorrin — Fri, 13 Nov 2020 12:07:05 GMT

Dear @Caique_Zaniolo,

Could you please read the latest comments and reopen the idea?

Thanks!

Re: Temporary access pass for QSD authentication

Caique_Zaniolo — Wed, 09 Dec 2020 22:35:21 GMT

Hi @cjgorrin and @morenoju

We understand that the network configuration of your server is not ideal for the authentication of the Qlik Sense Desktop. Currently, we don't have plans to generate an alternative form of unlocking QSD, other than the existing ones you already mentioned.

Re: Temporary access pass for QSD authentication

morenoju — Tue, 15 Dec 2020 20:01:36 GMT

Hi @Caique_Zaniolo , it's a pity that there are no plans to address this at this moment. However, can we leave the idea open with the description provided by @cjgorrin ?

Looks like it stayed marked as "Delivered" by mistake.

Thanks!

Re: Temporary access pass for QSD authentication

cjgorrin — Tue, 05 Jan 2021 09:20:31 GMT

Dear @Caique_Zaniolo ,

I understand you currently have no plans to implement this feature, but... Isn't that what ideas here are for? To propose things that are not available but we -as users- want?

I think marking the idea as delivered is wrong because what we are asking hasn't been delivered. It should be left open and, at some point in the future, either implemented or discarded.

Could you please unmark it as delivered?

Thank you very much for your understanding.

Re: Temporary access pass for QSD authentication - Status changed to: Delivered

Meghann_MacDonald — Mon, 02 Aug 2021 16:38:19 GMT

Hi all, just to explain the status change, the inital response from Caique defines the idea as delivered using authentication in QSD, and that there are no further plans to generate an alternative form other than the existing. Therefore if the status were to change it would be not planned or partially delivered. @cjgorrin @morenoju

Meghann

Re: Temporary access pass for QSD authentication

cjgorrin — Tue, 03 Aug 2021 08:35:53 GMT

Dear @Meghann_MacDonald,

Thank you for the explanation. However, I think what we are asking here has not been implemented yet, so it should not be marked as "delivered".

We are asking for the possibility of generating an "unlock file" like the one from the Qlik garden, but generating it from our own Qlik Sense server. This way, people would be covered by our licence even if they cannot establish a connection between QSD and the Qlik Sense server (air-gapped devices for sensitive data, no VPN, a long flight, etc.).

I think if there are no plans to implement this in the future (so far), it is better to leave the idea as open. Maybe more people will ask for it and you could consider implementing it at some point.

I still think that marking it as "delivered" makes people believe that what we are asking has been implemented, which is not true.

Thanks a lot for your explanation, your time and your kindness.

Re: Temporary access pass for QSD authentication - Status changed to: Open - Not Planned

Meghann_MacDonald — Wed, 04 Aug 2021 16:07:05 GMT

Hi all, I will change this to Not Planned as it will be the most accurate status to keep the idea open but be clear about our current plans.

Meghann