https://community.qlik.com/t5/Integration-Extension-APIs/Sense-QAP-How-to-authenticate-external-users-with-certificates/m-p/1671613#M12258 <P>Correct, Certificate authentication would allow them to impersonate any user.&nbsp;</P> <P>Certificate authentication is NOT what you want to use.</P> <P>When they connect to Qlik Sense, they can connect either via the proxy service, or directly.</P> <P>To connect directly they need to use certificates. As this is not a valid option for your use case they will need to connect via the proxy.</P> <P>Have a look at "Authentication with proxy"</P> <P><A href="https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/NetSDKAPI/Content/Sense_NetSDKAPI/GettingStarted/Getting-Started-Steps.htm" target="_blank">https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/NetSDKAPI/Content/Sense_NetSDKAPI/GettingStarted/Getting-Started-Steps.htm</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>How are they trying to make the API calls? C#, Java, PowerShell?</P> <P>&nbsp;</P> <P>In the example:</P> <P><A href="https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/RepositoryServiceAPI/Content/Sense_RepositoryServiceAPI/RepositoryServiceAPI-Example-Connect-Powershell.htm" target="_blank">https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/RepositoryServiceAPI/Content/Sense_RepositoryServiceAPI/RepositoryServiceAPI-Example-Connect-Powershell.htm</A></P> <P>you can replace line 2 "<SPAN>$req.Credentials = [System.Net.CredentialCache]::DefaultCredentials"</SPAN></P> <P><SPAN>with a defined set of credentials.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 03 Feb 2020 03:59:09 GMT Marc 2020-02-03T03:59:09Z https://community.qlik.com/t5/Integration-Extension-APIs/Sense-QAP-How-to-authenticate-external-users-with-certificates/m-p/1670248#M12217 <P>We have a QAP system and we have external users A, B and C who are competitors.&nbsp; We have corresponding apps AppA, AppB and AppC for these users, and they should not be able to see each other's data.</P><P>These users have their user IDs and passwords in an Excel file and this is set up in QMC correctly.&nbsp;</P><P>External user A now wants to get to the data in his AppA using API calls to GetTableData().&nbsp; I am trying to figure out how to let him in, but only to his app.&nbsp; The first step in my prototype is to authenticate as user A.&nbsp; I thought that certificates may be a way to accomplish this.&nbsp; But the documentation and experimentation doesn't make sense to me.&nbsp; This is what I am reading:</P><P><A href="https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/EngineAPI/Content/Sense_EngineAPI/GettingStarted/connecting-to-engine-api.htm" target="_blank">https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/EngineAPI/Content/Sense_EngineAPI/GettingStarted/connecting-to-engine-api.htm</A></P><P>In Example 1 and 2, it seems that if the client provides the certificates and a header that looks like the following, he can assume ANY identity?</P><P><SPAN>headers</SPAN><SPAN class="token punctuation">:</SPAN> <SPAN class="token punctuation">{</SPAN> <SPAN class="token string">'X-Qlik-User'</SPAN><SPAN class="token punctuation">:</SPAN> <SPAN class="token string">'UserDirectory=internal; UserId=sa_engine'</SPAN> <SPAN class="token punctuation">}</SPAN></P><P>Perhaps I am misunderstanding this, but this seems to be me that providing the certificates and this header is sufficient to identify the user as&nbsp;<SPAN class="token string">sa_engine or any other user?</SPAN></P><P>Any ideas on how to authenticate external users without them gaining access to all the apps is appreciated.&nbsp; I am open to non-certificate solutions if they work without requiring witchcraft.</P> Sat, 16 Nov 2024 19:13:08 GMT https://community.qlik.com/t5/Integration-Extension-APIs/Sense-QAP-How-to-authenticate-external-users-with-certificates/m-p/1670248#M12217 kevinpintokpa 2024-11-16T19:13:08Z https://community.qlik.com/t5/Integration-Extension-APIs/Sense-QAP-How-to-authenticate-external-users-with-certificates/m-p/1671613#M12258 <P>Correct, Certificate authentication would allow them to impersonate any user.&nbsp;</P> <P>Certificate authentication is NOT what you want to use.</P> <P>When they connect to Qlik Sense, they can connect either via the proxy service, or directly.</P> <P>To connect directly they need to use certificates. As this is not a valid option for your use case they will need to connect via the proxy.</P> <P>Have a look at "Authentication with proxy"</P> <P><A href="https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/NetSDKAPI/Content/Sense_NetSDKAPI/GettingStarted/Getting-Started-Steps.htm" target="_blank">https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/NetSDKAPI/Content/Sense_NetSDKAPI/GettingStarted/Getting-Started-Steps.htm</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>How are they trying to make the API calls? C#, Java, PowerShell?</P> <P>&nbsp;</P> <P>In the example:</P> <P><A href="https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/RepositoryServiceAPI/Content/Sense_RepositoryServiceAPI/RepositoryServiceAPI-Example-Connect-Powershell.htm" target="_blank">https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/RepositoryServiceAPI/Content/Sense_RepositoryServiceAPI/RepositoryServiceAPI-Example-Connect-Powershell.htm</A></P> <P>you can replace line 2 "<SPAN>$req.Credentials = [System.Net.CredentialCache]::DefaultCredentials"</SPAN></P> <P><SPAN>with a defined set of credentials.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 03 Feb 2020 03:59:09 GMT https://community.qlik.com/t5/Integration-Extension-APIs/Sense-QAP-How-to-authenticate-external-users-with-certificates/m-p/1671613#M12258 Marc 2020-02-03T03:59:09Z