Qlik sense websockets & using 3rd party software for authentication, access and single sign-on

dewan_abdullah — Thu, 01 Apr 2021 14:18:05 GMT

Hello everyone,

We're trying to access Qlik sense from external network through another server that has a published ip (redirects to the Qlik sense server) but this public ip is only accessible through a 3rd party software (iDenProtect) which does authentication, access and single sign on. The hub and the app are working fine but get stuck on the loading screen.

We added all IPs to the whitelist.

we checked the logs when the sheet doesn't open and this is the error message that we found.

Got msg: {"jsonrpc":"2.0","method":"OnClosed","params":{"qSessionState":"SESSION_ERROR_SECURITY_HEADER_CHANGED"}} in webs session 273aea4e-a960-41e0-9801-e53862998c60

17:33:24.452 1211069<tel:1211069>[HttpClient@629769605-235] INFO c.i.u.websocket.SocketHandler - Relaying message {"jsonrpc":"2.0","method":"OnClosed","params":{"qSessionState":"SESSION_ERROR_SECURITY_HEADER_CHANGED"}} for websocket session 5, to /app/a3fffb4d-38b5-43e4-ad53-9723db436098?reloadUri=https%3A%2F%2Fproxy.idenprotect.net<http://2fproxy.idenprotect.net/>%3A9999%2Fsense%2Fapp%2Fa3fffb4d-38b5-43e4-ad53-9723db436098

WebSocket Error: java.nio.channels.ClosedChannelException

This error seems to occur when the 2ndwebsocket connection is created. The two websocket connections are to.

wss://proxy.idenprotect.net:9999/app/a3fffb4d-38b5-43e4-ad53-9723db436098?reloadUri=https%3A%2F%2Fproxy.idenprotect.net%3A9999%2Fsense%2Fapp%2Fa3fffb4d-38b5-43e4-ad53-9723db436098

and

wss://proxy.idenprotect.net:9999/dataprepservice/app/a3fffb4d-38b5-43e4-ad53-9723db436098?reloadUri=https%3A%2F%2Fproxy.idenprotect.net%3A9999%2Fsense%2Fapp%2Fa3fffb4d-38b5-43e4-ad53-9723db436098

The error “SESSION_ERROR_SECURITY_HEADER_CHANGED” is a googlewhack, a google search that only returns one result. It seems to be related to connecting directly to the engine vs via a proxy and/or session sharing.

Re: Qlik sense websockets & using 3rd party software for authentication, access and single sign-on

Damien_V — Wed, 28 Jul 2021 15:03:15 GMT

Hello @dewan_abdullah

SESSION_ERROR_SECURITY_HEADER_CHANGED would basically happens if you have checked the option "Extended security environment" in the virtual proxy settings in the QMC and that something external is changing the header during your session.

The X-Qlik-Security header contains various information such as browser type, client IP, etc. If those information are changed by an external device during the user session, then the X-Qlik-Security header will change and this will cause an error.

https://help.qlik.com/en-US/sense-developer/May2021/Subsystems/RepositoryServiceAPI/Content/Sense_RepositoryServiceAPI/RepositoryServiceAPI-Injected-Request-Headers-X-Qlik-Security.htm

https://community.qlik.com/t5/Knowledge-Base/Qlik-Sense-quot-Extended-security-environment-quot-option/ta-p/1717411

topic Qlik sense websockets & using 3rd party software for authentication, access and single sign-on in Integration, Extension & APIs

Qlik sense websockets & using 3rd party software for authentication, access and single sign-on

Re: Qlik sense websockets & using 3rd party software for authentication, access and single sign-on