topic Re: Qlik sense SSO logout API in Integration, Extension & APIs

Qlik sense SSO logout API

Tue, 22 Mar 2016 13:52:39 GMT

We have integrated Qlik Sense Hub into our application via Virtual Proxy with SAML based authentication.

I am able to log on to hub and able to view apps and do actions as per security rule perfectly good. Now when I logout on my application,I would like to logout the session from Qlik sense as well.

Is there any api that I can make use of to logout.

We also support multiple session for a single login. i.e., Same user can login from different location

How do I get to logout the user from Qlik in such cases?

Thanks

Re: Qlik sense SSO logout API

adnan_rafiq — Wed, 23 Mar 2016 09:39:11 GMT

Hi Mahendra,

Sorry to put an unwanted comment, but I have some issue where i feel you can help me.

I have been trying to apply SAML integration for while but was unable to do so other than onelogin.

did you performed SAML integration on standard application like sales force etc or customized application?

Thanks alot in advance.

Re: Qlik sense SSO logout API

Mon, 28 Mar 2016 08:37:58 GMT

Hi Adnan,

I have performed SAML integration with our In-house application.

Let me know what can I help you with?

Thanks

Re: Qlik sense SSO logout API

Anonymous — Mon, 28 Mar 2016 12:44:00 GMT

I am in the same boat. Though I am thinking of using Qlik sense Proxy API.

https://help.qlik.com/en-US/sense-developer/2.0/Subsystems/ProxyServiceAPI/Content/ProxyServiceAPI/ProxyServiceAPI-ProxyServiceAPI-Logout-Delete-User.htm

Re: Qlik sense SSO logout API

adnan_rafiq — Mon, 28 Mar 2016 13:00:49 GMT

Thanks a lot Mahendra for showing support.

Can I send you log from system on email. if you can send me a personal message with email id that will be great.

Re: Qlik sense SSO logout API

Tue, 29 Mar 2016 06:12:25 GMT

Hi,

You should use the Qlik Sense Proxy API, but be sure to use the same session.

https://help.qlik.com/en-US/sense-developer/2.0/Subsystems/ProxyServiceAPI/Content/ProxyServiceAPI/ProxyServiceAPI-ProxyServiceAPI-Logout-Delete-User.htm?_ga=1.53820072.1056473090.1456404673

Here some C# code that might help.

var serverPath = this.ServerUri + "/qps";

if (!string.IsNullOrEmpty(this.VirtualProxyPath))

serverPath += this.VirtualProxyPath;

var request = (HttpWebRequest)HttpWebRequest.Create(serverPath + "/user");

request.CookieContainer = new CookieContainer();

foreach (var cookie in allCookies)

request.CookieContainer.Add(new Uri(serverPath), cookie);

request.Method = "DELETE";

Best Regards

Lars-Göran Book

Re: Qlik sense SSO logout API

konrad_mattheis — Tue, 29 Mar 2016 13:56:07 GMT

Hi Lars,

thanks for you code snippet, but this is only correct if you really use a virtual proxy. The Qlik Sever don't want for example 2 slahes in the URI. You have to set the / in the check of the VirtualproxyPath

Here is my Extensionmethod for the location class:

    public static class LocationExtensions_akquinet
    {
        private static Logger logger = LogManager.GetCurrentClassLogger();

        public static bool LogoutUser(this ILocation location)
        {
            try
            {
                var serverPath = location.ServerUri + "qps";

                if (!string.IsNullOrEmpty(location.VirtualProxyPath))
                    serverPath += "/"+location.VirtualProxyPath;

                var request = (HttpWebRequest)HttpWebRequest.Create(serverPath + "/user");

                request.CookieContainer = new CookieContainer();
                foreach (var cookie in location.CustomUserCookies)
                    request.CookieContainer.Add(new Uri(serverPath), new Cookie(cookie.Key, cookie.Value));
                var sc = location.SessionCookie().Split(new char[] { '=' });
                request.CookieContainer.Add(new Uri(serverPath), new Cookie(sc[0], sc[1]));
                request.Method = "DELETE";
                request.GetResponse();

                return true;
            }
            catch (Exception ex)
            {
                logger.Info(ex);
                return false;
   catch (Ex
            }
        }
    }

bye

Konrad

Re: Qlik sense SSO logout API

Anonymous — Mon, 04 Apr 2016 12:33:16 GMT

Thanks for the snippet Konrad. I assume this code has to be executed from a server where qlik client certificate is already installed.

Lets assume we have a web socket connection , already authenticated. Can we direct call qps api from javascript for terminating the user session.

Thanks

-Vishal

Re: Qlik sense SSO logout API

jp_golay — Tue, 12 Apr 2016 12:43:43 GMT

Hi Lars

Konrad advice me to contact you about a question:

I want to pass a X.509 client certificate to the .NET api in order to avoid having to register the root certificate in certmgr.

My idea is to store the certificates in the Version Manager repos database and distribute them through the http web requests. In Rest it is possible (restClient.ClientCertificates.Add(mQsHub.QsX509certificate);) but in .NET is there a hack in the api to allow this?
Thanks

Re: Qlik sense SSO logout API

Tue, 12 Apr 2016 13:28:57 GMT

Hi,
In the current version there is no way to supply the certificate to the SDK. A possible solution is to write an extension method that take the certificate as an parameter an stores it as a root certificate. See Working with Certificates

Best regards
Lars-Göran Book

Re: Qlik sense SSO logout API

konrad_mattheis — Fri, 23 Sep 2016 12:23:31 GMT

Hi Lars-Göran,

please have a look at this Support Case: 00891931 - Docu BUG for

I think that the Docu is wrong, if you check what the sense web client is doing.

1. this reflects in a wrong behauvior of the .NET SDK because you implemented this like documented

2. I found out it is even more easy

(location as IDisposable).Dispose() is doing at least since .NET SDK 3.0.1 the same thing, if it would implemented right.

ebiexperts‌ you can not read the bug ticket, but the right order is:URL/virtualproxy/qps/user/

This is the new corrected function:

public static class LocationExtensions_akquinet  
{  
    private static Logger logger = LogManager.GetCurrentClassLogger();  

    public static bool LogoutUser(this ILocation location)  
    {  
        try  
        {  
            var serverPath = location.ServerUri.AbsoluteUri;

            if (!string.IsNullOrEmpty(location.VirtualProxyPath))
                serverPath += location.VirtualProxyPath+@"/";

            var request = (HttpWebRequest)HttpWebRequest.Create(serverPath + @"qps/user");

            request.CookieContainer = new CookieContainer();  
            foreach (var cookie in location.CustomUserCookies)  
                request.CookieContainer.Add(new Uri(serverPath), new Cookie(cookie.Key, cookie.Value));  
            var sc = location.SessionCookie().Split(new char[] { '=' });  
            request.CookieContainer.Add(new Uri(serverPath), new Cookie(sc[0], sc[1]));  
            request.Method = "DELETE";  
            request.GetResponse();  

            return true;  
        }  
        catch (Exception ex)  
        {  
            logger.Info(ex);  
            return false;  
catch (Ex  
         }  
     }  
 }

bye Konrad

Re: Qlik sense SSO logout API

Anonymous — Mon, 26 Sep 2016 08:10:15 GMT

Hi Lars,

I have used qps personal api (https://help.qlik.com/en-US/sense-developer/2.0/Subsystems/ProxyServiceAPI/Content/ProxyServiceAPI/ProxyServiceAPI-ProxyServiceAPI-Personal-Delete.htm) and called /{virtual proxy}/qps/user after setting the cookie named which is set up in the virtual proxy (X-Qlik-Session).

Its tearing down all sessions of the user and behaving like Logout API (https://help.qlik.com/en-US/sense-developer/2.0/Subsystems/ProxyServiceAPI/Content/ProxyServiceAPI/ProxyServiceAPI-ProxyServiceAPI-Logout-Delete-User.htm)

I don;t have session Id of the user and can not call the session module API to tear down the specific user session.

Can you help me with this. I just want to terminate the particular session.

Re: Qlik sense SSO logout API

Mon, 26 Sep 2016 10:49:33 GMT

Hi,

there is no API to delete thru the Proxy. If you want to delete specific session you will have to write a component or service that is in the trusted zone and call DELETE on the following endpoint qps/{virtualproxy}/session/{id} (port 4243). {id} should contain the session cookie header (X-Qlik-Session). Not if you are using load balancing you will need to call all nodes.
To write a component or service that is in the trusted zone see ConnectDirect* examples on GitHub - AptkQlik/PublicExamples

Best regards

Lars-Göran Book

Re: Qlik sense SSO logout API

Anonymous — Mon, 26 Sep 2016 11:46:38 GMT

Awesome !!! Thanks a lot.

I wasn't aware that {id} can be the session cookie header (X-Qlik-Session). Its not mentioned in the documentation.

Thanks

-Vishal

Re: Qlik sense SSO logout API

konrad_mattheis — Mon, 26 Sep 2016 14:01:34 GMT

Hi Vishal,

please raise a docu bug against qlik so this can be fixed in the documentation.

Even if this is work, it will help a lot of programmers after you.

bye Konrad

Re: Qlik sense SSO logout API

Anonymous — Tue, 27 Sep 2016 08:11:49 GMT

Sure konrad.mattheis‌ , I will do that,

My portal and qlik are running on different sub domains and this is restricting me from accessing the qlik cookie. Need to figure out some alternate method now.

Re: Qlik sense SSO logout API

Anonymous — Thu, 07 Sep 2017 18:59:09 GMT

Hi Konrad,

Does this function prevent you from LicenseAccessDenied exception? I'm still getting error after 5 connections to API.

Many thanks!

BRs,

Michal