Customized Authentication in Qlik Sense

Sonja_Bauernfeind — Tue, 23 Feb 2021 09:13:11 GMT

If coming from QlikView, it is known that implementing custom authentication such as SAML, JWT, etc. requires specialized knowledge and the examples provided (as described in Customized Authentication in QlikView 11) are only provided as-is with no warranty.
Qlik Sense, however, largely improves on the ability to implement customized authentication as it is now configurable from within the Qlik Management Console (QMC) via Virtual Proxy configurations.

Environment:

Qlik Sense Enterprise for Windows, all versions

Supported customized authentication methods now include, as of June 2020:

Windows / NTLM - This is the authentication method used by default, a browser popup will appear so that the user inputs his Windows credentials or the user will be logged in automatically if the browser is set up to automatically pass Windows credentials (See Integrated Windows Authentication (IWA) with Qlik using Internet Explorer, Chrome and Firefox)

Alternatively, Windows authentication via Forms can also be used (See Logging out of Qlik Sense: Using Forms authentication to log in and out of the Sense Hub)
Note that for non-Windows devices, form authentication will be used by default even if the above setting has not been done on the virtual proxy.

Ticket - This consists in requesting a ticket to the Qlik Proxy API and consuming it by appending it to the Qlik Sense URL. This is generally the preferred method when integrating Qlik Sense in an iFrame as this does not require to set up headers or cookie, which may be blocked by browser cross-site scripting prevention policy.

Examples can be found below:
Node js: Send a ticket request (Qlik Sense Proxy API)
Qlik Sense: Generate a ticket with Qlik proxy API (Powershell)

Session - This consists of creating a session id with the Qlik Proxy API and then set the cookie with that same session id on the user side.

Example: Qlik Sense: Call Session API with Postman/PowerShell

Header - This consists of sending the username you want to authenticate as in an HTTP header. This is considered as unsafe if there is no reverse proxy or proxy between the clients and server that will filter who is able to send a header to get authenticated, so this is a point that should be considered when using Header authentication.

See below for setup example/troubleshooting:
Qlik Sense Header Authentication 401 Error "Could not authenticate the request: Expected an authentication header"

SAML - The authentication is accomplished by exchange of claims between the Identity Provider (IdP) and the Service Provider (Qlik Sense)

See below for setup examples:
How To Use SAML Authentication With Qlik Sense

JWT - The authentication is accomplished with a JSON formatted token signed with the private key of a specific certificate. Qlik Sense will check if the signature is correct based on the certificate provided in the virtual proxy configuration.

See Qlik Sense: How to set up JWT authentication

Anonymous Users - The user does not need to authenticate. Anonymous users may be allowed or not based on the type of license you are using, please check Which Qlik Sense Enterprise licenses support anonymous access?

Our Knowledge base has many articles available describing configuration of different authentication methods and related troubleshooting, for example:

More resources are available at http://help.qlik.com, as well as Qlik Community. Please keep in mind, however, that "how to" questions are generally outside the scope of technical support; if you need step-by-step help with setting up customized authentication please reach out to your Account Owner to inquire about Education Services or Consulting Services (see When and How to Contact the Consulting Team?).

article Customized Authentication in Qlik Sense in Official Support Articles

Customized Authentication in Qlik Sense