Skip to main content
Announcements
Global Transformation Awards! Applications are now open. Submit Entry
cancel
Showing results for 
Search instead for 
Did you mean: 
AshwathRaj_26
Employee
Employee

Wont User credentials stored in PGSQL get exposed?

Hi,

My understanding is user credentials are stored in PGSQL which is used for validating login with external IdP

But if credentials are stored as-is in PGSQL wont they get exposed?

 

Labels (1)
1 Solution

Accepted Solutions
Levi_Turner
Employee
Employee

As @Anonymous mentioned, when doing authentication, Qlik Sense Enterprise neither stores nor really knows the credentials of the end user. Qlik Sense Enterprise leverages existing authentication systems (Active Directory, a SAML IdP, etc). Those systems evaluate the credentials (or usually a hash of the credentials, see https://security.stackexchange.com/questions/129832/understanding-ntlm-authentication-step-by-step) then send a token to Qlik Sense Enterprise signaling that a given user (domain\userId) has successfully authenticated.

View solution in original post

2 Replies
Anonymous
Not applicable

Hey @AshwathRaj_26 ,

as per my knowledge no, user credentials (username and password) are not stored into postgreSQL.
The only credentials that are stored there are the ones of technical users used inside postgreSQL itself (see users postgresql and qliksenserepository).

For 'regular' end users, only a reference of their user directory ("domain", if you're working with active directory) and user id ("username", if you're working with active directory) are kept.
Once the IdP has verified your identity, will let you proceed to Qlik Sense. Only at this point the IdP will tell Qlik who you are (user directory + user id).

Let me know if this makes any sense for you

Riccardo

Levi_Turner
Employee
Employee

As @Anonymous mentioned, when doing authentication, Qlik Sense Enterprise neither stores nor really knows the credentials of the end user. Qlik Sense Enterprise leverages existing authentication systems (Active Directory, a SAML IdP, etc). Those systems evaluate the credentials (or usually a hash of the credentials, see https://security.stackexchange.com/questions/129832/understanding-ntlm-authentication-step-by-step) then send a token to Qlik Sense Enterprise signaling that a given user (domain\userId) has successfully authenticated.