Skip to main content
Announcements
Qlik Connect 2025: 3 days of full immersion in data, analytics, and AI. May 13-15 | Orlando, FL: Learn More
Fredrik_Lautrup
Employee
Employee

For those of you who are interested in how tickets can be used in Qlik Sense to integrate authentication with identity providers, you should continue reading.

Tickets as a means to give users access to things was used long before the invention of computers. When you go to the cinema, you first need to buy a ticket from a cashier or from the Internet – a ticket that is valid for one movie at a certain time. The ticket is later validated by the person letting you into the correct theatre for the movie for which the ticket is valid.

One benefit of a ticket system is that it is independent of how you get the ticket. The ticket is valid for access to the movie, no matter what.

So how can we use the same concept to gain the same flexibility when we authenticate users in Qlik Sense? We use tickets, but this time the tickets are digital.

In QlikView 11.0 we introduced a concept that called Web Tickets. In Qlik Sense we have developed this idea further and this is now the normal way to make the authentication.

So how does this work in Qlik Sense?

  1. You connect to Qlik Sense Proxy and try to gain access, but as you don’t have a session yet the proxy will ask you to go to an authentication module.
  2. You go to the authentication module that can validate that you are who you say you are.
  3. You get validated by the authentication module based on something you are, something you have, or something you know.
  4. If successfully validated, the authentication module will request a ticket from the proxy. As the proxy trust the authentication module it will grant a ticket. The ticket is special in that it is only valid for the person you say you are for a short period of time.
  5. You can now return to the proxy with the ticket. The proxy will validate the ticket and grant you access to Qlik Sense.

Tickets.png

So how do this look in real life if we wanted to integrate with Salesforce?

  1. You enter https://[Server name]/hub in your browser
  2. You get redirected to an authentication module  by the proxy with an identifier of where the module can request a ticket, the proxyRestUri,  and a token that can be used to get the proxy to tell you where it should send you back, the targetId
  3. You get validated by the authentication module that uses Salesforce to authenticate the user based on something you are, something you have or something you know.
  4. The authentication module sends a request (HTTP POST) for a ticket to the proxyRestUri/ticket in JSON format like this.
    {
    "UserDirectory":"SalesForce",
    "UserId":"hkp",
    "Attributes":[
       
    {
          
    "org":"Qlik"
       
    }
    ],
    "TargetId":"7f9c12ab-d656-4dbe-8d14-a2d55fa52f6c"  
    }
    And gets a response like this
    { 
    "UserDirectory":" SalesForce",
    "UserId":"hkp",
    "Attributes":[ 
       
    { 
          
    "org":"Qlik"
       
    }
    ],
    "Ticket":"iokrVXS-IndQgEON",
    "TargetUri":"https://testsrv.test.com/hub"
    }
  5. You redirect the user back to the targetUri with the ticket (https://testsrv.test.com/hub/?QlikTicket=iokrVXS-IndQgEON) and the user will be granted access to Qlik Sense

But for this to be secure, there are two requirements:

  1. The call to the proxy is only allowed if the authentication module is trusted by the proxy. This is achieved by the use of certificates (which can be exported from the QMC).
  2. The request for a ticket to the proxy must contain a Cross Site Request key in the header (X-Qlik-Xrfkey) and the same key must exist in the URL (Xrfkey).

If you would like to get your hands dirty, you will find examples on ticketing on Qlik Branch and more documentation on the Qlik Sense help site

17 Comments
Not applicable

Hi, vegard.bakke‌ !

I have the same authentication problem as yours:  IdP SSO and third-party PHP front-end.

Could you please share how did you solve it eventually ?

Thanks in advance,

Max.

0 Likes
3,548 Views
Not applicable

Man, sorry for resurrecting the topic. I've already the token, may I reuse it in another url request or just using targetUri? If possible, where must I put it? Should I send it as a cookie?

0 Likes
3,548 Views
Not applicable

hi, make sure you also checkout http://integration.qlik.com where we created a complete demo environment where you can checkout all the API calls via the API logs, and see videos around ticketing. You can also check both high and low level stuff about security integration at the slide generator (Based on the Qlik Sense Engine API). slide generator - security workshop screenshot.png

0 Likes
3,586 Views
Anonymous
Not applicable

Hello. Neither of the links are working - the following error is given.


Network Error (tcp_error)

A communication error occurred: "Operation timed out"
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
0 Likes
3,586 Views
mbj
Employee
Employee

‌hi, it should work again...

0 Likes
3,586 Views
Anonymous
Not applicable

Is there a way to invalidate the ticket issued??

0 Likes
3,586 Views
marcohadiyanto
Partner - Specialist
Partner - Specialist
Hi, i have question about 2. You get redirected to an authentication module by the proxy with an identifier of where the module can request a ticket, the proxyRestUri, and a token that can be used to get the proxy to tell you where it should send you back, the targetId Where can i get/define targetid and proxyRestUri? Thanks
0 Likes
1,841 Views