Qlik Community

Ask a Question

Integration, Extension & APIs

Discussion board where members can learn more about Integration, Extensions and API’s for Qlik Sense.

Announcements
Become an analytics expert with Qlik's new 15 week course: Applied Data Analytics using Qlik Sense. READ MORE
cancel
Showing results for 
Search instead for 
Did you mean: 
kevinpintokpa
Creator II
Creator II

Sense / QAP: How to authenticate external users with certificates

We have a QAP system and we have external users A, B and C who are competitors.  We have corresponding apps AppA, AppB and AppC for these users, and they should not be able to see each other's data.

These users have their user IDs and passwords in an Excel file and this is set up in QMC correctly. 

External user A now wants to get to the data in his AppA using API calls to GetTableData().  I am trying to figure out how to let him in, but only to his app.  The first step in my prototype is to authenticate as user A.  I thought that certificates may be a way to accomplish this.  But the documentation and experimentation doesn't make sense to me.  This is what I am reading:

https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/EngineAPI/Content/Sense_EngineAP...

In Example 1 and 2, it seems that if the client provides the certificates and a header that looks like the following, he can assume ANY identity?

headers: { 'X-Qlik-User': 'UserDirectory=internal; UserId=sa_engine' }

Perhaps I am misunderstanding this, but this seems to be me that providing the certificates and this header is sufficient to identify the user as sa_engine or any other user?

Any ideas on how to authenticate external users without them gaining access to all the apps is appreciated.  I am open to non-certificate solutions if they work without requiring witchcraft.

Labels (4)
1 Reply
Marc
Employee
Employee

Correct, Certificate authentication would allow them to impersonate any user. 

Certificate authentication is NOT what you want to use.

When they connect to Qlik Sense, they can connect either via the proxy service, or directly.

To connect directly they need to use certificates. As this is not a valid option for your use case they will need to connect via the proxy.

Have a look at "Authentication with proxy"

https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/NetSDKAPI/Content/Sense_NetSDKAP...

 

 

How are they trying to make the API calls? C#, Java, PowerShell?

 

In the example:

https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/RepositoryServiceAPI/Content/Sen...

you can replace line 2 "$req.Credentials = [System.Net.CredentialCache]::DefaultCredentials"

with a defined set of credentials.