Qlik Community

Ask a Question

Knowledge Base

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

QlikWorld Online 2021, May 10-12: Our Free, Virtual, Global Event REGISTER TODAY

Qlik Sense for Windows: All you need to know to start using iFrames/Mashups

Digital Support
Digital Support

Qlik Sense for Windows: All you need to know to start using iFrames/Mashups


This is a comprehensive guide of settings to be performed on Qlik Sense Enterprise for Windows in order to be able to use iFrames/Mashups.


  • Qlik Sense Enterprise for Windows April 2020 and later




Qlik Sense installs a self-signed certificate by default. This is not trusted by the browser by default.
When opening the Qlik Sense Hub/QMC in a browser directly, there will be an option to bypass the certificate warning.
However, when this is embedded, the connection to Qlik Sense will just fail due to certificates warnings, unless the certificate warning has been first by-passed in a separate tab in the same browser session.

When it comes to testing purposes, the self-signed certificate can be installed on the client machine and made trusted to remote the error.
For production use, it is recommended to have a third-party certificate applied so that it's trusted automatically by the browser. A company-delivered certificate that is pushed automatically to all machines on the domain via a domain policy will also work.


Different kinds of authentications can be used for Mashups/iFrame in Qlik Sense, however each kind has some considerations to take into account.

Authentication type     Skill
Windows  ! Doesn't work on non-Windows devices.
Is easily impacted by changes in domain policies/security policies, especially in an embedded context.
Ticket (QPS API)

Used by creating a ticket with the Qlik Proxy API and appending it to the URL embedded through a custom authentication module.
Qlik Sense: Generate a ticket with Qlik proxy API (Powershell)
Node js: Send a ticket request (Qlik Sense Proxy API)

Session (QPS API) Used by creating a session with the Qlik Proxy API and setting the cookie in the browser.
The javascript code setting the cookie must be running on the same domain as the Qlik Sense server. This method can be used independently of the authentication method set on the virtual proxy.
Qlik Sense: Call Session API with Postman/PowerShell
SAML This needs some special consideration, some javascript should be run on the parent web page where Qlik Sense is embedded to handle the redirection to the Identity provider page as the browser may block embedded Qlik Sense elements to perform the redirection.
Qlik Sense on Windows: How to use mashups with SAML authentication
JWT This needs header injection, inject headers from the parent website to the embedded object may be blocked by the browser.
Call directly one of the Qlik Sense URL from the parent webpage with the header so that Qlik Sense creates a session cookie, or use a reverse proxy for header injection into the embedded element.
Qlik Sense on Windows: Mashup sample for JWT authentication
Qlik Sense for Windows: iFrame sample using JWT authentication
Header Use a reverse proxy for header injection and to filter out which users are allowed to send headers to Qlik Sense, as there is no way to authorize headers only from specific IPs in Qlik Sense virtual proxy settings. ★★★★
!  not recommended
〇 recommended
◎ Optimal
★ very easy
★★ relatively easy
★★★ easy
★★★★ complicated


SameSite is an attribute set on the cookie and modern browsers will allow the cookie or not based on its value.
For Qlik Sense April 2020 and later, this setting is performed in the virtual proxy settings in the QMC. For earlier versions (November 2018 - February 2020), this is set in the proxy.exe.config file, it is not supported in Qlik Sense September 2018 and earlier.

When using Qlik Sense is an iFrame or a mashup, the settings should be the following:
HasSecure(https): true
SameSite(https): Lax (if the parent website is on the same domain) or None (if the parent website is on a different domain)

SameSite cannot be used with HTTP (non-secure connection), the setting provided for HTTP in the QMC is to facilitate integration with a reverse proxy using SSL offloading.
Qlik Sense: SameSite doesn't work with insecure sites (HTTP)

See more details about SameSite in Qlik Sense in the following article:
Missing SameSite attribute blocks requests in Chrome 80 and later - Too many sessions in parallel

Host white list

In Qlik Sense November 2019 and later, the host white list is also used for HTTP(S) requests, and this will return an error 400 is the host is not allowed.
The name of the web server hosting the mashup needs to be added in the host white list.

Multi-Pages Mashups

In a multi-pages mashup, when moving to a different page, the Qlik Sense engine session will be closed
EnableTTL needs to be set in the Engine Settings.ini file in order to define for how long the Engine session will be alive.
30 seconds is a good value as it generally won't take more than 30 seconds to move from one page to another.
Please also note that by default the session will be shared if the same user is logged it in different browsers, unless "Extended security environment" is checked in the virtual proxy settings.

Adjusting the Qlik Sense Engine TTL

Labels (1)
Version history
Revision #:
3 of 3
Last update:
‎2021-02-23 04:16 AM
Updated by: