Qlik Sense for Windows: All you need to know to start using iFrames/Mashups
This is a comprehensive guide to the settings that need to be configured on Qlik Sense Enterprise for Windows in order to use iFrames/Mashups.
Qlik Sense Enterprise for Windows April 2020 and later
Qlik Sense installs a self-signed certificate by default, and browsers do not trust it by default. When opening the Qlik Sense Hub/QMC directly in a browser, there is an option to bypass the certificate warning. However, when Qlik Sense is embedded, the connection will simply fail because of the certificate warning, unless the warning has first been bypassed in a separate tab in the same browser session.
For testing purposes, the self-signed certificate can be installed on the client machine and made trusted to remove the error. For production use, it is recommended to apply a third-party certificate so that it is trusted automatically by the browser. A company-issued certificate that is pushed automatically to all machines on the domain via a domain policy will also work.
Different kinds of authentication can be used for Mashups/iFrames in Qlik Sense; however, each kind has some considerations to take into account.
Doesn't work on non-Windows devices. Is easily impacted by changes in domain policies/security policies, especially in an embedded context.
Use a reverse proxy for header injection and to filter out which users are allowed to send headers to Qlik Sense, as there is no way to authorize headers only from specific IPs in Qlik Sense virtual proxy settings.
Legend: ! not recommended, 〇 recommended, ◎ optimal
★ very easy, ★★ relatively easy, ★★★ easy, ★★★★ complicated
SameSite is an attribute set on the cookie, and modern browsers allow or block the cookie based on its value. For Qlik Sense April 2020 and later, this setting is configured in the virtual proxy settings in the QMC. For earlier versions (November 2018 - February 2020), it is set in the proxy.exe.config file. It is not supported in Qlik Sense September 2018 and earlier.
When using Qlik Sense in an iFrame or a mashup, the settings should be the following:
HasSecure(https): true
SameSite(https): Lax (if the parent website is on the same domain) or None (if the parent website is on a different domain)
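The following is an added example, not part of the original article or Qlik's own code: a small Node.js check that audits a Set-Cookie header returned by the virtual proxy against the HasSecure/SameSite settings above. The function names and the sample header strings are constructed for illustration, and the caller is assumed to know whether the parent website is on a different domain.

```javascript
// Added example: audits a Set-Cookie header against the embedding settings above.
// The header strings below are constructed samples, not captured traffic.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// crossDomain: true when the parent website is on a different domain
// than the Qlik Sense server (assumption: the caller knows this).
function auditForEmbedding(header, crossDomain) {
  const c = parseSetCookie(header);
  const expected = crossDomain ? "none" : "lax";
  const findings = [];
  if (!c.secure) {
    findings.push("Secure attribute missing: set HasSecure(https) to true");
  }
  if (c.sameSite !== expected) {
    findings.push(`SameSite is ${c.sameSite ?? "unset"}, expected ${expected}`);
  }
  if (c.sameSite === "none" && !c.secure) {
    findings.push("SameSite=None without Secure is rejected by modern browsers");
  }
  return findings;
}

// Constructed sample headers: [header, parent on a different domain?]
const samples = [
  ["X-Qlik-Session=abc123; Path=/; HttpOnly; Secure; SameSite=None", true],
  ["X-Qlik-Session=abc123; Path=/; HttpOnly; SameSite=Lax", true],
  ["X-Qlik-Session=abc123; Path=/; HttpOnly; Secure; SameSite=None", false],
];
for (const [header, crossDomain] of samples) {
  const findings = auditForEmbedding(header, crossDomain);
  console.log(crossDomain ? "cross-domain:" : "same-domain:", findings.length ? findings : "OK");
}
```

A finding for SameSite=None on a same-domain parent is worth acting on: None exposes the session cookie to cross-site requests when Lax would have been sufficient.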
In Qlik Sense November 2019 and later, the host white list is also used for HTTP(S) requests, and an error 400 is returned if the host is not allowed. The name of the web server hosting the mashup needs to be added to the host white list.
In a multi-page mashup, the Qlik Sense engine session is closed when moving to a different page. EnableTTL needs to be set in the Engine Settings.ini file in order to define how long the Engine session stays alive. 30 seconds is a good value, as it generally won't take more than 30 seconds to move from one page to another. Please also note that by default the session will be shared if the same user is logged in from different browsers, unless "Extended security environment" is checked in the virtual proxy settings.