This is a comprehensive guide of settings to be performed on Qlik Sense Enterprise for Windows in order to be able to use iFrames/Mashups.
Environments:
- Qlik Sense Enterprise for Windows April 2020 and later
Certificates:
Qlik Sense installs a self-signed certificate by default. This is not trusted by the browser by default.
When opening the Qlik Sense Hub/QMC in a browser directly, there will be an option to bypass the certificate warning.
However, when this is embedded, the connection to Qlik Sense will just fail due to certificates warnings, unless the certificate warning has been first by-passed in a separate tab in the same browser session.
When it comes to testing purposes, the self-signed certificate can be installed on the client machine and made trusted to remote the error.
For production use, it is recommended to have a third-party certificate applied so that it's trusted automatically by the browser. A company-delivered certificate that is pushed automatically to all machines on the domain via a domain policy will also work.
Authentication
Different kinds of authentications can be used for Mashups/iFrame in Qlik Sense, however each kind has some considerations to take into account.
| Authentication type |
|
|
Skill
Level |
| Windows |
! |
Doesn't work on non-Windows devices.
Is easily impacted by changes in domain policies/security policies, especially in an embedded context. |
★ |
| Ticket (QPS API) |
◎ |
Used by creating a ticket with the Qlik Proxy API and appending it to the URL embedded through a custom authentication module.
Qlik Sense: Generate a ticket with Qlik proxy API (Powershell)
Node js: Send a ticket request (Qlik Sense Proxy API)
|
★★ |
| Session (QPS API) |
〇 |
Used by creating a session with the Qlik Proxy API and setting the cookie in the browser.
The javascript code setting the cookie must be running on the same domain as the Qlik Sense server. This method can be used independently of the authentication method set on the virtual proxy.
Qlik Sense: Call Session API with Postman/PowerShell |
★★ |
| SAML |
〇 |
This needs some special consideration, some javascript should be run on the parent web page where Qlik Sense is embedded to handle the redirection to the Identity provider page as the browser may block embedded Qlik Sense elements to perform the redirection.
Qlik Sense on Windows: How to use mashups with SAML authentication |
★★★ |
| JWT |
〇 |
This needs header injection, inject headers from the parent website to the embedded object may be blocked by the browser.
Call directly one of the Qlik Sense URL from the parent webpage with the header so that Qlik Sense creates a session cookie, or use a reverse proxy for header injection into the embedded element.
Qlik Sense on Windows: Mashup sample for JWT authentication
Qlik Sense for Windows: iFrame sample using JWT authentication |
★★★ |
| Header |
〇 |
Use a reverse proxy for header injection and to filter out which users are allowed to send headers to Qlik Sense, as there is no way to authorize headers only from specific IPs in Qlik Sense virtual proxy settings. |
★★★★ |
Legend
! not recommended
〇 recommended
◎ Optimal |
★ very easy
★★ relatively easy
★★★ easy
★★★★ complicated |
SameSite
SameSite is an attribute set on the cookie and modern browsers will allow the cookie or not based on its value.
For Qlik Sense April 2020 and later, this setting is performed in the virtual proxy settings in the QMC. For earlier versions (November 2018 - February 2020), this is set in the proxy.exe.config file, it is not supported in Qlik Sense September 2018 and earlier.
When using Qlik Sense is an iFrame or a mashup, the settings should be the following:
HasSecure(https): true
SameSite(https): Lax (if the parent website is on the same domain) or None (if the parent website is on a different domain)
SameSite cannot be used with HTTP (non-secure connection), the setting provided for HTTP in the QMC is to facilitate integration with a reverse proxy using SSL offloading.
Qlik Sense: SameSite doesn't work with insecure sites (HTTP)
See more details about SameSite in Qlik Sense in the following article:
Missing SameSite attribute blocks requests in Chrome 80 and later - Too many sessions in parallel
Host white list
In Qlik Sense November 2019 and later, the host white list is also used for HTTP(S) requests, and this will return an error 400 is the host is not allowed.
The name of the web server hosting the mashup needs to be added in the host white list.
Multi-Pages Mashups
In a multi-pages mashup, when moving to a different page, the Qlik Sense engine session will be closed
EnableTTL needs to be set in the Engine Settings.ini file in order to define for how long the Engine session will be alive.
30 seconds is a good value as it generally won't take more than 30 seconds to move from one page to another.
Please also note that by default the session will be shared if the same user is logged it in different browsers, unless "Extended security environment" is checked in the virtual proxy settings.
Adjusting the Qlik Sense Engine TTL
