Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
dgoehler
Partner - Contributor III
Partner - Contributor III
‎2014-10-27 06:18 PM

Single Sign On with Qlik Sense

Hello,

doesn't anyone know how Single Sign On (e.g. Microsoft Office 365) with the Qlik Sense Server works. I only found very vague information about that: e.g.: https://help.qlik.com/sense/en-US/online/#../Subsystems/Server_deployment_and_configuration/Content/...

or https://help.qlik.com/sense/en-US/developer/#../Subsystems/Qlik_Sense_Proxy_Service_API/Content/QPS ...

Best regards,

Daniel

24,801 Views
1 Solution

Accepted Solutions
Fredrik_Lautrup
Employee
Employee
‎2014-10-29 07:39 AM

In response to dgoehler

So in the response from OAuth you get a link to information about the logged in user. When you request a ticket you send in the information that you want Qlik Sense to use. If the user does not exist in Sense it will be created for you.

So for example, if the user is MMN you could request a ticket for userID=MMN and UserDirectory=Outlook365 and that would result in a user being created.

An alternative is to use some sort of database in the backend to pre-populate the users User Directory Connector.

https://help.qlik.com/sense/en-US/online/#../Subsystems/Qlik_Management_Console_help/Content/QMC_Res...

A round certificates there is an example here

https://help.qlik.com/sense/en-us/developer/#../Subsystems/Qlik_Sense_Proxy_Service_API/Content/QPS ...

If running the authentication module on the same machine as the Proxy service you dont have to do anything. If you want to run on the authentication module on another machine you need to export certificates from the QMC and install on the machine you want to use.

http://https://help.qlik.com/sense/en-US/online/#../Subsystems/Qlik_Management_Console_help/Content/...

View solution in original post

10,348 Views
0 Likes
17 Replies
Michael_Tarallo
Employee
Employee
‎2014-10-28 08:49 AM

Hello Daniel - I am investigating this for you and will have someone respond to your inquiry,

Regards,

Mike

Qlik

Regards,
Mike Tarallo
Qlik
10,348 Views
0 Likes
Fredrik_Lautrup
Employee
Employee
‎2014-10-29 03:48 AM

Can you give us some more information on what you want to achive? Out of the box Qlik Sense support windows integrated authentication using NTLM or Kerberos. But we also supply a set of API's that can be used to extend authentication support to other identity providers.

10,348 Views
0 Likes
dgoehler
Partner - Contributor III
Partner - Contributor III
‎2014-10-29 03:51 AM
Author

In response to Fredrik_Lautrup

For example I like to Single Sign On via an Office 365 Account (Overview of single sign-on for Office 365)

10,348 Views
0 Likes
Fredrik_Lautrup
Employee
Employee
‎2014-10-29 06:25 AM

In response to dgoehler

This is not supported out of the box.

But the solution to use Outlook365 accounts would be to implement an OAuth 2.0 authentication module that uses the Proxy APIs for tickets to exchange the users.

https://help.qlik.com/sense/en-us/developer/#../Subsystems/Qlik_Sense_Proxy_Service_API/Content/QPS ...

If you look at Branch there is an example of an authentication module

http://branch.qlik.com/projects/showthread.php?285-Access-Control-Test-Module

If you are familiar with NodeJS you could use a library such as Passport which supports OAuth2.

It also looks at this link that AZure has an Authentication library that could probably be used.

OAuth 2.0 in Azure AD

Regards

Fredrik

10,348 Views
0 Likes
dgoehler
Partner - Contributor III
Partner - Contributor III
‎2014-10-29 06:39 AM
Author

In response to Fredrik_Lautrup

Hi Fredrik,

two questions regarding your Access Control Test Module:

1. How do I link a Office 365 Account against a Qlik Sense User Account?

2. In the function requestticket, they use a client certificate instead of windows integrated authentication (NTLM or Kerberos). Is there any documentation about that? I found nearly nothing about that. Or in other word: Where should I setup the client certificate on the QMC?

Best regards,

Daniel

10,348 Views
0 Likes
Fredrik_Lautrup
Employee
Employee
‎2014-10-29 07:39 AM

In response to dgoehler

So in the response from OAuth you get a link to information about the logged in user. When you request a ticket you send in the information that you want Qlik Sense to use. If the user does not exist in Sense it will be created for you.

So for example, if the user is MMN you could request a ticket for userID=MMN and UserDirectory=Outlook365 and that would result in a user being created.

An alternative is to use some sort of database in the backend to pre-populate the users User Directory Connector.

https://help.qlik.com/sense/en-US/online/#../Subsystems/Qlik_Management_Console_help/Content/QMC_Res...

A round certificates there is an example here

https://help.qlik.com/sense/en-us/developer/#../Subsystems/Qlik_Sense_Proxy_Service_API/Content/QPS ...

If running the authentication module on the same machine as the Proxy service you dont have to do anything. If you want to run on the authentication module on another machine you need to export certificates from the QMC and install on the machine you want to use.

http://https://help.qlik.com/sense/en-US/online/#../Subsystems/Qlik_Management_Console_help/Content/...

10,349 Views
0 Likes
dgoehler
Partner - Contributor III
Partner - Contributor III
‎2014-10-29 05:56 PM
Author

In response to Fredrik_Lautrup

I also created a Visual Studio Console Project and with the code as descripted here.

Qlik Support help me, because there is an error in that example:

The Line

string body = "{'UserDirectory':'" + userdirectory + "', 'UserId':'" + user + "'}";

should be changed into that line:

string body = "{'UserDirectory':'" + userdirectory + "', 'UserId':'" + user + "', 'Attributes': []}";

So I can issue a ticket:

"UserDirectory":"PI-QLIKSENSE"

"UserId":"sense_demo01"

"Attributes":[]

"Ticket":"z2GJ7dH5SsQ4sj6p"

"TargetUri":null

But what to do with that regading Single Sign On? There is no OAuth Documentation in the Qlik Sense or Qlik Sense Developer Help.

10,348 Views
0 Likes
Fredrik_Lautrup
Employee
Employee
‎2014-10-31 04:05 AM

In response to dgoehler

God that you get to aquire a ticket.

So the flow now will be

1 configure a virtual proxy in the proxy that uses your authentication code

2 in your code use a library to authenticate your user using Oauth to outlook365.

3 if successful request a ticket for the user

4 redirect the user back to Qlik sense with the ticket

As you see how you authenticate is independent of Qlik sense so here you will need to look in Microsofts dokumentation.

Fredrik

10,356 Views
dgoehler
Partner - Contributor III
Partner - Contributor III
‎2014-10-31 04:08 AM
Author

In response to Fredrik_Lautrup

How do I Redirect the user back to Qlik Sense with that ticket?

10,356 Views
0 Likes