Qlik Community

Qlik Design Blog

All about product and Qlik solutions: scripting, data modeling, visual design, extensions, best practices, etc.

Employee

Authentication and Authorization

Authentication and authorization are two important concepts in securing any application.  Let’s start with some simple definitions.  Authentication verifies that the person accessing the system is who they claim to be.  Authorization lets an authenticated user access only the information, and perform only the actions, that their identity permits.

In QlikView these are two distinct activities, performed independently of each other.  This often creates confusion and configuration errors, so let me explain how it works.  When a user gets access to QlikView it is always done in these four steps:

Flow.png

One of the most common misunderstandings is which services take part in which step of the process.

The first two steps, which cover authentication, are handled by the web layer (QVWS or IIS).  The third step is the web layer transferring the authenticated identity (not the credentials) to the QlikView Server over the QVP protocol.  The fourth step, authorization, is handled by the QlikView Server using the group memberships resolved by the Directory Service Connector.

There are some big benefits to this approach:

  1. QlikView does not have to store passwords; they are stored by an identity provider such as LDAP or AD.
  2. Normal procedures for user management can be applied, so adherence to security policies is maintained.
  3. Authentication can be customized without affecting authorization, which gives us the option to use external identity providers such as Google and Salesforce.
  4. All authorization is done in the backend, making it easier to protect.

The role of the Directory Service Connector in the flow is somewhat blurred by the fact that almost all QlikView components use it. The web layer, QlikView Server, QlikView Management Service, and the QlikView Publisher all use the Directory Service Connector for different things.

Most QlikView components use the Directory Service Connector for authorization or to look up information about users.  The exception is custom users: these are authenticated against the Directory Service Connector, which in this special case also stores the users' identities and passwords.

Achitecture.png

Remember, as a rule of thumb: the front-end components handle authentication and the back-end components handle authorization.  I hope this gives you a clearer picture of how QlikView handles authentication and authorization and which components are used in which part of the flow.
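To make the split concrete, here is a small Python model of the four steps. It is an added illustration, not code from QlikView or from this post: the web layer authenticates (against a constructed password store, or by accepting a constructed assertion from an external identity provider), hands only an Identity object across the boundary that QVP represents, and the server authorizes using group memberships that stand in for what the Directory Service Connector resolves. All user names, groups, the document ACL and the salt are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample data. The identity provider (AD/LDAP in the post) is the
# only place a password hash lives; nothing QlikView-side stores one.
_SALT = b"constructed-static-salt"  # a real IdP uses a random per-user salt


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


IDENTITY_PROVIDER: Dict[str, bytes] = {
    "alice": _hash_password("alice-secret"),
    "bob": _hash_password("bob-secret"),
}

# Constructed group membership: the kind of answer the Directory Service
# Connector gives when the QlikView Server asks about a user.
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Finance", "Everyone"},
    "bob": {"Sales", "Everyone"},
}

# Constructed document ACL held by the backend (QlikView Server).
DOCUMENT_ACL: Dict[str, Set[str]] = {
    "Finance.qvw": {"Finance"},
    "Sales.qvw": {"Sales"},
    "Company.qvw": {"Everyone"},
}


@dataclass(frozen=True)
class Identity:
    """What crosses from the web layer to the backend: a name, never a password."""
    user: str
    method: str  # which authentication method produced it


# Steps 1-2: authentication, performed by the web layer (QVWS/IIS in the post).

def authenticate_password(user: str, password: str) -> Optional[Identity]:
    stored = IDENTITY_PROVIDER.get(user)
    if stored is None:
        return None
    # Constant-time comparison so a wrong guess does not leak through timing.
    if not hmac.compare_digest(stored, _hash_password(password)):
        return None
    return Identity(user, "password")


def authenticate_external(assertion: Dict[str, object]) -> Optional[Identity]:
    """Stand-in for an external IdP (Google, Salesforce). The constructed
    'verified' flag represents signature validation done by that IdP's SDK."""
    if not assertion.get("verified"):
        return None
    return Identity(str(assertion["user"]), "external")


# Steps 3-4: identity transfer and authorization, performed by the backend.

@dataclass
class QlikViewServer:
    received: List[Identity] = field(default_factory=list)  # what crossed QVP

    def authorize(self, identity: Identity, document: str) -> bool:
        self.received.append(identity)
        groups = DIRECTORY_GROUPS.get(identity.user, set())  # DSC lookup
        allowed = DOCUMENT_ACL.get(document, set())
        return bool(groups & allowed)


def open_document(identity: Optional[Identity], document: str,
                  server: QlikViewServer) -> bool:
    """Step 3: the web layer forwards only the identity. Step 4: the server
    decides. A failed authentication never reaches the server at all."""
    if identity is None:
        return False
    return server.authorize(identity, document)
```

The point to notice is that swapping authenticate_password for authenticate_external changes nothing on the server side: the server only ever sees an Identity and the group lookup, which is what benefit 3 above relies on, and the password hash never leaves the identity provider, which is benefit 1.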

Have further questions you’d like me to answer?  Leave me a comment!

38 Comments
rajeshvaswani77
Valued Contributor III

Hi Fredrik, thanks for the blog. Has been helpful.

1,204 Views
MVP & Luminary

Hi Fredrik,

Consider a QV11 WebTicket user. If the user clicks the Ajax "Close" button on a document, can they reconnect using the same ticket/cookie? Or do they have to obtain a new ticket for the restore.

-Rob

Employee

The ticket is only valid for a short period of time and can only be used once, so the same ticket cannot be used to re-authenticate.

The session can be used if it is still valid. If you just click Close, the session is still valid and you will not have to re-authenticate using a ticket.

If you close the browser or the session times out, then you would need to re-authenticate using a new ticket.

I hope this answers your question?

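Added example, not QlikView's implementation: a minimal Python model of the two properties Fredrik describes, a ticket that is redeemable once and only for a short time, next to a session that outlives it. TicketStore, SessionStore, the 60-second ticket lifetime and the session timeout are assumptions for illustration; the 1-minute figure is mentioned later in the thread as an approximation, not a documented constant. The clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed lifetimes for the illustration. The 60 s ticket figure echoes the
# "about 1 minute" mentioned later in this thread; neither value is a
# documented QlikView constant.
TICKET_TTL_SECONDS = 60
SESSION_TTL_SECONDS = 30 * 60


class TicketStore:
    """One-time tickets: redeemable once, and only before they expire."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._tickets = {}  # type: Dict[str, Tuple[str, float]]

    def issue(self, user: str) -> str:
        ticket = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._tickets[ticket] = (user, self._clock() + TICKET_TTL_SECONDS)
        return ticket

    def redeem(self, ticket: str) -> Optional[str]:
        # pop() removes the ticket on first use; a replay finds nothing.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() > expires_at:
            return None  # stale ticket: refused, and already discarded
        return user


class SessionStore:
    """Web-server sessions. A session outlives the ticket that started it,
    and closing a document does not end it; logout or timeout does."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._sessions = {}  # type: Dict[str, Tuple[str, float]]

    def start(self, user: str) -> str:
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (user, self._clock() + SESSION_TTL_SECONDS)
        return cookie

    def user_for(self, cookie: str) -> Optional[str]:
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() > expires_at:
            del self._sessions[cookie]
            return None
        return user

    def end(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)


def login_with_ticket(tickets: TicketStore, sessions: SessionStore,
                      ticket: str) -> Optional[str]:
    """The browser presents the ticket once; on success it gets a session cookie."""
    user = tickets.redeem(ticket)
    if user is None:
        return None
    return sessions.start(user)
```

Two choices carry the security property: the ticket is removed from the store at redemption, so a replayed ticket finds nothing, and expiry is checked on redemption rather than left to a background sweep, so a store that is never purged still refuses stale tickets. Closing a document touches neither store, which is why no new ticket is needed in that case.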
MVP

Hi Fredrik, Thanks for sharing this useful information.

Not applicable

Hi Fedrik,

Thanks for the info. We have purchased the QW SBE server license, but we don't have AD in our organization.

I have requested our partner to implement QW SBE Server with LDAP. The partner did some R&D but failed to integrate QW SBE with LDAP for user authentication and authorization. Request you to kindly provide some solution on implementing QW SBE with LDAP. I hope you will surely have a solution on implementing QW with LDAP.

Regards,

Akiv Kandlekar.

Partner

SBE does not support "DMS"-Mode (you can see this in your LEF file).

As SBE only works with file based NTFS Authentication you can only use:

- Active Directory

- local Windows users&groups

For non-Windows authentication (i.e. LDAP) you need a QlikView Enterprise Server.

Not applicable

Dear RVA,

Thanks for your quick response.

Do you mean to say that I can install and implement QW SBE with the help of local users & groups on the same local server as well, since we don't have AD? Is it possible?

Partner

HI!

Yes, local users should work.

- Create a local administrator that runs the QlikView services.

- Create a local user for each of your QlikView users.

Drawback:

You don't get single sign-on for your end users (they always have to type their local user + password to enter the QlikView AccessPoint).

Not applicable

Thanks for this very clear explanation. It is a topic that seems obvious when you understand it but often causes confusion so I will keep a note of your page to refer others to it.

Not applicable

Thanks RVA.

I was initially thinking about the same, but here people are creating unnecessary confusion that without AD, QW SBE Server cannot authenticate or authorize.

Now I will try the option suggested by you, i.e. local users, and revert. I hope it works for sure...!!

Regards,

Akiv Kandlekar

Not applicable

Dear RVA,

I am trying to do the R&D with QW SBE V11 SR2 with local users on Windows Server 2003 R2 Std.

Need your help if you can suggest the installation guide as well as deploying the Named and DOC CAL licenses, as we are using the local users and groups of the QlikView server. It will be of great help.

Thanks,

Akiv Kandlekar

Employee

I think the best solution for you, as it is an implementation-specific question, is to contact support and let them guide you.

Regards

Fredrik

Not applicable

Hey guys, 

I am given a task to calculate the frequency of calls across a territory. If the rep called a physician regarding the sale of the product 5 times, then the frequency is 5 and the HCP count is 1. I generated frequencies from 1 to 124 in my pivot table using a calculated dimension, which is working fine. But my concern is:

My manager wants frequencies up to 19 in order, 1, 2, 3, 4, 5, 6, ..., 19,

and from frequency 21-124 as 20+.

I would be grateful if someone helps me with this. Eager for the reply.

thebestbrew
New Contributor

Hi Fredrik,

Good article, thanks. I have a scenario not specifically addressed in the documentation. We are implementing the Small Business Edition at this point.

We have a multi-domain environment without trusts, and users will be in different domains, probably accessing different QV applications. We will want to use one of those domains for authenticating its users (the majority of users), and that domain's AD is located on the same network as the QVS.

Reading the server guide and your article, can you confirm whether we can run 2 web sites, one using IWA and the other using custom users for authentication, as long as we can separate the documents? Are there any specific problems which we'll need to address for this configuration?

Thanks in advance

Frank

Employee

So technically you can support multiple ways of authentication using multiple web servers. The limitation is that we can only support one authentication method per web server.

I'm not an expert in our licenses so there might be restrictions in the Small Business Edition that limit this but technically it is possible.

//Fredrik

thebestbrew
New Contributor

Thanks for your prompt response, Fredrik.

I'll post separately on the license issue.

Frank

Support

Hey Frank,

I just wanted to answer you here: Custom Users will not work with the Small Business Edition license due to the need to run QVServer in DMS security mode when using the Custom Directory DSP, and this is not allowed with the Small Business Edition license.

What you could do, though, is use the Local Directory DSP on the server to create accounts for the folks you were considering creating in the Custom Directory, and the license should be able to handle things, as Local and Active Directory are both supported in the Small Business Edition license.  Hope this helps.

Regards,

Brett

thebestbrew
New Contributor

Thanks for the tip Brett. Appreciated.

Frank

Luminary

Hi Fredrik,

Fredrik Lautrup wrote:

The ticket is only valid for a short period of time and can only be used once, so the same ticket cannot be used to re-authenticate.

The session can be used if it is still valid. If you just click Close, the session is still valid and you will not have to re-authenticate using a ticket.

If you close the browser or the session times out, then you would need to re-authenticate using a new ticket.

I hope this answers your question?

Why do I see different tickets for the same user and same session in the Event Log? I'm not closing the session, nor the browser. What is the time period for a single ticket? Can this be controlled by the admin?

Thanks in advance.

Cheers,

DV

Employee

I think that the timeout for a ticket is 1 minute and it is not configurable. I'm unsure why you see more than one ticket. A ticket is only needed when you need to re-authenticate, which should only happen if you don't have a session or the session is invalid.

Do you have more than one web server that you load balance between? A session is only valid within a web server, so if you end up on another you will need to re-authenticate.

Luminary

Many thanks for the quick response. Here is what I get in event log:

Ticket Lookup: Ticket xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx was found.

Does this mean it's assigning a new ticket or just looking up? Because I've tried to search with the ticket ID and it's not available in the event (i.e. unique ticket each time) but it says "Ticket Lookup" in the event log message. This is confusing me.

Also, another question - We don't need a new ticket when we switch from AJAX to IE-Plugin or vice-versa, is this right?

Thanks again for your assistance.

Cheers,

DV

Employee

So there might be some confusion here, so I wrote a blog post about just this confusion:

What is a QlikView session?

So what I think you are referring to is the backend ticket that is used to create a connection between the server and the web server, rich client or plugin. These are created for every new session, which in the server is defined as a user to a document. So in these cases you should get multiple tickets for a user.

The other scenario, and the one I refer to above, is web ticketing, which is a way to integrate with authentication solutions.

Luminary

Okay. That makes sense now. So these multiple tickets shown in the event log are related to the connection between the Web Server/QVP and QVS (basically, the 2nd leg, compared to the 1st leg, which is the AJAX client to the Web Server).

Also, another question: we don't need a new ticket when we switch from AJAX to IE-Plugin or vice versa, is this right?


Many thanks for clarification.


Employee

I'm unsure if a new ticket is needed when you move between AJAX and IE-Plugin.

If both go through the web server there should be no new ticket needed. But as I said I'm not sure.

Not applicable

HI Fredrik,

I saw your post and it's really helpful. I have a scenario.

1) We have a customer portal which is built on Oracle Framework Manager; all the user accesses are maintained in Oracle Identity Manager (OID), which is nothing but LDAP.

2) I have a QlikView 11 Enterprise setup with QlikView Web Server configured. I can successfully import the users which are in OID by using the LDAP directory in the QlikView Management Console; however, I need to integrate those users so that a user need not pass his credentials to log in again in the QlikView AccessPoint. Currently we don't have any SSO software in between.

Any suggestion how I can integrate LDAP and the QlikView AccessPoint without SSO? If not, how can I use SSO software to enable single sign-on from the customer portal to the QlikView server?

Your suggestions will help in my setup. Let me know if you need further details on the same, please.

If you have good documents that I can refer to, please forward them to suleman.imrankhan@gmail.com

Set up

OID(LDAP) on Solaris Box

Qlikview 11.2 Enterprise with Qlikview Webserver on Windows BOX with 64 GB of RAM

Regards

Imran Khan

Employee

The most frequent solution I see in these cases is the use of a reverse proxy to solve SSO. Most SSO solutions have this type of tool that can be deployed in front of QlikView and handle the authentication of the user before they are sent to QlikView.

In QlikView we have the concept of header authentication, so that the reverse proxy, once it has authenticated the user, can forward the user information through an HTTP header.

I hope this guides you towards finding a solution that works in your specific case.

Regards

Fredrik

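Added example, not QlikView's code or configuration: with header authentication the check that matters most is that the web server honours the user header only when the request really came from the reverse proxy. Otherwise any client that can reach the web server directly can set the header and become anyone. Shown below in Python: a weak version that reads the header from any request, the hardened version that first checks the TCP peer against an allow-list of proxy addresses, and the proxy side, which strips any client-supplied copy of the header before setting its own. The header name X-Qlik-User and the proxy network 10.0.0.0/24 are constructed placeholders; the real header name is whatever is configured in the web server.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed header name. The real name is whatever is configured in the web
# server; this one is a placeholder for the example.
USER_HEADER = "x-qlik-user"

# Constructed allow-list: only the reverse proxies that performed the
# authentication may assert a user via the header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def user_from_header_unsafe(headers: Dict[str, str]) -> Optional[str]:
    """Weak setting: believes the header regardless of who sent the request."""
    return _lower_keys(headers).get(USER_HEADER)


def user_from_header(remote_addr: str, headers: Dict[str, str],
                     trusted: Iterable[Network] = TRUSTED_PROXIES) -> Optional[str]:
    """Hardened: the header is honoured only when the TCP peer is a trusted
    proxy. Anything else is unauthenticated, even if it carries the header."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        return None
    user = _lower_keys(headers).get(USER_HEADER, "").strip()
    return user or None


def proxy_forward(client_headers: Dict[str, str],
                  authenticated_user: str) -> Dict[str, str]:
    """Proxy side: after authenticating the client, drop any client-supplied
    copy of the user header and set the proxy's own. Overwrite, never merge."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != USER_HEADER}
    forwarded["X-Qlik-User"] = authenticated_user
    return forwarded
```

The peer-address check should be backed by network controls so that only the proxy can reach the web server's listener; an allow-list alone does not help if the proxy can be bypassed at the network level. The proxy must always overwrite rather than merge the header, as proxy_forward does, or a client-supplied duplicate may be the one the web server reads.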
raajeshn
Contributor

Hi Imran,

I have a similar situation - do you have any pointers on how you addressed this issue? Thanks for your support.

Thanks & Regards,


Raajesh N

Not applicable

Hi,

I have a doubt. In the authentication and authorization process, is the work of the QlikView services because of Section Access? If not, then is Section Access completely a second layer of security?

-Thanks

Employee

So there is one authentication process in QlikView which is done in the web server.

Then there are multiple access control systems

  • Section access for data
  • NTFS authorisation for those running with Windows Users
  • DMS mode for those running non-Windows users

The different access control systems will work together to add security to the data and resources (QVWs).

Regards

Fredrik

Support

Hi,

To state, you need to change the above to Always. Then on the client you need to put the QV Web Server into Trusted Sites or enable the Intranet zone.

Bill
