Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2024! Seize endless possibilities! LEARN MORE
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
kevinpintokpa
Creator II
Creator II
‎2020-01-28 06:38 PM

Sense / QAP: How to authenticate external users with certificates

We have a QAP system and we have external users A, B and C who are competitors.  We have corresponding apps AppA, AppB and AppC for these users, and they should not be able to see each other's data.

These users have their user IDs and passwords in an Excel file and this is set up in QMC correctly. 

External user A now wants to get to the data in his AppA using API calls to GetTableData().  I am trying to figure out how to let him in, but only to his app.  The first step in my prototype is to authenticate as user A.  I thought that certificates may be a way to accomplish this.  But the documentation and experimentation doesn't make sense to me.  This is what I am reading:

https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/EngineAPI/Content/Sense_EngineAP...

In Example 1 and 2, it seems that if the client provides the certificates and a header that looks like the following, he can assume ANY identity?

headers: { 'X-Qlik-User': 'UserDirectory=internal; UserId=sa_engine' }

Perhaps I am misunderstanding this, but this seems to be me that providing the certificates and this header is sufficient to identify the user as sa_engine or any other user?

Any ideas on how to authenticate external users without them gaining access to all the apps is appreciated.  I am open to non-certificate solutions if they work without requiring witchcraft.

Labels (4)
Labels
868 Views
0 Likes
1 Reply
Marc
Employee
Employee
‎2020-02-02 10:59 PM

Correct, Certificate authentication would allow them to impersonate any user. 

Certificate authentication is NOT what you want to use.

When they connect to Qlik Sense, they can connect either via the proxy service, or directly.

To connect directly they need to use certificates. As this is not a valid option for your use case they will need to connect via the proxy.

Have a look at "Authentication with proxy"

https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/NetSDKAPI/Content/Sense_NetSDKAP...

 

 

How are they trying to make the API calls? C#, Java, PowerShell?

 

In the example:

https://help.qlik.com/en-US/sense-developer/November2019/Subsystems/RepositoryServiceAPI/Content/Sen...

you can replace line 2 "$req.Credentials = [System.Net.CredentialCache]::DefaultCredentials"

with a defined set of credentials.

 

 

818 Views