How to create an internet facing Single Sign on solution
We need to securely expose our Qlikview documents to some of our customers over the internet.
We already have a custom authentication infrastructure where users log in to other apps via the internet using a username and password that we store in a database, and it is these same credentials that we want to use for them to access Accesspoint. Our authentication environment also has groups that these users belong to.
Can anyone please provide some documentation on how we can get this done? Do we need to use the directory service connectors?
Not sure if your authentication infrastructure is utilizing HTTP header information for SSO between web sites. If it does, you can utilize HTTP header authentication when accessing Accesspoint. What you need to figure out is the name of the HTTP header holding the authenticated user (or group).
Siteminder, for example, stores the logged-on user in an HTTP header named SM_USER. You can then set this header to be used for authentication when accessing Accesspoint. A very short explanation of the architecture and the steps involved when a user logs on in this case would be:
1. User is trying to access Accesspoint (anonymously)
2. An "agent" or ISAPI filter is installed on the web server, which will check if the HTTP header is present and if a value is set (which is not the case, as the user is currently not logged on)
3. The "agent" will redirect the user to the SSO authentication server and the user logs on
4. Once logged on, the user will be redirected back to Accesspoint, now with the correct HTTP header info

1. A user already logged on through SSO is trying to access Accesspoint
2. HTTP header info is present, but the "agent" needs to verify that this header hasn't been tampered with (not very hard to spoof an HTTP header)
3. The "agent" will send some info to the SSO authentication server to verify the header being legit/untampered
4. If OK, the "agent" will allow access to the AccessPoint, which can pick up the HTTP header info
This is a very short explanation of how most SSO solutions work. You could of course also build a solution based on QlikView Server ticketing authentication (I guess someone in here can provide an example) if you don't have an SSO solution in place. I will see if I can dig something up for you if no one else has something.
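To make the second scenario concrete, here is an added illustration (not code from this thread, from Qlik, or from any SSO product) of the check the "agent" has to perform: it must not trust a bare SM_USER header from the client, but only one that arrives with a signature it can verify against the SSO server. The shared secret, the X-SSO-Payload and X-SSO-Signature header names, and the document-to-group mapping are assumptions constructed for the example; real products carry this state in their own cookies or session-server calls.

```python
import hashlib
import hmac
import json

# Assumed shared secret between the SSO server and the agent (constructed for this example).
SECRET = b"example-shared-secret-not-for-production"
USER_HEADER = "SM_USER"            # header name from the answer above
PAYLOAD_HEADER = "X-SSO-Payload"   # assumed: signed user+groups+issue time
SIG_HEADER = "X-SSO-Signature"     # assumed: HMAC-SHA256 over the payload

# Assumed mapping of QlikView documents to the custom groups that may open them.
DOCUMENT_GROUPS = {
    "Finance UK.qvw": {"group\\finance models UK"},
    "Sales.qvw": {"group\\sales"},
}

def sso_issue_headers(user, groups, now, secret=SECRET):
    """What the SSO server attaches after login: user, groups, issue time and a MAC over them."""
    payload = json.dumps({"user": user, "groups": sorted(groups), "iat": now}, separators=(",", ":"))
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return {USER_HEADER: user, PAYLOAD_HEADER: payload, SIG_HEADER: sig}

def agent_verify(headers, now, secret=SECRET, max_age=300):
    """Agent step 2-3: return (user, groups) only if the headers are signed, fresh and consistent."""
    payload = headers.get(PAYLOAD_HEADER)
    if payload is None:                       # no signed payload: treat as not logged on
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get(SIG_HEADER, "")):
        return None                           # tampered payload or forged signature
    data = json.loads(payload)
    if now - data["iat"] > max_age:
        return None                           # stale assertion, force a fresh logon
    if headers.get(USER_HEADER) != data["user"]:
        return None                           # plain SM_USER does not match the signed identity
    return data["user"], set(data["groups"])

def authorize(headers, document, now):
    """Agent step 4 plus the group check: the user the AccessPoint may trust, or None."""
    verified = agent_verify(headers, now)
    if verified is None:
        return None
    user, groups = verified
    # A user in many groups gets access if any one of them is mapped to this document.
    return user if groups & DOCUMENT_GROUPS.get(document, set()) else None
```

In a real deployment the agent also strips any SM_USER header the browser itself sends before setting its own, so the AccessPoint only ever sees a value the agent produced.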
As you say, tampering with the header is not rocket science, and we need this to be as secure as possible. What we would ideally like to do is assign our own custom groups to the different models (i.e. group\finance models UK), and if a user is a member of that group in our internal security groups, then he automatically gets access to that model. What is the mechanism for this check of a user's group membership (i.e. the user that is logging on is a member of 20 groups, one of which applies to the QlikView models)?
We also want to make sure that whatever development we do, it does not break other things down the line like iPhone access etc.
Does this mean I need a directory service connector that will check group membership?