Qlik Community

QlikView Documents

Documents for QlikView related information.

An introduction to QlikView Security using Web Tickets

Employee
Employee

An introduction to QlikView Security using Web Tickets

QlikView provides a range of features to allow users to login and view documents using Single Sign On with a range of different technologies. A high level document detailing all of the various security options in QlikView can be found here this article covers the “Web Ticketing” approach and provides an example to get started from.

This document is intended for QlikView professionals and requires some understanding of security technologies and a small amount of programming and web technologies.

So what is a Web Ticket and when would I use one? 

At a high level a QlikView Ticket is a way to seamlessly transfer the identity of a user from one system into QlikView.  This however can be useful approach in a number of scenarios so lets look at where you could use it.

Please note: Web Ticket was added to QlikView in version 11, an older version of a similar method was available prior to this but carried a number of limitations. From this point forward we will focus on QlikView 11 and Web Ticket.

          Scenario 1 – im already logged into a portal or website and now want to use QlikView


Let’s say you are logged into your company’s in-house built sales portal, when you logged in your gave this portal your user ID and password and the portal checked these against a database to be validated. Once logged in it creates a session for you and lets you look at all the pages you are permitted to.   This application now trusts who you are.

Now your company has added QlikView and they want users to be able to navigate between content on the portal server and content on the QlikView server but they want it to be seamless and you shouldn’t need to log in again, only the applications know nothing about each other and QlikView doesnt know about the database with user IDs in.

QlikView needs a way to trust the users session from portal when being passed over.  Using a the QlikView web ticket mechanism it is possible to set up a hand shake between the portal and QlikView so the portal can securely transfer a users session over.  QlikView has established a trust between itself and the Portal application to be able to identify the user when they browse to QlikView content.

          Scenario 2 – QlikView used in isolation, users stored in a database or LDAP


Lets assume we have list of user IDs and passwords held in a database or LDAP directory. QlikView doesn’t provide a “custom” login page that can handle the authentication of these users.

In this scenario a login page can be build which handles the user authentication part and then uses the Web Ticket mechanism to pass that user identitity into QlikView.  In this case QlikView has still set up a Trust with an application, as in the above case, only here that application is just a single web page.

          Other Scenarios

     There are a range of other scenarios where this approach could be used such as those listed below. Of course there is more than one way of           achieving security integration and using Web Ticket is just one method of achieving them:

      • Login with Group information/SAML – Web Ticket allows you to not only send the username but the membership of groups too.  This can make administration of what the user can subsequently see much easier
      • Login from dozens of online systems – eg Login with your Facebook ID, Google account, Salesforce.com account.  If you do not wish to hold any user credentials for QlikView you could rely on online sources for identity also

How does Web Ticket work

Below are the steps that typically occur when using ticketing, sometimes there can be more or less steps depending on the scenario.

    1. A new login page is created and its first task is to obtain the Identify of the user
      • If the page is being added to a web Portal or application this can easily get the current user ID from their active session
      • If the page is standalone it might provide a form to enter a user id and password and validate them first (this is the example provided below)
      • In either case a range of technologies could be used to do this.
    2. QlikView is set up so that it trusts this login page to pass over validated users (see below for options)
    3. The login page now makes a request to QlikView which says “I have a user I Trust called FRED, can I have a ticket for him”
    4. QlikView returns a ticket to the login page which takes the form of a long string and internally records the user that is represented by that ticket
    5. The login page now builds a URL to the QlikView server address adding the ticket into the URL, the user is then redirected to that URL
    6. When the user hits the QlikView server, it extracts the ticket checks its list of approved tickets and if its valid, the user is then sucessfully logged into QlikView as FRED

A couple of notes on web tickets

    1. A ticket once created it valid for 2 minutes, if it is not used in that time is destroyed
    2. Once a ticket is used to establish a session it cannot be used again.  Within that session a user can open several documents
    3. A web ticket can be used to open a single document or the QlikView Access Point
    4. Web Tickets can be used with features such as Clustering and Document chaining
    5. For information QlikView 10 and prior ticketing had the following limitations that are NOT present when using Web Ticket.
      1. Could only open one document, and could not use the Access Point
      2. Could not use clustering
      3. Could not support document chaining

How to implement Security using Web Tickets

To use web tickets there are two area that need to be address The Code in your login page and the Server Configuration.

The configuration of QlikView:

    • First of all, while not mandatory it can be easier to use IIS for the QlikView Web Server when working with ticketing. It may be required to host your login page anyway.
    • QlikView needs to be an Enterprise Edition Licence
    • QlikView needs to be running in DMS mode for security (see manual)
    • The QlikView web site in IIS needs to be set up to use Anonymous permissions – it will be expecting windows permissions by default – specifically it is the QVAJAXZFC directory that needs its permission changing.
    • QlikView needs to trust the code asking for the ticket.  There is a web page within the QlikView web server called GetWebTicket.aspx which handles requests for tickets, this will only return a ticket to a trusted user/process and this is identified using one of two options
      • Option 1 – use windows permissions
        • The code or process asking for a ticket needs to run as or provide a windows user identity. The user ID must be a member of the QlikView Administrators windows group on the QlikView server.
        • As the GetWebTicket page runs under the QVAJAXZFC directory on the web server and one of the above steps made the directory work with Anonymous users – for this page only – enable windows authentication in IIS
        • Now the Login page must authenticate itself when requesting a ticket as a windows user and that user must be a QlikView Administrator. In the attached example the login is hardcoded, however this could be configured in other ways
      • Option 2 – use an IP address white list
        • For some code technologies NTLM is not available or it may just not be appropriate to use it. For these scenarios a “white list” of approved IP addresses can be used rather than a named user.  Using this approach the GetWebTicket page will only return a ticket to code running from a specific IP address
        • To configure this option:
          • Open the web server config file from C:\ProgramData\QlikTech\WebServer\config.xml
          • Locate the line  <GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx" />
          • Replace it with the following specifying the IP address(s) of the web server(s) running the code

<GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx">

      <TrustedIP>192.168.0.1</TrustedIP>

</GetWebTicket>

          • Save and restart the web server

The Code & Example:


The function to request a ticket is a fairly simple HTTP post command which returns a ticket as a string, this method can be used by a wide range of technologies.  The examples provided here use asp.net but it can easily be adapted for PHP, Java and others.

In its raw form the HTTP Post entry to the getwebticket.aspx page on the QlikView server looks like this:

     <Global method="GetWebTicket">

               <UserId>FRED</UserId>

               <GroupList><string></string></GroupList>

               <GroupsIsNames>true</GroupsIsNames>

     </Global>

The response containing the ticket should look like this:   <Global><_retval_>ABC123XYZ567FGH456</_retval_></Global>

The above raw commands need to be embedded into the code for the login form, the attached example is intended to be a basic demonstration of how to use these commands using asp.net.  The example provides no actual logic to authenticate the user against anything but provides the framework to add it in.   The example takes the form of a simple login page asking for a user ID, password and optional groups, for cases where you already have the identity of the user then the UI from the example could be removed to give a seamless login from one system to another.

The first part of the example is the login form, this is just a simple form with three boxes.

login.PNG

Once the login button is clicked there is a Login function that is called.  This function in the example does nothing and always says the user is valid: here you would need to provide code to suit your environment, the example just trusts the entry automatically.

                loginOK = ValidateUser(username, password);

Following user validation the next function makes the HTTP post to request a web ticket.  The code requires the input of the URL of the QlikView server and in this case embeds a userid and password which has permissions to ask for a ticket (see notes on setting up QV trusts).

  ticket = getTicket(username, groups, ticketinguser, ticketingpassword);

Once the ticket irs retuned a URL is build and the user is redirected to either the access point or to a single document.

              

             Response.Redirect(RedirectLink);

You should now be redirected to the QlikView AccessPoint and be logged in at the user specified in the form and see the documents that user is permitted to see.

AP.PNG

This is a basic example of how to using the web ticket function.  I have written comments into the code example so that you may be able to follow through what is happening. I have also left the example as a single aspx file so you can edit it and use it with Notepad rather than visual studio.

I hope it is helpful in building you own login pages to QlikView using Web Ticket!!

Labels (2)
Attachments
Comments
Not applicable

Hi,

Nice post.

although can you tell me how can I do the same in JAVA with QVWS instead of IIS.

Thanks

Ankit

0 Likes
Employee
Employee

Hi Ankitsawa,

So Java cant use NTLM so you would be looking at using the IP white list for security as described above.

Im not great at Java coding so i cant directly translate the code but the objective you needs to achieve is to do a HTTP Post command from Java and that post needs to contain

   <Global method="GetWebTicket">

               <UserId>FRED</UserId>

               <GroupList><string></string></GroupList>

               <GroupsIsNames>true</GroupsIsNames>

     </Global>


0 Likes
Partner
Partner

Thanks it's working fine.

0 Likes
Not applicable

Hi Joe,

The code is working. However, when I implemented SSL on the website, it throws me an error (403) Forbidden. Do I need to disable the SSL on the GetWebTicket.aspx file? I had done that but it return null for the ticket. Which settings that I had missed?

I had tried to disable certificate for the whole QVAJAXZFC virtual folder. No luck too. Return null for the ticket. The i tried to removed the certificate from the website. Now its not working anymore. Is this a bug on the server?

Thanks and Regards,

YSL

0 Likes
danielrozental
Honored Contributor II

Funny, I just had a similar situation today.

No need to disable SSL or certificates. How are you doing the getwebticket.aspx request? Make sure you're accepting all certificates in that call, something like this http://stackoverflow.com/questions/526711/using-a-self-signed-certificate-with-nets-httpwebrequest-r....

Also, authentication to web folders should be set to anonymous enabled, windows authentication disabled but the getwebticket.aspx file should be set to anonymous disabled, windows authentication enabled.

And make sure the user doing the call is a qlikview administrators group member.

At least that's what worked for me.

0 Likes
danielrozental
Honored Contributor II

Joe, is it possible to access an application through a direct link including the webticket information to be open in Plugin?

It was possible with plain tickets but I've not been able to find out how to do it with webtickets.

0 Likes
Employee
Employee

Yes it should work fine.  In the attached example you will see a URL and one of the parameters is the "Try URL" this is where the user is directed after login is completed.  In the example it is "...try=/qvajaxzfc/opendoc.htm..."  just swap qvajaxzfc for qvplugin and it should work.

I dont have test environment to hand right now but i think that is all you need.

0 Likes
danielrozental
Honored Contributor II

Yes, I figured it should be something like that, tried

/qvajaxzfc/authenticate.aspx?type=html&try=/qvplugin/opendoc.htm?document=SAMPLE.QVW&webticket=EbF2DpsruhFYzbRna/ceC/Jd8PVsLOU8Ymh0CX/8

But it didn't work. Ajax works fine though.

If you run into the correct syntax please post it here. Many thanks.


0 Likes
Employee
Employee

OK, so i had a quick look at a V11 server but didnt have time to set up ticketing all the way.

Try putting this in the Try URL

      /QvAJAXZfc/AccessPoint.aspx?open=&id=QVS@servername|Folder/appname.qvw&client=Plugin

The QVS@servername is the lable you apply to your QVS in the QMC

0 Likes
danielrozental
Honored Contributor II

Thanks Joe, but I still can't get it to work, must be doing something wrong.

I added the webticket parameter to the link you posted and it completely disregards it.

0 Likes
Version history
Revision #:
1 of 1
Last update:
‎2012-11-05 12:24 PM
Updated by: