Qlik Community


QlikView Integration with SiteMinder

Hello,

I would like to provide external access to my QlikView Server via SiteMinder, but I am having trouble. I am using AD authentication, but when I connect through the SiteMinder proxy, the QlikView server does not get the username.

Has anybody in the Community made a similar integration? Any idea?

Regards,

Mario

1 Solution

Accepted Solutions
Not applicable
Author

Hi Mario,

Using SiteMinder to do SSO with QlikView can be very straightforward. You basically need to be sure that the HTTP_SM_USER HTTP header is being populated correctly by SiteMinder and that the QlikView Web Server setting is set up to use HTTP Header Authentication and you have correctly specified the HTTP Header Name and the Prefix...

8-25-2011 1-34-27 PM.png

Be sure that the Header Name matches the HTTP Header that SiteMinder is populating the Authenticated User into.

If SiteMinder is writing usernames that match those in your AD (i.e. domain accounts) then just be sure your QVS is in NTFS mode. If SiteMinder is writing in names that are not recognized by your AD then you should be in DMS mode (and you should have a strategy for populating the DMS, e.g. manual entry, ODBC DSP, etc.).

Assuming that you are using NTFS, then as far as Prefix, you may or may not need to add this, depending on exactly how SiteMinder is writing the name into the header. You can use Fiddler or a similar tool to take a peek into the HTTP Header that SiteMinder is setting. If it looks like "MYDOMAIN\MYUSER" then leave prefix blank. If it looks like just "MYUSER" then put your AD Domain in this box. Or you can just try it both ways and see what works.

Note: A single instance of the QlikView Web Server can either do Windows Integrated Authentication or HTTP Authentication. So if you will need to support both (instead of migrating all users to use SiteMinder) then you will likely need at least two instances of the QlikView Web Server.

I hope this helps.

Regards,

Dan

Not applicable
Author

Thank you for your input, Dan. Another quick question: is this available in version 10?

Not applicable
Author

Yes, it is available in v10, and actually available in v9 and earlier, but there you have to edit a config file as there was no UI in the mgmt console to specify the HTTP header name to use in v9, I think.

danielrozental
Master II

Mario,

Be aware that HTTP Headers are really easy to mess around with; that could expose sensitive information if any of your users figures that out.

Not applicable
Author

Daniel's point above is an important point with regard to HTTP Header authentication. The original post asked specifically about SiteMinder, and one of SiteMinder's jobs is to prevent any type of HTTP Header spoofing. In general any correctly configured commercial SSO package (e.g. SiteMinder, WebSeal, Oblix) will prevent HTTP Header spoofing and so will be perfectly safe in this regard.

However, I do not recommend that you use HTTP Header authentication without one of these SSO packages. It is possible to configure a custom reverse proxy to provide some protection from HTTP Header spoofing, and some customers may be ok with that level of protection, but if it is my data, I would not go that route.

My thinking here is the following... The one thing I know for sure about SiteMinder is that the best hackers in the world have beat their heads against this product for years and years. The one thing I know for sure about any custom security coding I do is that it's completely untested. Maybe I got it perfectly right, maybe I didn't. I'd rather not find out the hard way.

But you should NEVER use HTTP Header authentication with no protection against spoofing. HTTP Header Spoofing is taught on the first day of Hacker Kindergarten. It is trivially easy to do with a tool like Fiddler or Firebug. If you are using HTTP Header authentication but are not protecting against HTTP Header spoofing, then you must assume everyone can see everything (i.e. you are not protected at all).
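
The spoofing protection discussed in this thread, sketched as an added example that is not part of any post and is not SiteMinder or QlikView code: the proxy discards every client-supplied spelling of the identity header before setting it from its own session, and the backend honours the header only on connections from the proxy. The function names, the proxy address `10.0.0.5` and the sample user names are assumptions.

```python
import ipaddress

IDENTITY_HEADER = "HTTP_SM_USER"  # header name as given in the thread
# Constructed address: the only host allowed to assert an identity (the SSO proxy).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

def canon(name):
    """Fold case, '-' vs '_' and a CGI-style 'HTTP_' prefix so spelling variants compare equal."""
    n = name.upper().replace("-", "_")
    return n[5:] if n.startswith("HTTP_") else n

def proxy_forward_headers(client_headers, authenticated_user):
    """Proxy side: discard every client-supplied variant of the identity header,
    then set it only from the proxy's own authenticated session (None = no session)."""
    target = canon(IDENTITY_HEADER)
    out = [(k, v) for k, v in client_headers if canon(k) != target]
    if authenticated_user:
        out.append((IDENTITY_HEADER, authenticated_user))
    return out

def backend_identity(peer_ip, headers):
    """Backend side: accept the identity header only on connections from the proxy,
    and only when exactly one non-empty value is present."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None  # direct connection that bypassed the proxy
    target = canon(IDENTITY_HEADER)
    values = [v.strip() for k, v in headers if canon(k) == target]
    if len(values) != 1 or not values[0]:
        return None  # missing, empty or ambiguous identity
    return values[0]

# Constructed sample request: the browser supplies its own identity headers.
SAMPLE_CLIENT_HEADERS = [
    ("Host", "qv.example.test"),
    ("sm-user", "LA\\someoneelse"),
    ("HTTP_SM_USER", "LA\\someoneelse"),
]

if __name__ == "__main__":
    forwarded = proxy_forward_headers(SAMPLE_CLIENT_HEADERS, "LA\\mario")
    print(forwarded)
    print(backend_identity("10.0.0.5", forwarded))
    print(backend_identity("192.0.2.44", SAMPLE_CLIENT_HEADERS))
```

The peer-address check stands in for a network restriction: the web server should also be unreachable except through the proxy, so that no request can arrive with a header the proxy did not set.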

Not applicable
Author

Hello Dan,

I have tried the authentication the way you told me and it is not working...

The authentication is set in the following way:

auth_console.JPG

I have set the Prefix with the domain name (LA\) and neither works.

When I open the browser and go to the link, I get the following result:

qv_window.JPG

Any idea why I am getting this window?

Regards,