Qlik Community

QlikView Management

Discussion Board for collaboration on QlikView Management.

Highlighted
Partner
Partner

Single Sign On (SSO) to access into Access Point

Hi all,

we work on a QlikView Enterprise Edition Server 11.2 running with IIS and NTFS (Active Directory) Authentication.

We have 2 kind of users:

  1. "Internal Users"
    They are inside the INTRANET. They log in to their PCs using Domain Users and they can access on the Access Point in Single Sign On: Qlik does not show any Login Pop-up and the User is identified Automatically.
  2. "External Users"
    They are users OUT of the Intranet. They log in to their PCs with a "Machine Users" and Access Point, obviously, CAN'T authenticate them automatically.

We, obviously, have SSO problems with the second type of Users.

They access to QlikView Documents through a Web Portal where they log in with an Active Directory User.

They reach QlikView Document using a dynamic link to "opendoc.htm" standard page.

I know "opendoc.htm" can receive USERID and PASSWORD parameters, but they are "Section Access" parameters.

The Web Portal could pass the Active Directory credentials to "opendoc.htm"... But I don't know how opendoc.htm can (if it can) receive the Active Directory User by parameters.

Someone had (and solved) same problem?

Thanks in advance!

13 Replies
Not applicable

Re: Single Sign On (SSO) to access into Access Point

I suppose we can try with Anonymous authentication, you can find the details in Server manual.

Thanks,

Sai

Partner
Partner

Re: Single Sign On (SSO) to access into Access Point

Thanks Sai Vallapu, but we need authentication...

Not applicable

Re: Single Sign On (SSO) to access into Access Point

Did you tried with custom directory authentication?

Partner
Partner

Re: Single Sign On (SSO) to access into Access Point

Thanks Rajesh Pillai, the problem is only how to pass to "opendoc.htm" the Active Directory User to open document without authentication popup when user is out of the intranet...

The only way (but not the best), I think, is manually customizing Authentication.aspx page...

Partner
Partner

Re: Single Sign On (SSO) to access into Access Point

Hi,

The webserver can't authenticate them automatically as they are outside the domain. If the external users aren't AD users you need a second webserver and use DMS file authorization (for all users) as they do not have NTFS file permissions.

Also, I recommend you to try without the Section Access to see if it helps. Might want to use USERID on Section Access instead of NTNAME.

Regards,

Erik

Partner
Partner

Re: Single Sign On (SSO) to access into Access Point

Hi Erik Gustafsson,

All the users are AD Users, but some of them access from outside the Intranet (SalesReps for example).

There is no Section Access problem: the only issue is the authentication pop-up when a user access from the Internet: my goal could be a way to pass the AD user name & password to the "direct" link, like Section Access USERID and PASSWORD parameters...

All the External Users access to the Qlik Documents by a direct link, like this:

http://<server_name>/QvAJAXZfc/opendoc.htm?document=document_name.qvw&host=<server_name>

Partner
Partner

Re: Single Sign On (SSO) to access into Access Point

Hi Dario,

How can the domain trust the external users when they are not logged in from a secure place? You cannot pass the username and password in the URL as you need to be authenticated when entering the QlikView AccessPoint. So if the webserver can't automatically authenticate them, everything works as expected, as it shouldn't. They are outside the domain boundaries and thus is not to be automatically trusted, it would breach security. I would look into some kind of VPN solution or DirectAccess to configure a seamless login.

Regards,

Erik

Partner
Partner

Re: Single Sign On (SSO) to access into Access Point

Hi Erik,

external users are logged in to a web portal with their credentials and they have a link to the QV Document on the homepage...

My hope is clicking the link and accessing to Document without entering again user & password...

Thanks in advance

D.

Partner
Partner

Re: Re: Single Sign On (SSO) to access into Access Point

Hi Dario,

If you indeed have a web portal passing credentials and a separate webserver to log these users in, then it is very possible. We have many customers using both Header and WebTicket solutions to make a SSO solutions possible. This might be a bit to in-depth to discuss here, but attached is some documentation on customized authentication. Essentially as long as the webserver can authenticate them automatically (by some server providing their credentials) it can work fine. Usually you need two webserver services as one handles the standard Active Directory NTLM login and one webserver handles customized header/WebTicket authentication. We do not have any features like virtual proxies or similar in the webserver, possibly this can be achieved by IIS, but not sure. There are no extra license costs for an extra webserver, so if there is a dedicated extra machine this should be viable.

Regards,

Erik