Qlik Community

Ask a Question

Suggest an Idea

Vote for your favorite Qlik product ideas and add your own suggestions.

Announcements
May 18th, Changes to the way you login: using email vs. username. READ DETAILS/WATCH VIDEO

Temporary access pass for QSD authentication

stamos2000
Contributor II
Contributor II

Temporary access pass for QSD authentication

Starting 1st of July 2020 Qlik Sense Desktop (QSD) can only be used if authenticated against Qlik Sense Enterprise (QSE) server with user access.
In our organization, the QSE installation is inside the internal network and, because of network policy, it cannot be exposed to public.
Thus, QSD cannot be used outside our network, whereas, we are expressly interested in using it outside our network!
Please note that the use cases in which we can benefit of Qlik Sense Desktop instead of the corporate client-server Qlik are indeed “outside office” situations where the connection to our corporate VPN is difficult or inconvenient.
Sometimes, further than “outside office” we have even “off-line” situations (while travelling, or in countries or contexts without sufficient band, etc..) so that we may just count on a minimal internet availability to authenticate at the beginning.
We are indeed strongly convinced that the new policy of allowing QSD for Qlik Customers makes sense exactly in these kind of situations.
 
Idea: A functionality for generating an offline "token" or "access pass" valid for 1 week on your Qlik Sense Enterprise server and then use this signed token as a way of authentication for QSD without actually having to connect to the Enterprise server. We can say that this is useful for people using QSD in airplanes or with devices that are not able to establish a connection to internal servers of the organisation.
16 Comments
cjgorrin
Contributor II
Contributor II

Indeed, authenticating against an internal server is a bad idea. In the past, authenticating against cloud.qlik.com was OK, because you only needed Internet. Now you need a VPN, exposing your corporate in-house server to Internet, etc.

I would highly recommend eliminating the need for communication between Qlik Sense Desktop and the Qlik Sense Enterprise server.

A token is a great compromise (no need for connection between servers, works offline, dies after a while) and honestly, you are already paying a very expensive licence for the in-house server. I don't think Qlik should make things so difficult so people in an organisation cannot benefit from the licences they already have.

I support this initiative 100%.

John_Teichman
Employee
Employee

Hello @stamos2000,

Thanks for your idea. Going forward, please use one, and only one, label per post. Please refer to the submission guidelines for more details.

rzenere_methode
Partner
Partner

To be honest, as per your requirements I think this behaviour is already working.

Please refer to this KB article: https://support.qlik.com/articles/000097399

  1. Before you can start using Qlik Sense Desktop, you need to authenticate yourself either with your Qlik Account or against a Qlik Sense Enterprise server. You need to have a working network connection to enable authentication.
  2. After you have been authenticated once, internet access is not required to continue using Qlik Sense Desktop. However, you have to re-authenticate yourself if ten days have passed since you last authenticated, if you have logged out, or if your administrator has revoked your user access for Qlik Sense Enterprise server. If you are using SAML authentication and close the browser, the session ends and the cookie is deleted so you must re-authenticate yourself to start a new session.

 

I tried with QS Desktop June 2020 Patch 1 and for me this is still the working behaviour.
Anyway, I recall that in previous releases if you were connected to the same network as your QS Enterprise, authentication would be required again (even if you authenticated against QS Enterprise a few minutes ago).

In case you're working with QS SaaS (Enterprise/Business) or with the Mobile apps (Android/iOS/...), then you'll need to authenticate yourself each time as far as I know.

I hope this helps,
Riccardo

 

cjgorrin
Contributor II
Contributor II

Dear @rzenere_methode,

What is being asked here is to be able to authenticate using a TOKEN generated in the Qlik Sense Enterprise server WITHOUT needing Qlik Sense Desktop (QDS) to connecto to the server. The current scheme requires connection between QSD and Qlik Sense Enterprise (QSE).

E.g: I go to my enterprise server, click on a button and generate a token (a big string representing a signed token valid for 1 week) that I can then copy and paste into Qlik Sense Desktop. No connection needed between the QSD machine and the QSE server.

This way, employees from companies that don't allow installing QSD on corporate computers could use QSD in their personal machines, for work purposes (because these organisations also don't allow you to connect to the internal network from a non-corporate computer). Also, some organisations work with very sensitive data and computers must be disconnected from any kind of network while dealing with such data. In this case, QSD would be ideal but then also the current authentication based on links and connections to QSE would not work.

We are already paying for the licence, which is not cheap. Would it really be so difficult to implement an alternative authentication mechanism?

I hope this clarifies a bit what is being asked.

Regards,

Celso.

qlikerman
Contributor II
Contributor II

I think what is asked here also applies to a significant percentage of users that use qlik sense desktop and whose company/organization for whatever reason does not / cannot expose their qlik sense server in the internet. 

All these users are now left out of having the advantage to use qsd since they cannot authenticate. The token method suggested in the original post can provide a solution to the problem and sounds like the most appropriate fit as it would satisfy all of the following:

  • practicality
  • ease of implementation
  • security
  • keeping qlik sense  customer and user base  "happy" 
cjgorrin
Contributor II
Contributor II

Dear @qlikerman, this is exactly our case. We have a QAP exposed to the Internet but not the Qlik Enterprise server.

All of us were left hanging by Qlik and I think there should be a solution for it. The signed token seemed to me like a good idea because it eliminates the need for connection between QSD and QSE server.

Thank you for supporting this initiative. Don't forget to "Like" it.

cjgorrin
Contributor II
Contributor II

BTW, what we are asking is exactly the same approach Qlik is using to provide Qlik Sense Desktop to developers (Qlik Branch) using an "unlock file". We would like to be able to generate "unlock files" with our Qlik Sense Enterprise server so they are valid for a limited period of time, without requiring any connection to the server.

morenoju
Partner
Partner

This idea is really good. Looking forward to it.

Caique_Zaniolo
Employee
Employee

Authentications on Qlik Sense Desktop can be used for 30 days in offline mode

Status changed to: Delivered
morenoju
Partner
Partner

Hi @Caique_Zaniolo I may have understood the feature differently then. I thought this was meant for those Qlik Sense Enterpises behind a firewall or VPN where the Qlik Sense Desktop can't reach (not even once).

I see the status marked as delivered. @cjgorrin were you referring to make the authentications last longer or eliminating the need to reach the QSE completely?

Thanks!