Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
partenope
Partner - Creator II
Partner - Creator II

Single Sign On (SSO) to access into Access Point

Hi all,

we work on a QlikView Enterprise Edition Server 11.2 running with IIS and NTFS (Active Directory) Authentication.

We have 2 kind of users:

  1. "Internal Users"
    They are inside the INTRANET. They log in to their PCs using Domain Users and they can access on the Access Point in Single Sign On: Qlik does not show any Login Pop-up and the User is identified Automatically.
  2. "External Users"
    They are users OUT of the Intranet. They log in to their PCs with a "Machine Users" and Access Point, obviously, CAN'T authenticate them automatically.

We, obviously, have SSO problems with the second type of Users.

They access to QlikView Documents through a Web Portal where they log in with an Active Directory User.

They reach QlikView Document using a dynamic link to "opendoc.htm" standard page.

I know "opendoc.htm" can receive USERID and PASSWORD parameters, but they are "Section Access" parameters.

The Web Portal could pass the Active Directory credentials to "opendoc.htm"... But I don't know how opendoc.htm can (if it can) receive the Active Directory User by parameters.

Someone had (and solved) same problem?

Thanks in advance!

13 Replies
Not applicable

I suppose we can try with Anonymous authentication, you can find the details in Server manual.

Thanks,

Sai

partenope
Partner - Creator II
Partner - Creator II
Author

Thanks Sai Vallapu, but we need authentication...

Not applicable

Did you tried with custom directory authentication?

partenope
Partner - Creator II
Partner - Creator II
Author

Thanks Rajesh Pillai, the problem is only how to pass to "opendoc.htm" the Active Directory User to open document without authentication popup when user is out of the intranet...

The only way (but not the best), I think, is manually customizing Authentication.aspx page...

ergustafsson
Partner - Specialist
Partner - Specialist

Hi,

The webserver can't authenticate them automatically as they are outside the domain. If the external users aren't AD users you need a second webserver and use DMS file authorization (for all users) as they do not have NTFS file permissions.

Also, I recommend you to try without the Section Access to see if it helps. Might want to use USERID on Section Access instead of NTNAME.

Regards,

Erik

partenope
Partner - Creator II
Partner - Creator II
Author

Hi Erik Gustafsson,

All the users are AD Users, but some of them access from outside the Intranet (SalesReps for example).

There is no Section Access problem: the only issue is the authentication pop-up when a user access from the Internet: my goal could be a way to pass the AD user name & password to the "direct" link, like Section Access USERID and PASSWORD parameters...

All the External Users access to the Qlik Documents by a direct link, like this:

http://<server_name>/QvAJAXZfc/opendoc.htm?document=document_name.qvw&host=<server_name>

ergustafsson
Partner - Specialist
Partner - Specialist

Hi Dario,

How can the domain trust the external users when they are not logged in from a secure place? You cannot pass the username and password in the URL as you need to be authenticated when entering the QlikView AccessPoint. So if the webserver can't automatically authenticate them, everything works as expected, as it shouldn't. They are outside the domain boundaries and thus is not to be automatically trusted, it would breach security. I would look into some kind of VPN solution or DirectAccess to configure a seamless login.

Regards,

Erik

partenope
Partner - Creator II
Partner - Creator II
Author

Hi Erik,

external users are logged in to a web portal with their credentials and they have a link to the QV Document on the homepage...

My hope is clicking the link and accessing to Document without entering again user & password...

Thanks in advance

D.

ergustafsson
Partner - Specialist
Partner - Specialist

Hi Dario,

If you indeed have a web portal passing credentials and a separate webserver to log these users in, then it is very possible. We have many customers using both Header and WebTicket solutions to make a SSO solutions possible. This might be a bit to in-depth to discuss here, but attached is some documentation on customized authentication. Essentially as long as the webserver can authenticate them automatically (by some server providing their credentials) it can work fine. Usually you need two webserver services as one handles the standard Active Directory NTLM login and one webserver handles customized header/WebTicket authentication. We do not have any features like virtual proxies or similar in the webserver, possibly this can be achieved by IIS, but not sure. There are no extra license costs for an extra webserver, so if there is a dedicated extra machine this should be viable.

Regards,

Erik