5 Replies Latest reply: Oct 19, 2017 9:39 AM by Martijn Biesbroek RSS

    Authentication using session module.

      I have some problems setting up qlik sense server installation to use the session module for authentication.

       

      I want to be able to authenticate my users externaly, use the session api to create a session in the qps and then authenticate using the received token (as described here)

      https://help.qlik.com/sense/en-us/online/Subsystems/ServerDeploymentConfiguration/Content/Server/Server-Security-Authent…

       

      By using the example posted here (flautrup/SessionAPITestModule · GitHub) I've managed to create the session tokens that I need. But I don't understand how to configure qlik to use the tokens as authentication. After I set the cookie X-Qlik-Session to the token received I still get redirected to host:4244/windows_authentication/?targetID=a0aa.... i.e. windows authentication.

       

      How can I configure Qlik to use the session cookie as authentication instead.

       

      /Viktor

        • Re: Authentication using session module.
          Tanvi Madan

          hi,

          can please explain how are you able to get the session tokens with the help of sessionAPITestModule?? I am using the same code module but if i provide a url on selectuser.htm it gets redirected to that url without establishing the session. and if am not providing the url its give me error.

           

          Just wanted to know how are you able to get the session token ??

           

          Regards,

          Tanvi

          • Re: Authentication using session module.

            Hello Viktor,

             

            Did you solve your problem using the API Session Module approach?

             

            I tried playing with the SessionAPITestModule too, but ran into issues with "Error: socket hang up" in node.js.  I was able to read the node.js code and see the cookie get set for my localhost domain though.  So, my understanding is that the Qlik session wasn't created in their SessionModule.  This git demo may be broken?

             

            You said your issue was that you didn't know how to configure Qlik to use the API Session tokens (via cookies) as authentication.  What was your solution?

            • Re: Authentication using session module.

              Hi. Did you ever resolve this? We are in the process of deploying Qlik and we want to use the Session Module.

               

              While we did find the Session API information, we have a few questions about it:

              - We cannot find in the QMC where to enable or configure the Session Module. We don't know the [session_module_root]

              - What does ""UserDirectory" mean for the request?

              - When a user logs out, are you supposed to Delete the session?

               

              I would appreciate any help on any of these questions.

               

              Thanks,

               

              Facundo

                • Re: Authentication using session module.
                  Vegard Bakke

                  This is long overdue, but the Session Module is seriously mal-documented from Qlik. And the modules on GitHub are so fractured, it like putting together a jigsaw puzzle of a whiteout during an arctic blizzard.

                   

                  For anyone else that happens to be in this Qlik deserted spot, here are some of the latest clues I've managed to figure out.

                   

                  • Using Session Module, the client browser and the 3rd part Session Module MUST be on the same URL domain.
                    (You should be able to have them on different machines, behind a reverse proxy, but the browser must think it is on the same URL host, otherwise it simply won't pass on the session cookie. Obvious, maybe. But not well emphasised in the docs.)

                   

                  • Configure the virtual proxy to use Session Module (your question, Facundo) go to the QMC
                    In the Creating a virtual proxy ‒ Qlik Sense, under Integration, and insert a URL in Session module base URI (referred to as [session_module_root] in Get session ‒ Qlik Sense)

                  • CRUCIAL POINT (I think): The Session Module is not provided by Qlik! You have to provided implement in your 3rd party Session Module. As documented in the Qlik Sense' Session API (not to be confused with your Session Module API. But very similar, aren't they.  : )

                  • Unknown area I: I've just received slightly modified version of SessionAPITestModule which implements the GET method, only.
                    app.get('/session/*', function (req, res) {
                    And it does this by calling the POST method to the Qlik Sense Session API (basically the createSession() function in the SessionAPITestModule), and return this back to the original sender. (Which is Qlik Sense.)


                    The sample I received does not implement the POST and the DELETE method for the [session_module_root]. However, I do receive DELETE requests from the Qlik Sense engine when I a Qlik session expires.

                  • Unknown area II: GET and POST. After receiving an initial GET /session/<sessionID> from Qlik Sense, I get three new requests with POST /session and no body.
                    I get no indication of the actual user, so I'm a bit unsure of what to do, and respond.
                    Updated 2017-07-21: I forgot a 'app.use(bodyParser.json());' in the top of my code. Now, I receive session object for NONE\anonumousXXXXX before the client is given the font files and extensions/schema.


                  • Unknown area III: The ticket URI. My feedback from Qlik Support, leaves the QMC - Virtual proxy - Authentication - Authentication module redirect URI blank.

                    However, occasionally, my browser is redirected to the default Windows authentication URL. Or if I fill in the "Ticket redirect URL" (above), I get redirected to my ticket URL.  Not sure why.

                   

                   

                   

                  As for the UserDirectory, you may freely choose this, (e.g. 'SSO') to distinguish users logged in via this virtual proxy, from users logged in via other means. (I.e 'SSO\john', may not be the same user as 'MYDOMAIN\john'.)

                   

                   

                  Under QMC - Licenses and tokens - User access rules, you may create a new rule to allow SS users access to given documents.

                  (E.g. user.userDirectory="SSO")

                   

                   

                   

                   

                  If anyone has any more information, corrections, etc about the session module mystery in Qlik Sense, please update this thread, and we might be able to get this troll out in the open, so that it bursts....

                   

                   

                  Cheers,

                  Vegard Bakke