I have implemented Single sign on (Shibboleth) to authenticated user in my portal and in Qlik sense.
You can choose any auth mechanism. As long as the user is authenticated against Qlik ,then can use mash up without any problem. I have tried almost all including anonymous and it worked like a charm.
In case you are going for ticket auth , I think straight mashup can not work. You need to put forward proxy mechanism and add ticket to the URL dynamically.