6 Replies. Latest reply: Sep 14, 2011 4:35 PM by mariosaldana

    QlikView Integration with SiteMinder



      I would like to provide external access to my QlikView Server via SiteMinder, but I am having trouble.  I am using AD authentication, but when I connect through the SiteMinder proxy, the QlikView server does not get the username.


      Has anybody in the Community made a similar integration? Any idea?




        • QlikView Integration with SiteMinder
          Dan English

          Hi Mario,


          Using SiteMinder to do SSO with QlikView can be very straightforward. You basically need to be sure that the HTTP_SM_USER HTTP header is being populated correctly by SiteMinder and that the QlikView Web Server setting is set up to use HTTP Header Authentication and you have correctly specified the HTTP Header Name and the Prefix...

          [Screenshot: 8-25-2011 1-34-27 PM.png]

          Be sure that the Header Name matches the HTTP Header that SiteMinder is populating the Authenticated User into.


          If SiteMinder is writing usernames that match those in your AD (i.e. domain accounts) then just be sure your QVS is in NTFS mode. If SiteMinder is writing in names that are not recognized by your AD then you should be in DMS mode (and you should have a strategy for populating the DMS, e.g. manual entry, ODBC DSP, etc.).


          Assuming that you are using NTFS, then as far as Prefix, you may or may not need to add this, depending on exactly how SiteMinder is writing the name into the header. You can use Fiddler or a similar tool to take a peek into the HTTP Header that SiteMinder is setting. If it looks like "MYDOMAIN\MYUSER" then leave prefix blank. If it looks like just "MYUSER" then put your AD Domain in this box. Or you can just try it both ways and see what works.


          Note: A single instance of the QlikView Web Server can either do Windows Integrated Authentication or HTTP Authentication. So if you will need to support both (instead of migrating all users to use SiteMinder) then you will likely need at least two instances of the QlikView Web Server.


          I hope this helps.





            • QlikView Integration with SiteMinder

              Thank you for your input Dan. Another quick question: is this available in version 10?

                • QlikView Integration with SiteMinder
                  Dan English

                  Yes, it is available in v10, and actually available in v9 and earlier, but there you have to edit a config file as there was no UI in the mgmt console to specify the HTTP header name to use in v9, I think.

                    • QlikView Integration with SiteMinder
                      Daniel Rozental



                      Be aware that HTTP Headers are really easy to mess around with; that could expose sensitive information if any of your users figures that out.

                        • Re: QlikView Integration with SiteMinder
                          Dan English

                          Daniel's point above is an important point with regards to HTTP Header authentication. The original post asked specifically about SiteMinder and one of SiteMinder's jobs is to prevent any type of HTTP Header spoofing. In general any correctly configured commercial SSO package (e.g. SiteMinder, WebSeal, Oblix) will prevent HTTP Header spoofing and so will be perfectly safe in this regard.


                          However, I do not recommend that you use HTTP Header authentication without one of these SSO packages. It is possible to configure a custom reverse proxy to provide some protection from HTTP Header spoofing, and some customers may be ok with that level of protection, but if it is my data, I would not go that route.


                          My thinking here is the following... The one thing I know for sure about SiteMinder is that the best hackers in the world have beat their heads against this product for years and years. The one thing I know for sure about any custom security coding I do is that it's completely untested. Maybe I got it perfectly right, maybe I didn't. I'd rather not find out the hard way.


                          But you should NEVER use HTTP Header authentication with no protection against spoofing. HTTP Header Spoofing is taught on the first day of Hacker Kindergarten. It is trivially easy to do with a tool like Fiddler or Firebug. If you are using HTTP Header authentication but are not protecting against HTTP Header spoofing, then you must assume everyone can see everything (i.e. you are not protected at all).
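
What "protection against header spoofing" has to enforce, and how the Prefix setting combines with the header value, as an added example that is not part of the original posts and is not QlikView or SiteMinder code. The proxy address, host and account names are constructed, and the prefix is modelled as a plain string prepend, which is an assumption about how the setting is applied.

```python
import ipaddress

# Constructed values for illustration; none of them come from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # address of the SSO proxy
IDENTITY_HEADER = "SM_USER"


def canon(name):
    """Fold case and '-'/'_' and drop a CGI-style HTTP_ prefix before comparing."""
    n = name.strip().upper().replace("-", "_")
    return n[5:] if n.startswith("HTTP_") else n


def strip_identity_headers(headers):
    """Proxy side: drop every client-supplied copy of the identity header."""
    return [(k, v) for k, v in headers if canon(k) != IDENTITY_HEADER]


def proxy_forward(client_headers, authenticated_user):
    """Proxy side: discard client copies, then set the header from the SSO session."""
    clean = strip_identity_headers(client_headers)
    if authenticated_user:
        clean.append((IDENTITY_HEADER, authenticated_user))
    return clean


def resolve_user(peer_ip, headers, prefix=""):
    """Backend side: return the account name to authorize, or None to reject."""
    ip = ipaddress.ip_address(peer_ip)
    if not any(ip in net for net in TRUSTED_PROXIES):
        return None  # request did not come through the proxy: header is untrusted
    values = [v.strip() for k, v in headers if canon(k) == IDENTITY_HEADER]
    if len(values) != 1 or not values[0]:
        return None  # missing or duplicated header: refuse to guess
    # Assumption: the prefix is simply prepended to the header value.
    return prefix + values[0]


if __name__ == "__main__":
    # Constructed request carrying a client-set variant of the identity header.
    spoofed = [("Host", "qv.example"), ("sm-user", "LA\\admin")]
    forwarded = proxy_forward(spoofed, "jdoe")
    print(resolve_user("10.0.0.5", forwarded, prefix="LA\\"))    # bare name + prefix
    print(resolve_user("203.0.113.9", spoofed))                  # direct hit, rejected
    print(resolve_user("10.0.0.5", [("SM_USER", "LA\\jdoe")], prefix="LA\\"))
```

The last call shows why a Prefix combined with an already domain-qualified header value cannot match an AD account under this model: the result carries the domain twice.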

                            • Re: QlikView Integration with SiteMinder

                              Hello Dan,


                              I have tried the authentication the way you told me and it is not working...


                              The authentication is set in the following way:


                              I have set the Prefix with the domain name (LA\) and neither works.


                              When I open the browser and go to the link got the following result:



                              Any idea why I am getting this window?