4 Replies Latest reply: May 15, 2013 5:04 PM by Minh Nguyen

    SSO via Form Posting

    Jeremy Fourman

      Hi all,

       

      A client has a portal that they use as an SSO platform for other applications in their environment. The requirement is that AccessPoint allows the same.

       

      We currently are using Active Directory + IIS + NTFS for authentication and authorization, and this has been set up for a few weeks and is working well. I only began to tackle this new requirement yesterday. The current way, as far as I understand, is that the client portal will do a form POST to AccessPoint with the username+password combo and that I will need to handle the authentication at AccessPoint.

       

      So with this in mind I have followed the instructions in the Expert Services document "Overwrite Authenticate.aspx in QV10".

      I have modified all the files and have them in place, my Authentication type is Ntlm and I am using an 'Alternate Login Page (web form)'.

       

      So after I did all this I created a form that posts to AccessPoint, but all I ever receive back is an empty page from

      http://mysite.com/QVAjaxZfc/Authenticate.aspx

       

      I have placed some code that just writes out "im here" etc into Authenticate.aspx, which is telling me it is making it to and past a couple key areas within Page_Load

      IUser user = new QlikView.AccessPoint.NamedUser(username, null, true);

      QlikView.AccessPoint.User.GenericAuthentication(context, user);

       

       

      So with that said I have a couple questions.

      1. Anything blatantly obvious that I am doing wrong as to why I always get an empty page back when I would expect at the very least an AccessPoint header image?

      2. Where can I find documentation on the .Net functions I listed above (maybe I am calling them wrong or the document is incorrect?) I have been able to find next to nothing for this.

       

      Any advice or insight will help greatly!

       

      Thanks

       

      -Jeremy

        • SSO via Form Posting

          Hi Jeremy,

           

          What is the requirement? The user logs on to the external portal and accesses the QlikView document directly within the portal, and the document is opened based on security defined in QlikView -> this requires setting up the ticketing system.

           

          The ticketing system requires IIS because it's basically an ASP or C# page that is called from the external portal: we pass the username as a parameter, and it returns a QVS ticket corresponding to the identity of the user. Once you have the ticket, you display the opendoc URL with the ticket in it as a link or in an iframe inside the portal.

           

          PS: As the user identity comes from an external portal and does not correspond to a Windows account, you'll need to switch to DMS mode, which will let you manage security on documents for non-Windows accounts.

           

          Regards,

          Ali    

            • SSO via Form Posting
              Jeremy Fourman

              Hi abo, thank you for your response. The requirements would be:

              1. User logs into portal and clicks QlikView link or something similar (end result is Access Point document listing)

               

              2. I am given username, password via a form post from the portal

               

              3. I get the username and password combination from the prior form post and look them up in AD as described in the QlikView Expert Services document "Overwrite Authenticate.aspx in QV10"

               

              4. User is shown Access Point with NTFS permissions applying authorization which is what I thought the following two snippets of C# code did

               

               

              IUser user = new QlikView.AccessPoint.NamedUser(username, null, true);

              QlikView.AccessPoint.User.GenericAuthentication(context, user);

               

              I have not deviated from the document which led to this posting. My testing has shown I am looking up accounts in AD and I am succeeding; however, the only result is a blank page.

               

              Thanks

              Jeremy
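
Added example (not code from this thread or from the Expert Services document): one way to gate steps 2 to 4 so that the two AccessPoint calls run only after the posted credentials have been verified against AD. The form field names, the `adDomain` value and the `establishSession` callback, which stands in for the `NamedUser` / `GenericAuthentication` lines quoted above, are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web;

// Added example: gate for the portal's form POST (steps 2-4 of the post above).
public static class PortalLoginGate
{
    // Returns the account name as stored in AD if the posted credentials are
    // valid, otherwise null. The field names "username"/"password" and the
    // adDomain argument are assumptions, not values from the thread.
    public static string ValidatePostedCredentials(HttpRequest request, string adDomain)
    {
        // The password travels in the request body: refuse GET and plain HTTP.
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase)) return null;
        if (!request.IsSecureConnection) return null;

        string username = request.Form["username"];
        string password = request.Form["password"];
        // Reject empty values before any bind is attempted.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password)) return null;

        using (var ad = new PrincipalContext(ContextType.Domain, adDomain))
        {
            // Verify the posted pair; finding the account in AD is not enough.
            if (!ad.ValidateCredentials(username, password)) return null;

            // Hand on the directory's spelling of the account, not the posted string.
            using (var principal = UserPrincipal.FindByIdentity(ad, username))
            {
                return principal == null ? null : principal.SamAccountName;
            }
        }
    }

    // establishSession is a hypothetical callback wrapping the two AccessPoint
    // calls quoted in the thread; it is invoked only after validation succeeds.
    public static bool Handle(HttpContext http, string adDomain, Action<string> establishSession)
    {
        string account = ValidatePostedCredentials(http.Request, adDomain);
        if (account == null)
        {
            http.Response.StatusCode = 401; // fail closed, no session created
            return false;
        }
        establishSession(account);
        return true;
    }
}
```

Whether AccessPoint expects the bare account name or a DOMAIN\name form is not stated in the thread, so the value passed to `establishSession` may need adjusting.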

                • SSO via Form Posting

                  Usually customers integrate QV documents directly into their external portal; otherwise they develop a custom portlet which displays documents if some security roles within the portal are fully respected (ex: group membership, role ...).

                   

                  AccessPoint is not designed to be integrated into another portal, but anyway you can do it in 3 ways.

                   

                  1- Using web authentication: AccessPoint natively supports other authentication providers like SiteMinder, Apache Reverse proxy (with LDAP / AD Auth ...). Those systems manage authentication, act as reverse proxies, and forward content to QV Web Server/IIS; AccessPoint will read a header variable containing the authenticated user.

                   

                  2- Using web ticketing: you can develop your own ticketing provider, use it to generate tickets directly in your portal, and pass the web ticket to Authenticate.aspx, which will validate the ticket against the ticketing provider, get the user identity and finally authenticate the user using the API:

                   

                  IUser user = new QlikView.AccessPoint.NamedUser(username, groups, true);

                  QlikView.AccessPoint.User.GenericAuthentication(context, user);

                   

                  -> this mechanism should be available in V11 GA

                   

                  3- If you are using Active Directory as the authentication provider in your portal, you can integrate AccessPoint into an iframe; it'll silently reauthenticate the user using the NTLM ticket. No development is required.

                   

                  Hope this helps

                   

                  Ali BOUHADDOU

                  Senior Expert consultant

                  Qliktech France 

                    • Re: SSO via Form Posting

                      Hi Ali,

                       

                      Do you have any info on how to implement the item #3 in your post?

                       

                      Below is your post item #3

                       

                      3- If you are using Active Directory as the authentication provider in your portal, you can integrate AccessPoint into an iframe; it'll silently reauthenticate the user using the NTLM ticket. No development is required.

                       

                      Thanks for any info.