Beginning with Qlik Sense Enterprise on Windows 2024, Qlik has extended CSRF protection to WebSockets. For reference, see the Release Notes.

In the case of mashups, extensions,and or other cross-site domain setups, the following two steps are necessary: 

1. Add additional response headers. These headers help protect against Cross-Site Forgery (CSRF) attacks.
2. Change the applicable code in your mashup or extension.

Content

• Add the Response Headers
• Adapt your Mashup or Extension code
• Workflow
• Verification

Add the Response Headers

The three additional response headers are:

Access-Control-Allow-Origin: https://localhost:8080
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: qlik-csrf-token

Localhost and port 8080 are examples. Replace them with the appropriate hostname. Defining the port is optional. 

If you have multiple origins, seperate them by comma.

Example:

For more information about adding response headers to the Qlik Sense Virtual proxy, see Creating a virtual proxy. Expand the Advanced section to access Additional response headers.

Adapt your Mashup or Extension code

In certain scenarios, the additional headers on the virtual proxy will not be enough and a code change is required. In these cases, you need to request the CSRF token and then send it forward when opening the session on the WebSocket. See Workflow for a visualisation of the process.

An example written in Enigma.js is available here:

• Authentication: Qlik Sense JSON Web Token (JWT) 
• Code Sample 

The information and example in this article are provided as-is and are not directly supported by Qlik Support. More assistance can be found on the Qlik Integration forum. Professional Services are available to help where needed.

Workflow

Workflow

Verification

To verify if the header information is correctly passed on, capture the web traffic in your browser's debug tool.

Environment

• Qlik Sense Enterprise on Windows November 2024 and later

Is it possible to use a SAML attribute for the display name in Qlik Sense Enterprise on Windows? 

Environments:

• Qlik Sense Enterprise on Windows 

It is not possible to use a SAML attribute for the display name.

A user directory connector needs to be used to synchronize the display name for the user, it will add up the information to the same user as long as User Directory and User ID match.

Another alternative would be to use OIDC authentication instead of SAML authentication. Fetching Display name through OIDC claims is supported in Qlik Sense.

Please also note that an outgoing connection to the Identity Provider is needed for OIDC authentication while it's not required for SAML.

Content

• Chapters
• Environment overview
• Zabbix Server set-up
• Clone the Zabbix docker repository
• Setting up environment variables
• Re-link compose.yaml to our preferred compose file
• Logging in for the first time
• Zabbix Agent installation on Windows Server
• Zabbix Server Configuration
• Adding the first Server
• Importing Qlik Sense Enterprise for Windows templates
• Linking templates to hosts
• Engine Healthcheck Monitoring with HTTP Agent example
• Steps to configure a new HTTP Agent for QSE Health monitoring
• Defining the Virtual Proxy prefix for Zabbix HTTP Agent
• Resources & Links

Chapters

• 01:33 - Why use Zabbix
• 02:35 - Architecture for demo
• 03:41 - Downloading the installer
• 04:36 - Installing Zabbix Server
• 08:37 - Installing the Zabbix agent
• 12:17 - Applying Qlik specific templates
• 14:28 - Reviewing Qlik-specific Dashboards
• 16:49 - Configuration details
• 18:42 - How to create a dashboard
• 20:30 - Q&A: Can Zabbix run on Windows?
• 21:16 - Q&A: Is Zabbix supported by Qlik?
• 21:36 - Q&A: Can this monitor data capacity?
• 22:45 - Q&A: Can the Zabbix agents affect performance?
• 23:20 - Q&A: Can it monitor bookmark size?
• 24:02 - Q&A: Can this monitor amount of data being used?
• 24:19 - Q&A: Can this monitor sheets, and objects in apps?
• 24:49 - Q&A: Is there a similar tool for Cloud?
• 25:36 - Q&A: Would this work with QlikView?
• 26:11 - Q&A: Does this read the app data?
• 26:26 - Q&A: Can this help measure how long to open an app?

Environment overview

The environment being demonstrated in this article consists of one Central Node and Two Worker Nodes. Worker 1 is a Consumption node where both Development and Production apps are allowed. Worker 2 is a dedicated Scheduler Worker node where all reloads will be directed. Central Node is acting as a Scheduler Manager.

Zabbix Server set-up

The Zabbix Monitoring appliance can be downloaded and configured in a number of ways, including direct install on a Linux server, OVF templates and self-hosting via Docker or Kubernetes. In this example we will be using Docker. We assume you have a working docker engine running on a server or your local machine. Docker Desktop is a great way to experiment with these images and evaluate whether Zabbix fits in your organisation.

Clone the Zabbix docker repository

This will include all necessary files to get started, including docker compose stack definitions supporting different base images, features and databases, such as MySQL or PostgreSQL. In our example, we will invoke one of the existing Docker compose files which will use PostgreSQL as our database engine.

Source: https://www.zabbix.com/documentation/current/en/manual/installation/containers#docker-compose

git clone https://github.com/zabbix/zabbix-docker.git

Setting up environment variables

Here you can modify environment variables as needed, to change things like the Stack / Composition name, default ports and many other settings supported by Zabbix.

cd ./zabbix-docker/env_vars
ls -la #to list all hidden files (.dotfiles)
nano .env_web

In this file, we will change the value for ZBX_SERVER_NAME to something else, like "Qlik STT - Monitoring". Save the changes and we are ready to start up Zabbix Server.

Re-link compose.yaml to our preferred compose file

./zabbix-docker folder contains many different docker compose templates, either using public images or locally built (latest and local tags).

You can run your chosen base image and database version with:

docker compose -f compose-file.yaml up -d && docker compose logs -f --since 1m

Or unlink and re-create the symbolic link to compose.yaml, which enables managing the stack without specifying a compose file. Run the following commands inside the zabbix-docker folder to use the latest Ubuntu-based image with PostgreSQL database:

1. unlink compose.yaml
2. ln -s ./docker-compose_v3_ubuntu_pgsql_latest.yaml compose.yaml
3. Start the Zabbix stack in detached mode with docker compose up -d

If you skip the -d flag, the Docker stack will start and your command line will be connected to the log output for all containers. The stack will stop if you exit this mode with CTRL+C or by closing the terminal session. Detached mode will run the stack in background. You can still connect to the live log output, pull logs from history, manage the stack state or tear it down using docker compose down.

Pro tip: you will be using docker compose commands often when working with Docker. You can create an alias in most shells to a short-hand, such as "dc = docker compose". This will still accept all following verbs, such as start|stop|restart|up|down|logs and all following flags. docker compose up -d && docker compose logs -f --since 1m would become dc up -d && dc logs -f --since 1m.

Logging in for the first time

• By default, the Zabbix Web GUI will be exposed on ports 80/443
• Using tools like Portainer makes Docker stack management easier

Use the IP address of your Docker host: http://IPADDRESS or https://IPADDRESS.

The Zabbix server stack can be hosted behind a Reverse Proxy.

The default username is Admin and the default password is zabbix. They are case sensitive.

Zabbix Agent installation on Windows Server

Download link: https://www.zabbix.com/download_agents, in this case download the Windows installer MSI.

1. Run the installer .msi
2. Leave components unchanged
3. Hostname = your machine hostname, we will have to use the same hostname when adding a Host in Zabbix Server.
4. Zabbix server IP/DNS: IP address or DNS name of your Zabbix Server
5. Agent listening port, the same port will be used when when adding a Host in Zabbix Server.
6. Enable "Add agent location to the PATH" for convenience in the command line
7. Finish installation

Zabbix Server Configuration

Adding the first Server

After Agent is installed, in Zabbix go to Data Collection > Hosts and click on Create host in the top right-hand corner. Provide details like hostname and port to connect to the Agent, a display name and adjust any other parameters. You can join clusters with Host groups. This makes navigating Zabbix easier.

Fig 1: Adding a Host

 

Note: Remember to change how Zabbix Server will connect to the Agent on this node, either with IP address or DNS. Note that the default IP address points to the Zabbix Server.

Importing Qlik Sense Enterprise for Windows templates

In the Zabbix Web GUI, navigate to Data Collection > Templates and click on the Import button in the top right-hand corner. You can find the templates file at the following download link:

LINK to zabbix templates

Linking templates to hosts

Once you have added all your hosts to the Data Collection section, we can link all Qlik Sense servers in a cluster using the same templates. Zabbix will automatically populate metrics where these performance counters are found. From Data Collection > Hosts, select all your Qlik Sense servers and click on "Mass update". In the dialog that comes up, select the "Link templates" checkbox. Here you can link/replace/unlink templates across many servers in bulk.

Select "Link" and click on the "Select" button. This new panel will let us search for Template groups and make linking a bit easier. The Template Group we provided contains 4 individual templates.

Fig 2: Mass update panel

Fig 3: Search for Template Group

Once you Select and Update on the main panel, all selected Hosts will receive all items contained in the templates, and populate all graphs and Dashboards automatically.

To review your data, navigate to Monitoring > Hosts and click on the "Dashboards" or "Graphs" link for any node, here is the default view when all Qlik Sense templates are linked to a node:

Fig 4: Host Dashboards

 

Fig 5: Repository Service metrics - Example

Engine Healthcheck Monitoring with HTTP Agent example

We will query the Engine Healthcheck end-point on QlikServer3 (our consumer node) and extract usage metrics from by parsing the JSON output.

Steps to configure a new HTTP Agent for QSE Health monitoring

We will be using a new Anonymous Access Virtual Proxy set up on each node. This Virtual Proxy will only Balance on the node it represents, to ensure we extract meaningful metrics from the Engine and we won't be load-balanced by the Proxy service across multiple nodes. There won't be a way to determine which node is responding, without looking at DevTools in your browser. You can also use Header or Certificate authentication in the HTTP Agent configuration.

Once the Virtual Proxy is configured with Anonymous Only access, we can use this new prefix to configure our HTTP Agent in Zabbix.

Defining the Virtual Proxy prefix for Zabbix HTTP Agent

In the Zabbix web GUI, go to Data collection > Hosts. Click on any of your hosts. On tabs at the top of the pop-up, click on Macros and click on the "Inherited and host macros" button. Once the list has loaded, search for the following Macro: {$VP_PREFIX}. This is set by default to "anon". Click on "Change" and set Macro value to your custom Virtual Proxy Prefix for Engine diagnostics, and click Update. The Virtual Proxy prefix will have to be changed on each node for the "Engine Performance via HTTP Agent" item to work. Alterantively, you can modify the MACRO value for the Template, this will replicate the changes across all nodes associated to this Template.

To make this change at the Template level, go to Data collection > Templates. Search for the "Engine Performance via HTTP Agent" and click on the Template. Navigate to the Macros tab in the pop-up and add your Virtual Proxy Prefix here to make this the new default for your environment. No further changes to Node configuration are required at this point.

The Zabbix templates provided in this article contain the following Engine metric JSONParsers:

• Memory: Allocated, Committed, Free, Total Physical
• Calls, Selections
• Saturation status (true/false)
• Sessions: Active/Total
• Users: Active/Total

These are the same performance counters that you can see in the Engine Health section in QMC.

Stay tuned to new releases of the Monitoring Templates. Feel free to customise these to your needs and share with the Community.

Resources & Links

• Zabbix home page
• Zabbix Installation from containers documentation
• Zabbix Docker repository on GitHub
• Install Docker Engine on Ubuntu

Environment

• Qlik Sense Enterprise on Windows

Connect to a REST API connection using the Qlik Data Data Gateway Rest API functionality may fail with: 

Status(StatusCode="Internal", Detail="Command testconnection returned non-success: URL is not allowed. Please check your allowed urls in configuration file.")"

Environment

• Qlik Data Gateway

Resolution

Enter the URL you want to use in the %ProgramData%\Qlik\Gateway\restconnector_allowed_urls.txt file. You'll need to use an administrator-level instance of a file editing tool (Notepad++), and restart the Qlik Data Gateway - Direct Access service in the Windows Services applet. 

The configuration file to enter allowed URLs is restconnector_allowed_urls.txt and is located in %ProgramData%\Qlik\Gateway. To update this file, perform the following steps:

1. Using a file editing tool such as Notepad++ as an administrator, navigate to %ProgramData%\Qlik\Gateway
2. Open restconnector_allowed_urls.txt
3. Enter the URLs you want to allow, with a line break between them (enter * to allow any URL)
4. Save the file
5. Restart the Qlik Data Gateway - Direct Access service in the Windows Services applet

Refer to Qlik Cloud Help entry Preparing a list of URLs that Direct Access gateway can access for more information.

Cause

REST connection URLs are required to be entered into the restconnector_allowed_urls.txt file.

After distributing the Consumption Report app from Qlik Cloud Administration > Settings, scheduled reloads of the app fail with the following error: 

Error: $(MUST_INCLUDE= [lib://snowflake_external_share:DataFiles/Capacity_Usage_Script_PROD.txt] cannot access the local file system in current script mode. Try including with LIB path.

Environment

• Qlik Cloud Analytics
• Qlik Talend Cloud

Resolution

The Consumption Report app isn't meant to be reloaded. The app should be distributed from Qlik Cloud Administration > Settings each day. Refer to Distributing detailed consumption reports for details:

Redistribute the app to obtain the most recent data. Apps stored on your tenant exist as separate instances and are not replaced by newer ones.

On the Talend side, refer to Distributing Data Capacity Reporting App for Talend Management Console for details on how to set up capacity reporting.

Cause

The Report Consumption app is meant to be distributed from Qlik Cloud Administration > Settings and not updated by a scheduled reload of the app.

Using Server-Side Extension (SSE) functions, duplicated requests are called every time though it's called only once.

Environment

• Qlik Sense Enterprise on Windows May 2024 and earlier
• Qlik Sense Desktop May 2024 and earlier

Resolution

A solution is available for KPI charts, Text charts, and Button charts.

A fix for other charts, such as bar charts, line charts, and tables, is actively being worked on (SUPPORT-1268).

Qlik Sense Enterprise on Windows:

1. Upgrade to Qlik Sense Enterprise on Windows to November 2024 or later
   
   
2. Go to Settings.ini file and add the following parameter:
   
   EnableSuppressMeasureTotals=1
   
   See How to modify Qlik Sense Engine Settings.ini for details.
   
   Default location for Qlik Sense Enterprise on Windows (server): \ProgramData\Qlik\Sense\Engine
   
   
3. Save the Settings.ini file
   
   
4. Restart the Engine Service and Service Dispatcher

Qlik Sense Desktop:

1. Upgrade to Qlik Sense Desktop November 2024 or later
   
   
2. Go to Settings.ini file and add the following parameter:
   
   EnableSuppressMeasureTotals=1
   
   See How to modify Qlik Sense Engine Settings.ini for details.
   
   Default location for Qlik Sense Desktop: \Users\Administrator\Documents\Qlik\Sense
   
   
3. Save the Settings.ini file
   
   
4. Reopen the Qlik Sense Desktop

In case the above does not work, drag and drop the same object to the affected object and convert it to the same one.

Cause

The Engine computes a Grand total by calling the SSE aggregation a second time. Grand total is now switched on in GenericCommonStateData.cpp as a KPI object improvement. (Internal Reference: VIZ-2856)

Internal Investigation ID(s)

QB-25025
SUPPORT-1268

This article documents how to configure a Qlik tenant to send emails using MS365.

Prerequisite

An account with an active Office365 license is required for this setup.

MS365 Setup

First, we configure the MS365 tenant to support the configuration.

Once you have an account set up on the MS365 side, let's go to the Microsoft Tenant settings:

1. Open the Microsoft Entra admin center (Home - Microsoft Entra admin center)
   1. Go to Overview
   2. In the overview screen, you will see your Tenant ID. Copy this value, you will need it to configure your Qlik Cloud Tenant.
   3. Click Application to register an application
   4. Click + New registration
      
      
      
      
   5. Name your application
   6. Select the Supported account type that matches your needs
   7. Click Register to register your application
2. Create a Client Credential 
1. Click Certificates & Secrets
2. Click + New client secret
3. Describe (name) the client secret and select its expiration value
4. Click Add to finish this step
   
   
   
   
5. After creating your client secret, the following is displayed:
   
   
   
   
6. Copy the value and save it in a safe place. You will need it to complete your Qlik Cloud Tenant setup.
   
   
3. Enabling the right APIs:
   1. Go to API Permissions
   2. Click + Add Permission
   3. Select Microsoft Graph
   4. Select Application permissions
   5. In the Select permissions field look for Mail.Send
   6. Select the Mail.Send permission

      Setting Application permissions to Mail.Send grants the application to use any email address from your organization.

   7. Click Add permission
   8. Click Grant admin consent for <MS Tenant Name> to finish this step
      
      
      
      
4. Select an Owner for the application
   1. Click + Add Owner
   2. Type the name of the User who will be the Owner
   3. Mark the user and click Select 

Qlik Cloud Tenant Setup

1. Open your Administration activity center (see Accessing the Administration activity center)
2. Go to the Email Provider section
3. Select Microsoft 365
   
   
   
   
4. Insert all previously set information:
   1. Sender email address: Insert an email registered on Microsoft. This can be your email address or another dedicated account created specifically for this purpose. 
   2. Tenant ID: Obtained from the Microsoft Entra Overview section.
   3. Client ID: The Application (client) ID you previously created.
   4. Client secret: The Client secret value which you saved in the previous setup steps.
      
      
      
      
5. Save the changes
6. Send a test email

Environment

• Qlik Cloud Analytics
• Microsoft Office 365

The information in this article is provided as-is and will be used at your discretion. Depending on the tool(s) used, customization(s), and/or other factors, ongoing support on the solution below may not be provided by Qlik Support.

When using SAML or ticket authentication which started in Qlik Sense June 2019, some users belonging to a big number of groups see the error "Qlik Sense G3 Broker API" on the hub and cannot proceed further.

You may receive the following error when setting up the SAML virtual proxy: cachebust pending 

Environments:

• Qlik Sense Enterprise on Windows 
  All Version
  
  

Resolution/Workaround

The only known workaround in the above versions is to reduce the number of groups sent in the SAML response or ticket request.

The fix for this defect is included in the following versions, but additional steps may be necessary:

All Versions

The default setting will still be a header size of 8192 bytes. The fix adds support for a configurable MaxHttpHeaderSize.

Steps:

1. To configure add it at the top section of the file under [globals] (C:\Program Files\Qlik\Sense\ServiceDispatcher\service.conf)

   [globals]
   LogPath="${ALLUSERSPROFILE}\Qlik\Sense\Log"
   MigrationPort=4545
   (...)
   MaxHttpHeaderSize=65534

2. Once the change is done, save the file and restart the Qlik Service Dispatcher service.

Note: Above value (16384) is an example. You may potentially need to put more depending of the total number of characters of all the AD groups to which the user belongs. The max value is 65534.

Other Related Articles:
https://community.qlik.com/t5/Official-Support-Articles/Error-431-when-trying-to-access-the-Qlik-Sense-Management/ta-p/1789124 

Internal Investigation ID(s):

QB-234.

This video will demonstrate how to install and configure Qlik-CLI for SaaS editions of Qlik Sense.

Content:

• Requirements
• Installation method One
• Installation Method Two
• Enable the Completion Feature (optional, but useful)
• Use Qlik-CLI
• Related Content
• Transcript

Requirements

• The user has access to a Qlik Cloud tenant
• The user has a professional license assigned in the tenant
• The user has the developer role assigned (required for API access)
• An API key can be obtained

Installation method One

1. Download Qlik-CLI from GitHub
2. Copy the executable to a local directory
3. Add the Qlik-CLI as an Environment Variable Path. 
   1. Open your Windows Control Panel
   2. Navigate to System 
   3. Open Advanced system settings in the leftmost menu
   4. Click Environment Variables 
   5. Locate Path in the User's System variables 
   6. Click Edit
   7. Click New
   8. Add the path to Qlik-CLI for example C:\Tools\Qlik-QLI\Modify the User Environment. Add path to Qlik-CLI. ie "C:\Tools\Qlik-QLI\"
   9. Confirm with OK until all windows are closed
4. Confirm the Qlik-CLI location path to verify it the installation completed successfully 
   1. Open PowerShell
   2. Execute:
      

      get-command qlik​

   3. Closer PowerShell

Installation Method Two

1. Download and install Chocolatey as documented on chocolatey.org.
2. Open PowerShell
3. Execute:
   

   choco install qlik-cli

4. This completes the installation.

Enable the Completion Feature (optional, but useful)

1. Verify if a PowerShell profile exists or create a new one
   1. Open PowerShell
   2. Execute:
      

      if ( -not (Test-Path $PROFILE) ) {
         echo "" > $PROFILE
      }​

2. Open the profile with the command notepad $PROFILE:
   

   qlik completion ps > "./qlik_completion.ps1" # Create a file containing the powershell completion.
   . ./qlik_completion.ps1                      # Source the completion.​

3. Save it. 
4. Restart PowerShell

Use Qlik-CLI

Advanced and additional instructions as seen in the video can be found at Qlik-CLI on Qlik.Dev. Begin with Get Started.

Please note that due to changes in how browsers handle third-party cookies, you may wish to instead leverage the new qlik-embed framework with OAuth2 for your embedding needs, rather than the guidance in this tutorial.

In Qlik Cloud Services (Qlik Sense Enterprise SaaS), it is possible to get the iFrame HTML code to embed a chart in a webpage by right-clicking that chart and choosing "embed chart".

However, just placing this code on a web page is not sufficient to handle the authentication part.

The information provided in this article provides an example of how this can be achieved. Further customization is likely necessary. For assistance, join our active community in the Integrations and Extensions forum or contact our Consulting Services for an engagement. 

Environments:

• Qlik Cloud Services April 2019 and later

Resolution:

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

Steps

1. Open the Qlik Tenant Management Console
2. Scroll to Integration Settings
3. Open Web
4. Click Create new 
5. Fill out the form:
   • Name: The name of the integration 
   • Add an origin: The allowed origins for the requests (such as the webserver hosting the integrations)
6. Click Create to confirm
7. Open Content Security Policy in the Integrations Settings section 
8. Click Add
9. Fill out the form:
   • Name: The name of the integration
   • Origin: The allowed origins for the requests (such as the webserver hosting the integrations)
   • Directive: Choose frame-ancestors
10. Click Add to confirm
11. Copy the script provided in this example:
    
    To handle the authentication and be able to see the chart on an external web page, the parent site needs to do a redirection and let the user authenticate, below is a code example of how to do that.
    

    <!DOCTYPE html>
    <html lang="en">
    
    <head>
      <meta charset="UTF-8">
      <meta name="viewport" content="width=device-width, initial-scale=1.0">
      <meta http-equiv="X-UA-Compatible" content="ie=edge">
      <title>Document</title>
      <script type="text/javascript">
        const webIntegrationId = "g-yrbnOz9wV5-YnIqYLZMgfAxf_iKg30";
        function login() {
          function isLoggedIn() {
            return fetch("https://yourtenant.eu.qlikcloud.com/api/v1/users/me", {
              method: 'GET',
              mode: 'cors',
              credentials: 'include',
              headers: {
                'Content-Type': 'application/json',
                'qlik-web-integration-id': webIntegrationId,
              },
            }).then(response => {
              return response.status === 200;
            });
          }
          return isLoggedIn().then(loggedIn => {
            if (!loggedIn) {
              // check login
                window.top.location.href = "https://yourtenant.eu.qlikcloud.com/login?qlik-web-integration-id=" + webIntegrationId + "&returnto=" + top.location.href;
              throw new Error('not logged in');
            }
          });
        }
    	login()
      </script>
    </head>
    
    <body style="height:600px;">
    	<iframe
        src="https://yourtenant.eu.qlikcloud.com/single/?appid=9539b869-1c84-4e6d-9129-4c5b031ca88a&obj=WJhPv&opt=ctxmenu,currsel"
        style="border:none;width:100%;height:100%;"></iframe>
    </body>
    
    </html>​

    
    
    
12. Paste it into a new file using Visual Studio Code and save it with the HTML extension
13. Replace all mentions of yourtenant in the script with the name of your Qlik Sense SaaS tenant
14. Copy the Web Integration ID from the Web Integration menu and paste it into the script at:
    

    const webIntegrationID = "IDGOESHERE";​

15. Add the link to the Qlik App Object you want to embed in the <iframe> section:
    

    <iframe>src="linktotheobjecthere"></iframe>

16.  Save the file and place it where your web server can read it. 

This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.

This article explains how to set up Cisco Duo as an Open ID Connect (OIDC) Identity Provider to authenticate to Qlik Cloud.

Set up Cisco Duo

1. in Cisco Duo, go to Application and create a new application.
   
   
2. Set Grant Type to Authorization Code 
   
   
   • Allow PKCE only authentication remains unchecked.
   • Access Token Lifetime can be set to 60 
     
     
3. Set Sign-in Redirect URLs to your Qlik Cloud tenant URL, appending /login/callback. Do not use the alias.
   
   Example: https://<TENANT URL>.<REGION>.qlikcloud.com/login/callback
   
   If you don't recall the original tenant URL, open https://<TENANT URL>.<REGION>.qlikcloud.com/api/v1/tenants in a browser tab to locate it.
   
   
4. In the Scopes section:
   
   
   1. Verify that openid is set as the scope
   2. Check profile and set the following claim:
      
      • IdP Attribute: <Display Name>
        
      • Claim: name
   3. Check email and set the following claim:
      
      • IdP: <Email Address>
        
      • Claim: email
        
        
5. Set a Name 
   
   
6. Uncheck Let users remove devices, add new devices, and reactive Duo Mobile
   
   
7. If required, limit who can authenticate through this application (Users in the organization that will be able to log in to Qlik Cloud).
   
   To do so, check Only allow authentication from users in certain groups and choose the required group.

Set up Qlik Cloud

1. Log in to the Qlik Cloud Management Console and navigate to Identity Provider
   
   
2. Create a new Identity Provider
   
   
   • Type: Interactive
   • Provider: Generic
     
     
3. Input the OpenID Connect Metadata URI as created in Cisco Duo
   
   The Metadata URI can be found under Discovery URL in the application created previously in Cisco Duo.
   
   
4. Input the Client ID as created in Cisco Duo
   
   
5. Input the Client Secret as created in Cisco Duo
   
   
6. Leave Realms (optional) blank
   
   
7. sub is set to sub
   
   
8. Click Create and Save
   
   
9. Click Validate
   
   After clicking Validate and logging in to Cisco Duo, confirm that claim mapping is correct and make the user a Tenant Admin so that you can still access the management console after activating Cisco Duo as an Identity Provider.
   
   Once Cisco Duo has been activated as your new IdP, the Invite User option will be disabled in your Management Console as users will now be managed by your new Identity Provider. See Identity providers.

Environment

Qlik Cloud 

This is a basic example in order to get started with Advanced Analytics Integration in Qlik Sense using PYTHON.

This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.

The architecture at a high-level looks like this:



With this new capability, it is possible to add syntax to a chart expression that tells Qlik Sense that a particular expression should not be evaluated on the Qlik Sense server, but instead, all the information and data needed to calculate that expression should be sent via the server side extension on to the back end Python system for calculation.

 After the advanced analytic calculations are completed, the data is sent back to the Qlik Sense Server and to the client for visualization.

For an example with video that uses R-Server instead, see R Integration with Qlik Sense 

Resolution:

In order to display a "Hello World" message in the Qlik Sense App, Perform the steps below:

Note: To obtain the latest HelloWorld example and other Python examples, see Python Examples in Qlik's Github repository. Make sure to check out the GetStarted.md documentation as well.
 

1. Make sure you have Python 3.4 (or later) installed including 'PIP' option. Run python -m pip install --upgrade pip to upgrade to latest version of pip.
2. Install the grpcio package. In order to install it, use: python -m pip install grpcio
3. Install the numpy package. In order to install it, use: python -m pip install numpy
4. Install the nose package. In order to install it, use: python -m pip install nose
5. Install the pandas package. In order to install it, use: python -m pip install pandas
6. Install the google package. Use python -m pip install google
7. Install the protobuf package. Use python -m pip install protobuf
8. May need to install the google API Python package on older examples: If so, use pip install --upgrade google-api-python-client
9. Note: If using Qlik Sense Desktop, add SSEPlugin=<EngineName>,localhost:<port> on a new line in your Settings.ini file located at C:\Users\[user]\Qlik\Sense. For example: SSEPlugin=SSEPython,localhost:50052
10. Note: If using Qlik Sense Server, Create an Analytic Connection. See Creating an analytic connection
11. Create a Qlik Sense app with basic data. In the app attached to this article Inline Load of 2 strings was used. Alternatively, use the HelloWorld example app included with the Server-Side Extension (SSE) package that can be downloaded in .zip format under Qlik SSE. 
12. Note: See example app attached. Create a new KPI object in a Sheet. Under Measures, add: SSEPython.ScriptAggrStr('", ".join(args[0])' , HelloWorldData)
13. A Plugin using Python needs to be written so that you can communicate between Sense & Python engine using gRPC. See attached the example written using the open-source plugin provided by Qlik in order to test this functionality. Please note that these plugins are open-source and support will not be provided for it by Qlik Support (refer to the T&C in Writting an SSE Plugin
14. Run the plugin in CMD prompt, using command: python ExtensionService_helloworld.py  Note: Troubleshoot ModuleNotFoundError
15. You will be presented with this screen
    
    
    
    
16. Now restart Qlik Sense desktop & open your Sense app
17. You should the below object utilizing Python:
    
    

Understanding the Python script & Function:

SSEPython.ScriptAggrStr('", ".join(args[0])' , HelloWorldData)

Eight script functions are automatically added to the functionality of the plugin. What is needed to be covered on the plugin side to fulfill
the functionality is to implement the Script aggregate rpc function.

The syntax of these functions is <EngineSSEName>.<FunctionName>(Script [,Parameter...])
where the Script is a Python script to be evaluated & Parameter is the data sent from Qlik's end.

Here, the ScriptAggrStr function is used which accepts argument of type String & returns a String after an aggregation. The 'join' function in Python method returns a string, which is the concatenation of the strings in the sequence seq. The separator between elements is the string providing this method. From Qlik side, we pass a field called HelloWorldData which contains the 2 strings as we have loaded.

To use SSE function(s) to load data via application load script, the Extension clause needs to be used. See additional information as well as an example under Load > Argument > Extension and Examples > Loading from Analytic connections via the following link: Script Regular Statements: Load.

Related Content:

• R integration with Qlik Sense 
• Analytic Connections - Qlik Sense for Administrators 
• Script Regular Statements - Load - Qlik Sense on Windows 
• Creating an Advanced Analytics Server in 15 minutes using AWS 
• Qlik Server-Side Extension (SSE) with Analytic Connections 
• How to call an external / custom function in Qlik Sense? 
• Qlik Sense Analytic Connection (SSE) Error when reloading App 
   

Customer policy adopted injection via the reverse proxy of the Content Security Policy header for security reasons. 

The policy adopted is basic: default-src 'self'

Opening the QlikView AccessPoint or Qlik Sense Hub may fail or the AccessPoint may only render partially. 

The Browser Debug tools will provide more insight:


 

Environment:

QlikView 
Qlik Sense Enterprise on Windows 

The Header Content Security Option contains a string of rules that informs the browser which resource/code is trusted to be loaded, executed rendered. 

More details on the argument could be found here: 
 https://www.w3.org/TR/CSP3/ ,
 

Resolution:

For QlikView Accesspoint a first example is to use Content-Security-Policy: "default-src 'self'  'unsafe-inline' data: ;" ; (note that using 'unsafe-inline'  option could be unsafe in a the proxy injection scenario when the client will brose a different site , you could/evaluate to use instead the  sha256-hashcode version )  
Further option could be necessary if for example you have QlikView Extension Object ( Server and Document Extensions) that are using external resources downloaded from CDN locations;
In this case the troubleshoot is the same use F12/Development Tools to check the resource that violates the policy and ad an exclusion. 

Related Content:

QlikView Access Point Shows "Loading Content" Indefinitely,
What is CSP (Content-Security-Policy) and How does it Relate to Qlik?


 

This article explains how to get started with the .NET SDK

The following must be installed to test the example provided in this article:

• Microsoft Visual Studio (The community version can be used)
• Qlik Sense Server

*It does not need to be installed on the same machine, but proper ports must be open for incoming connection on the Qlik Sense server side.

Please also make sure that the user connecting from the .NET SDK has a license assigned

Environments:

Resolution:

1. Open Visual Studio and create a new project. In this example, we have selected "Console App (.NET Framework)"
2. Go to Tools > NuGet Package manager > Package Manager Console
3. Use "Install-Package QlikSense.NetSDK" to install the latest version of the SDK or "Install-Package QlikSense.NetSDK -Version x.x.x" to install a specific version (It must match the Qlik Sense server version). Go to https://www.nuget.org/packages/QlikSense.NetSDK/ to find the correct command for your version if you are unsure.
4. Once the package is installed, it will appear in the References for your project. We can create a small program with the following code to connect to the Qlik Sense server and show Product version, OS Name and OS Version.

          In the below program, we are using Windows authentication, so we have to use the AsNtlmUserViaProxy function to specify that we want to use Windows authentication.

// using System, etc. 
using Qlik;
using Qlik.Engine;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            Uri uri = new Uri("https://qlikserver3.domain.local/");
            ILocation location = Qlik.Engine.Location.FromUri(uri);
            location.AsNtlmUserViaProxy(certificateValidation: false);
            using (var hub = location.Hub())
            {
                Console.WriteLine("Product Version: " + hub.ProductVersion());
                Console.WriteLine("OS Name:    " + hub.OSName());
                Console.WriteLine("OS Version: " + hub.OSVersion());
                Console.WriteLine("Press enter to close...");
                Console.ReadLine();
            }
        }
    }
}

• This should show something like this:

Product Version: 3.2.3
OS Name: WindowsNT
OS Version: 6.2.9200
Press enter to close...

Connect to an app:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Qlik;
using Qlik.Engine;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            Uri uri = new Uri("https://qlikserver1.domain.local/");
            ILocation location = Qlik.Engine.Location.FromUri(uri);
            location.AsNtlmUserViaProxy(certificateValidation: false);
            IAppIdentifier appIdentifier = location.AppWithId("03bbedf2-2c45-4e10-bf5a-fded0c21cda8");
            using (var app = location.App(appIdentifier))
            {
                var layout = app.GetAppLayout();
                Console.WriteLine(layout.Title + " [" + app.Type + "]");
                Console.ReadLine();
            }
        }
    }
}

Result:
Test1 [Doc]


Tip: If the program does not run, try to build it and execute the .exe file from the Qlik Sense server. If that works locally from the server itself, it might be that there is a network device that is not allowing the connection or the proper ports are not open.

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement which any web application can support through the use of a special response header. When a supported browser receives this header that browser will prevent any communication sent over HTTP in the future and will redirect all traffic over HTTPS instead. 

More details about HSTS can be found on https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

Resolution

In Qlik Sense, one can add additional HTTP response headers in the Virtual Proxy configuration to enforce HSTS

1. Open the Qlik Sense QMC
2. In the CONFIGURATION SYSTEM section,  click on Virtual Proxies
3. Select the Virtual Proxy profile for user access and click on Edit
4. Go to the Advanced section and in the field "Additional response headers" 
5. Enter the HSTS configuration setting applicable to your environment. i.e  Strict-Transport-Security: max-age=31536000;includeSubDomains;Preload
   
   
   
   
6. HTTP to HTTPS must be enabled.

For additional information about HTTP to HTTPS redirects, see

• How to: Redirect HTTP to HTTPS in Qlik Sense
• Qlik Community: Qlik Sense redirect HTTP to HTTPS
• and feature request Sense Initial URL redirect to /hub (http)

Sites to Confirm HSTS setup

• https://hstspreload.org/
• https://tools.geekflare.com/hsts-test
• https://dev.ssllabs.com/ssltest/
• https://nvisium.com/blog/2014/04/25/is-your-site-hsts-enabled.html

Gov Site on HSTS  https://https.cio.gov/hsts/

Note: Qlik does NOT support the configuration or implementation of non-Qlik or Operating System related software. The above suggestion is an introduction to this topic, and if it does not work in your particular environment then please reach out internally to your IT team. If you need direct assistance, please contact your Account Owner to discuss purchasing Consulting Services. (see How to Contact the Consulting Team?)

Environment:

Qlik Sense Enterprise on Windows 

This article explains how to simply set up JWT authentication using Qlik Sense default certificates and test it.

Steps:

1. Create a new virtual proxy
   
   This section only explains settings specific to JWT and supposes that you have set up Name, Prefix, Session cookie header name, load balancing nodes and linked a Proxy to the new virtual proxy.
   These are the minimum settings required for a virtual proxy to work correctly. Please refer to the Qlik Sense Online Help "Creating a virtual proxy" as well as Qlik Sense For Administrators - JWT authentication for details.
   
   
   1. In the authentication section, select JWT for authentication
   2. Paste the certificate used to sign/decrypt JWT in "JWT certificate
      
      In this article, we will use the default Qlik Sense certificate located:
      
      Important note: We use Qlik Default certificates for simplicity in this article, in a Production scenario, the customer should create the key material (generate a private/public key pair for JWT signing and verification) that is managed by customer internal security policies.
      
      
   3. Go to C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates
   4. Open server.pem in a text editor
   5. Copy the content including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- then paste it in the JWT Certificate field in the QMC > Virtual Proxy configuration.
   6. Choose a value for JWT attribute for user ID and JWT attribute for user directory. That can be anything (except reserved key words for JWT claims) but it must match the values used in the JWT payload section when the JWT is generated.
   7. Apply changes and close.
      
       

      

      
      
      
2. Generate the JWT
   
   In this article, we will directly use the JWT debugger available on https://jwt.io to generate the token. In a real use case, the JWT library corresponding to the programming language used should be used to generate the JWT.
   
   
   1. Open https://jwt.io and go to the debugger
   2. Select RS256 for the algorithm
   3. In the PAYLOAD box, set up your attributes previously set via QMA in Qlik Sense's virtual proxy configuration for the user ID and the user directory. (Note: Swap 'DOMAIN' with the user's directory) 
   4. In the Verify signature, paste server.pem (Certificate) and server_key.pem (Private key) content in the appropriate fields. Those files are both located in C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates
   5. You can now copy the JWT generated in the left field and test it. This should look like:
      
      
      
      
3. Test the generated JWT
   
   In order to log in with JWT, you need to inject the JWT as a header. There are various extensions available depending on your browser in order to test this.
   
   In this example, we are using Chrome with Modheader.
   
   
   1. Install ModHeader from the Chrome Web Store
   2. Try to go to the hub:
      
                https://{your server name}/{prefix for JWT virtual proxy}/hub/
      
      
   3. You should get a 401 error: "Could not authenticate the request: Expected an authentication header." as no header has been provided.
   4. Go to ModHeader and set the following header:
      
             Header name: Authorization
             Header value: Bearer yourjwt
      
      
      
      
   5.    Reload the page, you should now be logged into the hub correctly.

In order to integrate your solution with Qlik Sense using JWT authentication, you will need to pass in your code the JWT token in the authorization token for the first request to Qlik Sense so that a session is created.

Related Content:

• Using Qlik Sense on Windows Repository API (QRS) with qlik-cli 
• Examples of integration for different purposes are available on the internet:
  https://github.com/qlik-oss/enigma.js/tree/master/examples/authentication/sense-using-jwt

QlikView and Qlik Sense provides the capability to extend presentation capability by creating extension objects.

It is important to note that Qlik only supports the API calls made to the QlikView or Qlik Sense server. Qlik does not directly support 3rd party extension implementations. For issues with 3rd party provided extensions, the primary support channel is the 3rd party extension provider. 

For Qlik to support API-related issues, the script or code must be minimised to show the issue is related to the specific API and not the custom code using the API. This initial troubleshooting and simplification of the script must be done by the extension developer. 

Extensions provided by Qlik employees on Qlik Community are not supported by Qlik. These extension solutions are supported within these communities.  

Extensions developed by Qlik’s partners, including certified Extensions, are supported by the Qlik partner.

A customer should also consider this:

• Extensions are generally not supported by Qlik. Qlik Support can only provide recommendations and general configuration advice for extensions. 
• Extensions should be tested one by one when installing them. This is meant to verify them working and not to break standard functionality. 
• A QlikView or Qlik Sense upgrade might cause conflict with non-compatible extensions. This can lead to Qlik product malfunction. It is recommended to always validate upgrade and extension compatibility in the test environment prior to upgrading the production environment. Any compatibility issues or questions should be reported to the extension provider. 

How to get started with R-Script integration within Qlik Sense

The architecture of the integration at a High-level looks like this:



 

Qlik Sense Advanced Analytics integration is essentially an extension to Qlik Sense’s expression syntax, and as such it can be used in both Chart Expressions, and in Load Script Expressions.
 

With this new capability, we are now able to add syntax to a chart expression that tells Qlik Sense that particular expression should not be evaluated on the Qlik Sense server, but instead, all the information and data needed to calculate that expression should be sent via the server side extension on to the backend R system for calculation.

 After the advanced analytic calculations are completed, the data is sent back to the Qlik Sense Server and to the client for visualization.

Environment:

• Qlik Sense Enterprise on Windows , all versions

Resolution:

This video shows an example of how Qlik Sense connects to an R server for extending expression capabilities in Qlik Sense Apps while offloading the calculations to the R server engine.

Click here for Video Transcript

In order to start displaying a simple "Hello World" in Qlik Sense using a R-Script, we will do the following:

1. Have R & R-studio installed in your system. (RGui included with R for Windows can also be used) R can be downloaded at https://cloud.r-project.org/

2. We need a package in R to extend R functionality to applications via TCP/IP. The package name is "Rserve()"
Install the package using the below command in RStudio GUI:

install.packages('Rserve')

3. Now we need to invoke that library and start Rserve. In order to do so, execute the below scripts:

library(Rserve)
Rserve()

4.The communication method from Sense to R is taken care using gRPC. R is not a supported language in gRPC by default.

So a possible solution for this is to develop a connector in any of the supported languages of gRPC. Qlik provides an open-source connector developed in C# which in turn access Rserve to be able to run R scripts.
qlik-oss/sse-r-plugin
Once you built the connector,  start the SSEtoRserve.exe (ideally on the Rserve server itself)

Note: Qlik Support does not support this plugin directly. Inquiries should be submitted via GitHub under sse-r-plugin - Issues

5. Now we will have to configure the plugin:

For Qlik Sense Desktop June 2019 and up:

Add the following line in the settings.ini file:

SSEPlugin=R,localhost:50051

The settings.ini is located in this location: 

For previous Qlik Sense Desktop:

Add the following line in the settings.ini file:

SSEPlugin=R,localhost:50051

The settings.ini file is located in this location:

For Qlik Sense Enterprise/Server:

a. In the QMC, add a new Analytic Connection.
b. Restart the Qlik Sense Engine service.

Please refer to the screenshot below for creating a new connection.

Note: If the R-Plugin (SSEtoRserve.exe) was installed on the R-Server (where Rserve runs) or another machine, point to that machine name instead of 'localhost'. Also, in multi-node environments with multiple Qlik Sense Engines, even if the plugin was installed on the Central node, make sure to add the Central node's hostname instead of 'localhost' as the other Rim node Engine services need the correct DNS/Netbios name to reach the plugin.



6. Now Open a Qlik Sense App and add a KPI object in the sheet. This can be one of the Apps included with the  plugin itself under <storage path>\sse-r-plugin-master\sense_apps

Note that the example apps also need data connections to be created to the data files included with these apps files in the above location.

7. Otherwise, a new app can be created and any data may be loaded for the SSE example below.

8. For the measure, add the following expression which contains an R-script:

R.ScriptEvalStr('paste(q$firstWord, q$secondWord);', 'Hello' as firstWord, 'World' as secondWord)

9. If everything is configured properly, the R-script shown in bold above should be executed fine and it should display a "Hello World" message.

Understanding the R-script & Function:

R.ScriptEvalStr('paste(q$firstWord, q$secondWord);', Only([First Word]) as firstWord, Only([Second Word]) as secondWord)

Eight script functions are automatically added to the functionality of the plugin. What is needed to be covered on the plugin side to fulfill the functionality is to implement the EvaluateScript rpc function.

The syntax of these functions is: 

<EngineSSEName>.<FunctionName>(Script [,Parameter...])

Where the Script is an R-Script to be evaluated & Parameter is the data sent from Qlik's end.

Here, we use the ScriptEvalStr function which accepts argument of type String & returns a String. The 'paste' function in R concatenates vectors after converting to character. We pass two data fields of type string from Qlik (First Word & Second Word). The R-script then references these data fields through the q dataframe (structure already taken care in R) (q$firstWord and q$secondWord). The script/function finally returns a String back to Qlik Sense.

Related Content:

• Analytic Connections - Qlik Sense for Administrators 
• Script Regular Statements - Load - Qlik Sense on Windows 
• Creating an Advanced Analytics Server in 15 minutes using AWS 
• Qlik Server-Side Extension (SSE) with Analytic Connections 
• Getting Started with Advanced Analytics in Qlik Sense using Python 
• How to call an external / custom function in Qlik Sense? 
• Qlik Sense Analytic Connection (SSE) Error when reloading App 
  
  
   

When using Qlik Sense behind a reverse proxy, environment.user.ip is always the IP of the reverse proxy instead of the end user client.

Environments:

• Qlik Sense Enterprise for Windows

This is a product limitation.

A feature request (SHEND-225) has been logged but there is no information if and when the feature will be implemented yet.