Is it possible to use a SAML attribute for the display name in Qlik Sense Enterprise on Windows?
It is not possible to use a SAML attribute for the display name.
A user directory connector needs to be used to synchronize the display name for the user. It will add the information to the same user as long as the User Directory and User ID match.
Another alternative would be to use OIDC authentication instead of SAML authentication. Fetching Display name through OIDC claims is supported in Qlik Sense.
Please also note that an outgoing connection to the Identity Provider is needed for OIDC authentication while it's not required for SAML.
Content
The environment being demonstrated in this article consists of one Central Node and Two Worker Nodes. Worker 1 is a Consumption node where both Development and Production apps are allowed. Worker 2 is a dedicated Scheduler Worker node where all reloads will be directed. Central Node is acting as a Scheduler Manager.
The Zabbix Monitoring appliance can be downloaded and configured in a number of ways, including direct install on a Linux server, OVF templates and self-hosting via Docker or Kubernetes. In this example we will be using Docker. We assume you have a working docker engine running on a server or your local machine. Docker Desktop is a great way to experiment with these images and evaluate whether Zabbix fits in your organisation.
This will include all necessary files to get started, including docker compose stack definitions supporting different base images, features and databases, such as MySQL or PostgreSQL. In our example, we will invoke one of the existing Docker compose files which will use PostgreSQL as our database engine.
Source: https://www.zabbix.com/documentation/current/en/manual/installation/containers#docker-compose
git clone https://github.com/zabbix/zabbix-docker.git
Here you can modify environment variables as needed, to change things like the Stack / Composition name, default ports and many other settings supported by Zabbix.
cd ./zabbix-docker/env_vars
ls -la #to list all hidden files (.dotfiles)
nano .env_web
In this file, we will change the value for ZBX_SERVER_NAME to something else, like "Qlik STT - Monitoring". Save the changes and we are ready to start up Zabbix Server.
./zabbix-docker folder contains many different docker compose templates, either using public images or locally built (latest and local tags).
You can run your chosen base image and database version with:
docker compose -f compose-file.yaml up -d && docker compose logs -f --since 1m
Or unlink and re-create the symbolic link to compose.yaml, which enables managing the stack without specifying a compose file. Run the following commands inside the zabbix-docker folder to use the latest Ubuntu-based image with PostgreSQL database:
unlink compose.yaml
ln -s ./docker-compose_v3_ubuntu_pgsql_latest.yaml compose.yaml
docker compose up -d
If you skip the -d flag, the Docker stack will start and your command line will be connected to the log output for all containers. The stack will stop if you exit this mode with CTRL+C or by closing the terminal session. Detached mode will run the stack in the background. You can still connect to the live log output, pull logs from history, manage the stack state or tear it down using docker compose down.
Pro tip: you will be using docker compose commands often when working with Docker. You can create an alias in most shells to a short-hand, such as "dc = docker compose". This will still accept all following verbs, such as start|stop|restart|up|down|logs, and all following flags. docker compose up -d && docker compose logs -f --since 1m would become dc up -d && dc logs -f --since 1m.
Use the IP address of your Docker host: http://IPADDRESS or https://IPADDRESS.
The Zabbix server stack can be hosted behind a Reverse Proxy.
The default username is Admin and the default password is zabbix. They are case sensitive.
Download link: https://www.zabbix.com/download_agents, in this case download the Windows installer MSI.
After Agent is installed, in Zabbix go to Data Collection > Hosts and click on Create host in the top right-hand corner. Provide details like hostname and port to connect to the Agent, a display name and adjust any other parameters. You can join clusters with Host groups. This makes navigating Zabbix easier.
Note: Remember to change how Zabbix Server will connect to the Agent on this node, either with IP address or DNS. Note that the default IP address points to the Zabbix Server.
In the Zabbix Web GUI, navigate to Data Collection > Templates and click on the Import button in the top right-hand corner. You can find the templates file at the following download link:
LINK to zabbix templates
Once you have added all your hosts to the Data Collection section, we can link all Qlik Sense servers in a cluster using the same templates. Zabbix will automatically populate metrics where these performance counters are found. From Data Collection > Hosts, select all your Qlik Sense servers and click on "Mass update". In the dialog that comes up, select the "Link templates" checkbox. Here you can link/replace/unlink templates across many servers in bulk.
Select "Link" and click on the "Select" button. This new panel will let us search for Template groups and make linking a bit easier. The Template Group we provided contains 4 individual templates.
Fig 2: Mass update panel
Fig 3: Search for Template Group
Once you Select and Update on the main panel, all selected Hosts will receive all items contained in the templates, and populate all graphs and Dashboards automatically.
To review your data, navigate to Monitoring > Hosts and click on the "Dashboards" or "Graphs" link for any node, here is the default view when all Qlik Sense templates are linked to a node:
Fig 5: Repository Service metrics - Example
We will query the Engine Healthcheck end-point on QlikServer3 (our consumer node) and extract usage metrics by parsing the JSON output.
We will be using a new Anonymous Access Virtual Proxy set up on each node. This Virtual Proxy will only Balance on the node it represents, to ensure we extract meaningful metrics from the Engine and we won't be load-balanced by the Proxy service across multiple nodes. There won't be a way to determine which node is responding, without looking at DevTools in your browser. You can also use Header or Certificate authentication in the HTTP Agent configuration.
Once the Virtual Proxy is configured with Anonymous Only access, we can use this new prefix to configure our HTTP Agent in Zabbix.
In the Zabbix web GUI, go to Data collection > Hosts. Click on any of your hosts. On the tabs at the top of the pop-up, click on Macros and click on the "Inherited and host macros" button. Once the list has loaded, search for the following Macro: {$VP_PREFIX}. This is set by default to "anon". Click on "Change" and set the Macro value to your custom Virtual Proxy Prefix for Engine diagnostics, and click Update. The Virtual Proxy prefix will have to be changed on each node for the "Engine Performance via HTTP Agent" item to work. Alternatively, you can modify the Macro value for the Template; this will replicate the changes across all nodes associated with this Template.
Fig 6: Changing Host Macros from Inherited values
To make this change at the Template level, go to Data collection > Templates. Search for the "Engine Performance via HTTP Agent" and click on the Template. Navigate to the Macros tab in the pop-up and add your Virtual Proxy Prefix here to make this the new default for your environment. No further changes to Node configuration are required at this point.
Fig 7: Changing Macros at the Template level
The Zabbix templates provided in this article contain the following Engine metric JSONParsers:
These are the same performance counters that you can see in the Engine Health section in QMC.
Stay tuned to new releases of the Monitoring Templates. Feel free to customise these to your needs and share with the Community.
Environment
Connecting to a REST API connection using the Qlik Data Gateway REST API functionality may fail with:
Status(StatusCode="Internal", Detail="Command testconnection returned non-success: URL is not allowed. Please check your allowed urls in configuration file.")"
Enter the URL you want to use in the %ProgramData%\Qlik\Gateway\restconnector_allowed_urls.txt file. You'll need to use an administrator-level instance of a file editing tool (Notepad++), and restart the Qlik Data Gateway - Direct Access service in the Windows Services applet.
The configuration file to enter allowed URLs is restconnector_allowed_urls.txt and is located in %ProgramData%\Qlik\Gateway. To update this file, perform the following steps:
Refer to Qlik Cloud Help entry Preparing a list of URLs that Direct Access gateway can access for more information.
REST connection URLs are required to be entered into the restconnector_allowed_urls.txt file.
After distributing the Consumption Report app from Qlik Cloud Administration > Settings, scheduled reloads of the app fail with the following error:
Error: $(MUST_INCLUDE= [lib://snowflake_external_share:DataFiles/Capacity_Usage_Script_PROD.txt] cannot access the local file system in current script mode. Try including with LIB path.
The Consumption Report app isn't meant to be reloaded. The app should be distributed from Qlik Cloud Administration > Settings each day. Refer to Distributing detailed consumption reports for details:
Redistribute the app to obtain the most recent data. Apps stored on your tenant exist as separate instances and are not replaced by newer ones.
On the Talend side, refer to Distributing Data Capacity Reporting App for Talend Management Console for details on how to set up capacity reporting.
The Report Consumption app is meant to be distributed from Qlik Cloud Administration > Settings and not updated by a scheduled reload of the app.
When using Server-Side Extension (SSE) functions, duplicated requests are sent every time, even though the function is called only once.
Qlik Sense Enterprise on Windows:
Qlik Sense Desktop:
In case the above does not work, drag and drop the same object to the affected object and convert it to the same one.
The Engine computes a Grand total by calling the SSE aggregation a second time. Grand total is now switched on in GenericCommonStateData.cpp as a KPI object improvement. (Internal Reference: VIZ-2856)
QB-25025
This article documents how to configure a Qlik tenant to send emails using MS365.
An account with an active Office365 license is required for this setup.
First, we configure the MS365 tenant to support the configuration.
Once you have an account set up on the MS365 side, let's go to the Microsoft Tenant settings:
Setting Application permissions to Mail.Send allows the application to use any email address from your organization.
The information in this article is provided as-is and will be used at your discretion. Depending on the tool(s) used, customization(s), and/or other factors, ongoing support on the solution below may not be provided by Qlik Support.
When using SAML or ticket authentication, starting in Qlik Sense June 2019, some users belonging to a large number of groups see the error "Qlik Sense G3 Broker API" on the hub and cannot proceed further.
You may receive the following error when setting up the SAML virtual proxy: cachebust pending
Environments:
The only known workaround in the above versions is to reduce the number of groups sent in the SAML response or ticket request.
The fix for this defect is included in the following versions, but additional steps may be necessary:
All Versions
The default setting will still be a header size of 8192 bytes. The fix adds support for a configurable MaxHttpHeaderSize.
Steps:
[globals]
LogPath="${ALLUSERSPROFILE}\Qlik\Sense\Log"
MigrationPort=4545
(...)
MaxHttpHeaderSize=65534
Note: The value above (16384) is an example. You may need a larger value depending on the total number of characters in all the AD groups to which the user belongs. The maximum value is 65534.
Other Related Articles:
https://community.qlik.com/t5/Official-Support-Articles/Error-431-when-trying-to-access-the-Qlik-Sense-Management/ta-p/1789124
QB-234.
This video will demonstrate how to install and configure Qlik-CLI for SaaS editions of Qlik Sense.
Content:
get-command qlik
choco install qlik-cli
if ( -not (Test-Path $PROFILE) ) {
echo "" > $PROFILE
}
qlik completion ps > "./qlik_completion.ps1" # Create a file containing the powershell completion.
. ./qlik_completion.ps1 # Source the completion.
Advanced and additional instructions as seen in the video can be found at Qlik-CLI on Qlik.Dev. Begin with Get Started.
Please note that due to changes in how browsers handle third-party cookies, you may wish to instead leverage the new qlik-embed framework with OAuth2 for your embedding needs, rather than the guidance in this tutorial.
In Qlik Cloud Services (Qlik Sense Enterprise SaaS), it is possible to get the iFrame HTML code to embed a chart in a webpage by right-clicking that chart and choosing "embed chart".
However, just placing this code on a web page is not sufficient to handle the authentication part.
The information provided in this article provides an example of how this can be achieved. Further customization is likely necessary. For assistance, join our active community in the Integrations and Extensions forum or contact our Consulting Services for an engagement.
Environments:
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Document</title>
    <script type="text/javascript">
        // Web integration ID created for this page's origin in the tenant
        const webIntegrationId = "g-yrbnOz9wV5-YnIqYLZMgfAxf_iKg30";

        function login() {
            // Ask the tenant whether the browser already holds a valid session
            function isLoggedIn() {
                return fetch("https://yourtenant.eu.qlikcloud.com/api/v1/users/me", {
                    method: 'GET',
                    mode: 'cors',
                    credentials: 'include',
                    headers: {
                        'Content-Type': 'application/json',
                        'qlik-web-integration-id': webIntegrationId,
                    },
                }).then(response => {
                    return response.status === 200;
                });
            }
            return isLoggedIn().then(loggedIn => {
                if (!loggedIn) {
                    // Not logged in: send the top-level page to the tenant login.
                    // The return URL is encoded so its own query string survives.
                    window.top.location.href = "https://yourtenant.eu.qlikcloud.com/login?qlik-web-integration-id=" + webIntegrationId + "&returnto=" + encodeURIComponent(window.top.location.href);
                    throw new Error('not logged in');
                }
            });
        }
        login()
    </script>
</head>
<body style="height:600px;">
    <iframe
        src="https://yourtenant.eu.qlikcloud.com/single/?appid=9539b869-1c84-4e6d-9129-4c5b031ca88a&obj=WJhPv&opt=ctxmenu,currsel"
        style="border:none;width:100%;height:100%;"></iframe>
</body>
</html>
const webIntegrationID = "IDGOESHERE";
<iframe src="linktotheobjecthere"></iframe>
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.
This article explains how to set up Cisco Duo as an Open ID Connect (OIDC) Identity Provider to authenticate to Qlik Cloud.
This is a basic example in order to get started with Advanced Analytics Integration in Qlik Sense using PYTHON.
The architecture at a high-level looks like this:
With this new capability, it is possible to add syntax to a chart expression that tells Qlik Sense that a particular expression should not be evaluated on the Qlik Sense server, but instead, all the information and data needed to calculate that expression should be sent via the server side extension on to the back end Python system for calculation.
After the advanced analytic calculations are completed, the data is sent back to the Qlik Sense Server and to the client for visualization.
For an example with video that uses R-Server instead, see R Integration with Qlik Sense
In order to display a "Hello World" message in the Qlik Sense App, perform the steps below:
Note: To obtain the latest HelloWorld example and other Python examples, see Python Examples in Qlik's Github repository. Make sure to check out the GetStarted.md documentation as well.
SSEPython.ScriptAggrStr('", ".join(args[0])' , HelloWorldData)
Eight script functions are automatically added to the functionality of the plugin. To provide this functionality, the plugin side needs to implement the Script aggregate rpc function.
The syntax of these functions is <EngineSSEName>.<FunctionName>(Script [,Parameter...]), where Script is a Python script to be evaluated and Parameter is the data sent from Qlik's end.
Here, the ScriptAggrStr function is used, which accepts an argument of type String and returns a String after an aggregation. The 'join' method in Python returns a string that is the concatenation of the strings in the sequence passed to it. The separator between elements is the string on which the method is called. From the Qlik side, we pass a field called HelloWorldData, which contains the 2 strings we have loaded.
To use SSE function(s) to load data via application load script, the Extension clause needs to be used. See additional information as well as an example under Load > Argument > Extension and Examples > Loading from Analytic connections via the following link: Script Regular Statements: Load.
For security reasons, the customer's policy is to inject the Content-Security-Policy header via the reverse proxy.
The policy adopted is basic: default-src 'self'
Opening the QlikView AccessPoint or Qlik Sense Hub may fail or the AccessPoint may only render partially.
The Browser Debug tools will provide more insight:
QlikView
Qlik Sense Enterprise on Windows
The Content-Security-Policy header contains a string of rules that tells the browser which resources and code are trusted to be loaded, executed, or rendered.
More details on the topic can be found here:
https://www.w3.org/TR/CSP3/
For QlikView AccessPoint, a first example is to use Content-Security-Policy: "default-src 'self' 'unsafe-inline' data: ;" (note that the 'unsafe-inline' option could be unsafe in the proxy injection scenario when the client browses a different site; you could evaluate using the sha256 hash version instead).
Further options could be necessary if, for example, you have QlikView Extension Objects (Server and Document Extensions) that use external resources downloaded from CDN locations.
In this case the troubleshooting is the same: use F12/Development Tools to check which resource violates the policy and add an exclusion.
QlikView Access Point Shows "Loading Content" Indefinitely
What is CSP (Content-Security-Policy) and How does it Relate to Qlik?
This article explains how to get started with the .NET SDK
The following must be installed to test the example provided in this article:
*It does not need to be installed on the same machine, but proper ports must be open for incoming connection on the Qlik Sense server side.
Please also make sure that the user connecting from the .NET SDK has a license assigned.
Environments:
In the below program, we are using Windows authentication, so we have to use the AsNtlmUserViaProxy function to specify that we want to use Windows authentication.
using System;
using Qlik;
using Qlik.Engine;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            Uri uri = new Uri("https://qlikserver3.domain.local/");
            ILocation location = Qlik.Engine.Location.FromUri(uri);
            // Windows (NTLM) authentication through the proxy.
            // certificateValidation: false skips TLS certificate checks for this connection.
            location.AsNtlmUserViaProxy(certificateValidation: false);
            using (var hub = location.Hub())
            {
                Console.WriteLine("Product Version: " + hub.ProductVersion());
                Console.WriteLine("OS Name: " + hub.OSName());
                Console.WriteLine("OS Version: " + hub.OSVersion());
                Console.WriteLine("Press enter to close...");
                Console.ReadLine();
            }
        }
    }
}
Product Version: 3.2.3
OS Name: WindowsNT
OS Version: 6.2.9200
Press enter to close...
Connect to an app:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Qlik;
using Qlik.Engine;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            Uri uri = new Uri("https://qlikserver1.domain.local/");
            ILocation location = Qlik.Engine.Location.FromUri(uri);
            location.AsNtlmUserViaProxy(certificateValidation: false);
            IAppIdentifier appIdentifier = location.AppWithId("03bbedf2-2c45-4e10-bf5a-fded0c21cda8");
            using (var app = location.App(appIdentifier))
            {
                var layout = app.GetAppLayout();
                Console.WriteLine(layout.Title + " [" + app.Type + "]");
                Console.ReadLine();
            }
        }
    }
}
Result:
Test1 [Doc]
Tip: If the program does not run, try to build it and execute the .exe file from the Qlik Sense server. If that works locally from the server itself, it might be that there is a network device that is not allowing the connection or the proper ports are not open.
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement which any web application can support through the use of a special response header. When a supported browser receives this header that browser will prevent any communication sent over HTTP in the future and will redirect all traffic over HTTPS instead.
More details about HSTS can be found on https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
In Qlik Sense, one can add additional HTTP response headers in the Virtual Proxy configuration to enforce HSTS.
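Before saving header text into the Virtual Proxy configuration, it can be checked for mistakes that would make browsers ignore it. The following is an added example, not code from the original article or from Qlik: it assumes the headers are written as "Name: value" lines, the sample lines are constructed, the 180-day baseline is an assumed local policy, and parse_hsts and audit_headers are hypothetical names.

```python
import re

# Constructed sample lines in "Name: value" form (not taken from the article).
SAMPLE_HEADERS = """\
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
"""

MIN_MAX_AGE = 15552000  # 180 days in seconds; assumed baseline, adjust to policy

_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_hsts(value):
    """Parse a Strict-Transport-Security value following RFC 6797 section 6.1.

    Returns a dict keyed by lower-cased directive name. Raises ValueError for
    a header that a browser would ignore. Quoted values containing ';' are
    not handled by this simplified split.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar permits empty directives
        name, sep, raw = part.partition("=")
        name = name.strip().lower()
        if not _TOKEN.fullmatch(name):
            raise ValueError("bad directive name %r" % name)
        if name in directives:
            raise ValueError("duplicate directive " + name)
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]  # a value may be a quoted-string
        directives[name] = raw if sep else None
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    if not re.fullmatch(r"[0-9]+", directives["max-age"] or ""):
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives


def audit_headers(text):
    """Return a list of findings for the HSTS header in 'Name: value' lines."""
    values = [line.split(":", 1)[1].strip()
              for line in (l.strip() for l in text.splitlines())
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return ["no Strict-Transport-Security header configured"]
    findings = []
    if len(values) > 1:
        findings.append("header set more than once; browsers process only the first")
    try:
        parsed = parse_hsts(values[0])
    except ValueError as exc:
        return findings + ["header ignored by browsers: %s" % exc]
    if parsed["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif parsed["max-age"] < MIN_MAX_AGE:
        findings.append("max-age %d is below the %d second baseline"
                        % (parsed["max-age"], MIN_MAX_AGE))
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains not set; subdomains are not covered")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) or ["HSTS header looks correct"]:
        print(finding)
```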
For additional information about HTTP to HTTPS redirects, see
Sites to Confirm HSTS setup
Gov Site on HSTS https://https.cio.gov/hsts/
Note: Qlik does NOT support the configuration or implementation of non-Qlik or Operating System related software. The above suggestion is an introduction to this topic, and if it does not work in your particular environment then please reach out internally to your IT team. If you need direct assistance, please contact your Account Owner to discuss purchasing Consulting Services. (see How to Contact the Consulting Team?)
This article explains how to simply set up JWT authentication using Qlik Sense default certificates and test it.
In order to integrate your solution with Qlik Sense using JWT authentication, your code will need to pass the JWT token in the authorization token for the first request to Qlik Sense, so that a session is created.
QlikView and Qlik Sense provide the capability to extend presentation capability by creating extension objects.
It is important to note that Qlik only supports the API calls made to the QlikView or Qlik Sense server. Qlik does not directly support 3rd party extension implementations. For issues with 3rd party provided extensions, the primary support channel is the 3rd party extension provider.
For Qlik to support API-related issues, the script or code must be minimised to show the issue is related to the specific API and not the custom code using the API. This initial troubleshooting and simplification of the script must be done by the extension developer.
Extensions provided by Qlik employees on Qlik Community are not supported by Qlik. These extension solutions are supported within these communities.
Extensions developed by Qlik’s partners, including certified Extensions, are supported by the Qlik partner.
A customer should also consider this:
The architecture of the integration at a High-level looks like this:
Qlik Sense Advanced Analytics integration is essentially an extension to Qlik Sense’s expression syntax, and as such it can be used in both Chart Expressions, and in Load Script Expressions.
With this new capability, we are now able to add syntax to a chart expression that tells Qlik Sense that particular expression should not be evaluated on the Qlik Sense server, but instead, all the information and data needed to calculate that expression should be sent via the server side extension on to the backend R system for calculation.
After the advanced analytic calculations are completed, the data is sent back to the Qlik Sense Server and to the client for visualization.
This video shows an example of how Qlik Sense connects to an R server for extending expression capabilities in Qlik Sense Apps while offloading the calculations to the R server engine.
In order to start displaying a simple "Hello World" in Qlik Sense using a R-Script, we will do the following:
1. Have R & R-studio installed in your system. (RGui included with R for Windows can also be used) R can be downloaded at https://cloud.r-project.org/
2. We need a package in R to extend R functionality to applications via TCP/IP. The package name is "Rserve()"
Install the package using the below command in RStudio GUI:
install.packages('Rserve')
3. Now we need to invoke that library and start Rserve. In order to do so, execute the below scripts:
library(Rserve)
Rserve()
4. The communication from Sense to R is handled using gRPC. R is not a supported language in gRPC by default.
So a possible solution for this is to develop a connector in any of the supported languages of gRPC. Qlik provides an open-source connector developed in C# which in turn access Rserve to be able to run R scripts.
qlik-oss/sse-r-plugin
Once you built the connector, start the SSEtoRserve.exe (ideally on the Rserve server itself)
Note: Qlik Support does not support this plugin directly. Inquiries should be submitted via GitHub under sse-r-plugin - Issues
5. Now we will have to configure the plugin:
Add the following line in the settings.ini file:
SSEPlugin=R,localhost:50051
The settings.ini is located in this location:
a. In the QMC, add a new Analytic Connection.
b. Restart the Qlik Sense Engine service.
Please refer to the screenshot below for creating a new connection.
Note: If the R-Plugin (SSEtoRserve.exe) was installed on the R-Server (where Rserve runs) or another machine, point to that machine name instead of 'localhost'. Also, in multi-node environments with multiple Qlik Sense Engines, even if the plugin was installed on the Central node, make sure to add the Central node's hostname instead of 'localhost' as the other Rim node Engine services need the correct DNS/Netbios name to reach the plugin.
6. Now Open a Qlik Sense App and add a KPI object in the sheet. This can be one of the Apps included with the plugin itself under <storage path>\sse-r-plugin-master\sense_apps
Note that the example apps also need data connections to be created to the data files included with these apps files in the above location.
7. Otherwise, a new app can be created and any data may be loaded for the SSE example below.
8. For the measure, add the following expression which contains an R-script:
R.ScriptEvalStr('paste(q$firstWord, q$secondWord);', 'Hello' as firstWord, 'World' as secondWord)
9. If everything is configured properly, the R-script in the expression above should execute and display a "Hello World" message.
R.ScriptEvalStr('paste(q$firstWord, q$secondWord);', Only([First Word]) as firstWord, Only([Second Word]) as secondWord)
Eight script functions are automatically added to the functionality of the plugin. What is needed to be covered on the plugin side to fulfill the functionality is to implement the EvaluateScript rpc function.
The syntax of these functions is:
<EngineSSEName>.<FunctionName>(Script [,Parameter...])
Where the Script is an R-Script to be evaluated & Parameter is the data sent from Qlik's end.
Here, we use the ScriptEvalStr function which accepts argument of type String & returns a String. The 'paste' function in R concatenates vectors after converting to character. We pass two data fields of type string from Qlik (First Word & Second Word). The R-script then references these data fields through the q dataframe (structure already taken care in R) (q$firstWord and q$secondWord). The script/function finally returns a String back to Qlik Sense.
When using Qlik Sense behind a reverse proxy, environment.user.ip is always the IP of the reverse proxy instead of the end user client.
Environments:
This is a product limitation.
A feature request (SHEND-225) has been logged but there is no information if and when the feature will be implemented yet.
When embedding a sheet in an iFrame, the "full screen" toggle button for Qlik Sense native chart objects is missing. This feature is present at the sheet level in the hub.
Full Screen toggle button is available at the sheet level in the hub
The same feature is missing, once a sheet is added in an iFrame (Single Configurator)
This is a known limitation.
An improvement task has been created (Jira task VIZ-103) and an idea is available on our Ideation Platform.
To check the current status or to add your vote, head over to the idea: full screen for iframe and embed
QB-4967
VIZ-103