Configuring single sign-on from Qlik Sense Enterprise on Windows to Qlik Alerting
Configure single sign-on (SSO) to allow users to authenticate to Qlik Alerting using Qlik Sense Enterprise on Windows credentials. With SSO, you don't need any other authentication within Qlik Alerting.
When you have configured external product sign-on to Qlik Alerting, users with permission will see a new menu item with in their user profile menu in the Qlik Sense hub. When the users click the button, they are redirected to the configured sign-on URI path, where they are authenticated. Once successfully authenticated, the users are taken to the Qlik Alerting start page.
To set up SSO authentication to Qlik Alerting, you need to configure external product sign-on in the QMC with Qlik Alerting as the external product. Upload an SSO script in the QMC to create an authentication URL, and then add the URL in the Qlik Alerting configuration.
Prerequisites
-
Qlik Sense Enterprise on Windows May 2023 or later.
-
Qlik Alerting July 2023 or later.
Configuring SSO authentication in the Qlik Management Console
You need RootAdmin, ContentAdmin, or DeploymentAdmin role to configure external product sign-on.
Do the following:
-
Open the QMC: https://<QPS server name>/qmc
-
Select External product sign-on on the QMC start page or from the Start drop-down menu .
-
Enter a name.
-
For Product select Qlik Alerting.
-
Enter the path to the Qlik Alerting login URI: https://<alerting_server>:4552/api/users/authQXSession
-
Enter the path to the Qlik Alerting start page: https://<alerting_server>:4552/#/loginQXSession
-
Enter a Menu label.
Qlik Sense hub users with permission see in their profile menu to access Qlik Alerting. The Menu label text is the label for that icon.
-
Click Apply, and then click Save.
When you have configured external product sign-on, you upload an SSO script to the content library.
-
Select Content libraries on the QMC start page or from the Start drop-down menu .
-
Select the Default record and click Edit.
-
Under Associated items, click Contents.
-
Click Upload.
-
In the Upload static content dialog, click Choose Files, navigate to %Program Files%\Qlik Alerting\setup on the Qlik Alerting server and select the qaw_sso.html file.
-
Click Upload. When the file is uploaded to the content library, you can see it under Contents.
-
Copy the URL path for the uploaded file. For example, /content/Default/qaw_sso.html.
-
Build the authentication URL from the copied URL path as https://<qliksense_server>/<your_URL_path>. For example, https://<qliksense_server>/content/Default/qaw_sso.html.
-
Save the authentication URL somewhere. You will need it in the next step when you configure Qlik Alerting.
Configuring access for users
Configure external product sign-on access for users who should have access to Qlik Alerting. Users with access will have a menu item with a bell icon in the Qlik Sense hub that takes them to Qlik Alerting sign-on.
In addition to the access, users must also:
-
Have Analyzer or Professional entitlement in Qlik Sense.
-
Be included in the list of users in Qlik Alerting who are synced across from Qlik Sense. This list of users is defined by You configure Filter for user fetch in the Sources settings.
Users with HubAdmin role in Qlik Sense have external product sign-on access by default. For other users, you need to create a security rule in the Qlik Management Console to provide access.
The following example, shows how to create a security rule that gives access to all users in a specific user directory.
Example: Creating a security rule for external product sign-on
-
Open the QMC: https://<QPS server name>/qmc
-
Select Security rules on the QMC start page or from the Start drop-down menu.
-
Click Create new in the action bar.
-
From the Create rule from template list, select External product sign-on.
-
Enter a name, for example, QlikAlertingSignOn.
- Leave Resources filter as ExternalProductSignOn_*.
-
For Actions, select Read. Select the user condition properties user, userDirectory, =,and value. For value, enter the name of the user directory, in this example ABC-DEF.
The Conditions field under Advanced will show ((user.userDirectory="ABC-DEF")). You need to have the same condition here as in Filter for user fetch in Qlik Alerting. Having the same condition ensures that the users synced in Qlik Alerting are the same users that have been allowed access to Qlik Alerting from the Qlik Sense hub. Otherwise, a user might see the Qlik Alerting icon in the hub without being able to access Qlik Alerting.
-
For Context, select Only in hub.
-
Click Preview to view the access rights that your rule will create and the users that they apply to.
-
Click Apply to create and save the rule.
Successfully added is displayed at the bottom of the page.
Next, configure SSO authentication in Qlik Alerting.
Configuring SSO authentication in Qlik Alerting
When you have configured SSO authentication in the Qlik Management Console, you need to set it up in Qlik Alerting.
Do the following:
-
Open Qlik Alerting: https://<alerting_server>:4552/
-
Log in using administrator credentials.
-
Go to Admin > Sources.
-
On the Qlik source, click , and then select Edit.
-
For Filter for user fetch, enter userDirectory eq 'ABC-DEF'.
This is the same condition as in the security rule in the Qlik Management Console.
-
Under Authentication, select SSO.
-
The Authentication URL field is now enabled for editing. Enter your authentication URL that you saved from the configuration in the QMC content library. For example, https://<qliksense_server>/content/Default/qaw_sso.html.
-
Click Test connection. A dialog opens with details on the configuration.
-
Verify the entered details, and then click Save.
Logging in to Qlik Alerting
Once you have enabled single-sign on, you have multiple ways to log in to Qlik Alerting.
Logging in to Qlik Alerting from the Qlik Sense hub
Do the following:
-
Go to https://<qliksense_server>/hub/ and click your user profile icon.
-
Click the icon.
You are redirected to the Qlik Alerting start page.
Logging in to Qlik Alerting from the Qlik Sense extension
When you have created an alert in the Qlik Sense extension, you can navigate to Qlik Alerting without entering credentials.
Do the following:
-
In the Create alert dialog, click Detailed view.
You are redirected to the Qlik Alerting start page.
Logging in to Qlik Alerting from an email alert
If you have received an email alert from Qlik Alerting, you can log in from a link in the email.
Do the following:
-
Click the link in the email.
You are redirected to the default browser. If you have an active Qlik Sense or Qlik Alerting session, you are taken directly to the Qlik Alerting start page. Otherwise, you're asked to enter your Qlik Sense credentials. After successful login, you are redirected to Qlik Alerting.
Logging in to Qlik Alerting by entering the URL in a browser
Do the following:
-
Enter the Qlik Alerting URL in a browser: https://<alerting_server>:4552/
If you have an active Qlik Sense or Qlik Alerting session, you are taken directly to the Qlik Alerting start page. Otherwise, you are asked to enter your Qlik Sense credentials. After successful login you are redirected to Qlik Alerting.