Skip to main content Skip to complementary content

Virtual proxies

One or more virtual proxies run on each Qlik Sense Proxy Service (QPS), making it possible to support several sets of site authentication, session handling, and load balancing strategies on a single proxy node.

The Virtual proxies overview lists all the available virtual proxies. The following table presents the available fields and buttons. By default, only some of the fields are displayed. You can use the column selector (Table) to add fields.

Tip noteYou can adjust the column width by dragging the header border.
Virtual proxies
Field/Button Description
Description The description of the virtual proxy.
Prefix The path name in the proxy’s URI that defines each additional path. You can only use lowercase letters in the prefix.
Session cookie header name

The name of the HTTP header used for the session cookie.

Information noteFrom the February 2019 release, a suffix (-HTTP) is added to the session cookie header name when a user accesses the system over http.
Is default virtual proxy

Status values: Yes or No.

Authentication method
  • Ticket: a ticket is used for authentication.

  • Header authentication static user directory: allows static header authentication, where the user directory is set in the QMC.

  • Header authentication dynamic user directory: allows dynamic header authentication, where the user directory is fetched from the header.

  • SAML: SAML2 is used for authentication.

  • JWT: JSON Web Token is used for authentication.

  • OIDC: OpenID Connect is used for authentication.

Linked to proxy service

Status values: Yes or No.

Tags The tags that are connected to the virtual proxy.
Header authentication header name

The header name. The name cannot contain any of the following strings:

  • X-Qlik-Security

  • X-Qlik-User

  • X-Qlik-ProxySession

  • X-Qlik-ProxyId

  • X-Qlik-Trace

  • X-Qlik-App

  • X-Qlik-Capabilities

For example, Qlik-User, Y-Qlik-Userheader, or Userheader are valid values, while X-Qlik-Userheader would result in an invalid request.

Header authentication static user directory

The name of the user directory where additional information can be fetched for header authenticated users.

Header authentication dynamic user directory

The pattern used for identification of the user directory where additional information can be fetched for header authenticated users.

Anonymous access mode

Three possible values:

  • No anonymous user: Users must supply user identity and credentials.

  • Allow anonymous user: Users enter as anonymous but can switch and log in with a user account.

  • Always anonymous user: Users are always anonymous.

Windows authentication pattern

The chosen authentication pattern for logging in. If the User-Agent header contains the Windows authentication pattern string, Windows authentication is used. If there is no matching string, form authentication is used.

Session cookie domain

By default the session cookie is valid only for the machine that the proxy is installed on. This (optional) property allows you to increase its validity to a larger domain. Example:

company.com

Has secure attribute (https) Option for session cookie that has the Secure attribute and uses https.
SameSite attribute (https)

SameSite attribute values for https:

No attribute, None, Lax, Strict

For more information, see SameSite cookie attribute

Has secure attribute (http) Option for session cookie that has the Secure attribute and uses http.
SameSite attribute (http)

SameSite attribute values for http:

No attribute, None, Lax, Strict

For more information, see SameSite cookie attribute

Additional response headers

Headers added to all HTTP responses back to the client. Example:

Header1: value1

Header2: value2

Session inactivity timeout (minutes)

The maximum period of time with inactivity before timeout. After this, the session is invalid and the user is logged out from the system.

Extended security environment

Status values: Yes or No.

Yes: The following information about the client environment is sent in the security header: OS, device, browser, and IP.

No: The user can run the same engine session simultaneously on multiple devices.

SAML Metadata IdP

The metadata from the IdP, used to configure the service provider. Must exist for SAML authentication to work.

SAML entity ID

ID to identify the service provider. The ID must be unique.

SAML attribute for user ID The SAML attribute name for the attribute describing the user ID.
SAML attribute for user directory

The SAML attribute name for the attribute describing the user directory.

SAML signing algorithm

The hash algorithm used for signing SAML requests. In order to use SHA-256, a third-party certificate is required, where the associated private key has the provider "Microsoft Enhanced RSA and AES Cryptographic Provider".

JWT attribute for user ID

The JWT attribute name for the attribute describing the user ID.

JWT attribute for user directory

The JWT attribute name for the attribute describing the user directory. If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'.

Intended audience (aud attribute) The intended audience is the recipient of the token. The audience value is a string, typically the base address of the resource being accessed, such as https://qlik.com.
SAML single logout Enable service provider initiated flow for SAML single logout. When enabled, make sure the IdP metadata file includes a logout URI. You also need to regenerate the metadata file and update the IdP configuration.
Disable optional OIDC attributes Only to be used when syncing users through a user directory connector. When selected, the attributes name, groups, email, and picture coming from user directory connector sync are protected from being overwritten by the attributes from the OIDC.
OpenID Connect metadata URI

The URL to the endpoint that provides configuration information for the OAuth clients to interface with the identity provider using the OpenID Connect protocol.

Client ID

ID of the configured client at the identity provider for user authentication.

Realm

Name to associate with the identity provider, used for naming consistency in multi-cloud.

sub

Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values.

If the subject attribute value format is domainname\username, realm is optional. If not, realm is mandatory.

name

Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values.

groups

Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values.

email

Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values.

client_id

Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values.

picture

Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values.

scope Used in the OAuth 2.0 specification to specify the access privileges when issuing an access token. For example, use this option to add a groups scope in case the identity provider requires that to support a user groups feature.
ID The ID of the virtual proxy.
Created The date and time when the virtual proxy was created.
Last modified The date and time when the virtual proxy was last modified.
Modified by By whom the virtual proxy was modified.
<Custom properties> Custom properties, if any, are listed here.
Arrow down Arrow up

Sort the list ascending or descending. Some columns do not support sorting.

Filter container

Type a string to filter on, or, when available, select a predefined value. All rows that match your filter criteria are displayed. You can filter on multiple columns simultaneously to narrow your search. If a filter is applied to a column, Filter container is displayed.

To remove your criteria, click Actions in the table header bar and select Clear filters and search.

You can combine filtering with searching.

Searching and filtering in the QMC

Actions

Options for clearing filter and search, selecting and deselecting all rows, and toggling wrapping.

Information noteThe option Select all rows is applied to the rows that are currently displayed. Any rows that have been filtered out before selecting all rows are disregarded, even if they were selected. The option Deselect all rows is applied to all rows, including those that were filtered out.
Table Column selector: Select which columns to display in the overview. Click Undo to reset to the default columns.
Search

Search – both basic and more advanced searches.

Searching and filtering in the QMC

Dimension - Cyclic

Refresh the page.

Edit Edit the selected virtual proxies.
Delete Delete the selected virtual proxies.
Download SP metadata Download user configuration data from the identity provider. The information is available as IdP metadata that users can download and provide the service provider (Qlik Sense) with. The metadata is uploaded from the QMC and stored in the database (VirtualProxyConfig table) as a text field (samlMetadataIdP).
Create new Create new Create a new virtual proxy.
Show more The overview shows a set number of items, by default. To show more items, scroll to the end of the list and click Show more. Searching, sorting, and filtering of items is always done on the full database list of items, not only the items that are displayed.
Tip noteDouble-click an item in the overview to open the resource's edit page. For multiple selections, hold down Ctrl while clicking the items, or drag over the items.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!