Virtual proxies
One or more virtual proxies run on each Qlik Sense Proxy Service (QPS), making it possible to support several sets of site authentication, session handling, and load balancing strategies on a single proxy node.
The Virtual proxies overview lists all the available virtual proxies. The following table presents the available fields and buttons. By default, only some of the fields are displayed. You can use the column selector to add fields.
Field/Button | Description |
---|---|
Description | The description of the virtual proxy. |
Prefix | The path name in the proxy’s URI that defines each additional path. You can only use lowercase letters in the prefix. |
Session cookie header name | The name of the HTTP header used for the session cookie. Information note: From the February 2019 release, a suffix (-HTTP) is added to the session cookie header name when a user accesses the system over http. |
Is default virtual proxy | Status values: Yes or No. |
Authentication method | |
Linked to proxy service | Status values: Yes or No. |
Tags | The tags that are connected to the virtual proxy. |
Header authentication header name | The header name. The name cannot contain any of the following strings: For example, Qlik-User, Y-Qlik-Userheader, or Userheader are valid values, while X-Qlik-Userheader would result in an invalid request. |
Header authentication static user directory | The name of the user directory where additional information can be fetched for header authenticated users. |
Header authentication dynamic user directory | The pattern used for identification of the user directory where additional information can be fetched for header authenticated users. |
Anonymous access mode | Three possible values: |
Windows authentication pattern | The chosen authentication pattern for logging in. If the User-Agent header contains the Windows authentication pattern string, Windows authentication is used. If there is no matching string, form authentication is used. |
Session cookie domain | By default, the session cookie is valid only for the machine that the proxy is installed on. This (optional) property allows you to increase its validity to a larger domain. Example: |
Has secure attribute (https) | Option for session cookie that has the Secure attribute and uses https. |
SameSite attribute (https) | SameSite attribute values for https: No attribute, None, Lax, Strict. For more information, see SameSite cookie attribute. |
Has secure attribute (http) | Option for session cookie that has the Secure attribute and uses http. |
SameSite attribute (http) | SameSite attribute values for http: No attribute, None, Lax, Strict. For more information, see SameSite cookie attribute. |
Additional response headers | Headers added to all HTTP responses back to the client. Example: |
Session inactivity timeout (minutes) | The maximum period of time with inactivity before timeout. After this, the session is invalid and the user is logged out from the system. |
Extended security environment | Status values: Yes or No. Yes: The following information about the client environment is sent in the security header: OS, device, browser, and IP. No: The user can run the same engine session simultaneously on multiple devices. |
SAML Metadata IdP | The metadata from the IdP, used to configure the service provider. Must exist for SAML authentication to work. |
SAML entity ID | ID to identify the service provider. The ID must be unique. |
SAML attribute for user ID | The SAML attribute name for the attribute describing the user ID. |
SAML attribute for user directory | The SAML attribute name for the attribute describing the user directory. |
SAML signing algorithm | The hash algorithm used for signing SAML requests. In order to use SHA-256, a third-party certificate is required, where the associated private key has the provider "Microsoft Enhanced RSA and AES Cryptographic Provider". |
JWT attribute for user ID | The JWT attribute name for the attribute describing the user ID. |
JWT attribute for user directory | The JWT attribute name for the attribute describing the user directory. If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'. |
Intended audience (aud attribute) | The intended audience is the recipient of the token. The audience value is a string, typically the base address of the resource being accessed, such as https://qlik.com. |
SAML single logout | Enable service provider initiated flow for SAML single logout. When enabled, make sure the IdP metadata file includes a logout URI. You also need to regenerate the metadata file and update the IdP configuration. |
Disable optional OIDC attributes | Only to be used when syncing users through a user directory connector. When selected, the attributes name, groups, email, and picture coming from user directory connector sync are protected from being overwritten by the attributes from the OIDC. |
OpenID Connect metadata URI | The URL to the endpoint that provides configuration information for the OAuth clients to interface with the identity provider using the OpenID Connect protocol. |
Client ID | ID of the configured client at the identity provider for user authentication. |
Realm | Name to associate with the identity provider, used for naming consistency in multi-cloud. |
sub | Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values. If the subject attribute value format is domainname\username, realm is optional. If not, realm is mandatory. |
name | Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values. |
groups | Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values. |
Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values. |
|
client_id | Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values. |
picture | Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values. |
scope | Used in the OAuth 2.0 specification to specify the access privileges when issuing an access token. For example, use this option to add a groups scope in case the identity provider requires that to support a user groups feature. |
ID | The ID of the virtual proxy. |
Created | The date and time when the virtual proxy was created. |
Last modified | The date and time when the virtual proxy was last modified. |
Modified by | By whom the virtual proxy was modified. |
<Custom properties> | Custom properties, if any, are listed here. |
Sort the list ascending or descending. Some columns do not support sorting. |
Type a string to filter on, or, when available, select a predefined value. All rows that match your filter criteria are displayed. You can filter on multiple columns simultaneously to narrow your search. If a filter is applied to a column, is displayed. To remove your criteria, click Actions in the table header bar and select Clear filters and search. You can combine filtering with searching. |
Actions | Options for clearing filter and search, selecting and deselecting all rows, and toggling wrapping. Information note: The option Select all rows is applied to the rows that are currently displayed. Any rows that have been filtered out before selecting all rows are disregarded, even if they were selected. The option Deselect all rows is applied to all rows, including those that were filtered out. |
Column selector: Select which columns to display in the overview. Click to reset to the default columns. |
Search – both basic and more advanced searches. |
Refresh the page. |
Edit | Edit the selected virtual proxies. |
Delete | Delete the selected virtual proxies. |
Download SP metadata | Download user configuration data from the identity provider. The information is available as IdP metadata that users can download and provide the service provider (Qlik Sense) with. The metadata is uploaded from the QMC and stored in the database (VirtualProxyConfig table) as a text field (samlMetadataIdP). |
Create new | Create a new virtual proxy. |
Show more | The overview shows a set number of items, by default. To show more items, scroll to the end of the list and click Show more. Searching, sorting, and filtering of items is always done on the full database list of items, not only the items that are displayed. |
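
The session cookie settings in the table (the header name with its -HTTP suffix over http, the Secure attribute, and the SameSite attribute) can be verified against a Set-Cookie response header captured from the proxy. The following Python check is an added example, not Qlik code; the cookie name X-Qlik-Session and the header values are constructed samples.

```python
"""Check a captured Set-Cookie header against virtual proxy cookie settings."""

# SameSite values listed in the table above.
SAMESITE_VALUES = {"No attribute", "None", "Lax", "Strict"}


def expected_cookie_name(header_name, scheme):
    """'-HTTP' is appended to the configured name when access is over http."""
    return header_name + "-HTTP" if scheme == "http" else header_name


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0].strip(), attrs


def check_session_cookie(set_cookie, scheme, header_name, secure, samesite):
    """Return mismatches between the observed cookie and the configured settings."""
    if samesite not in SAMESITE_VALUES:
        raise ValueError(f"unknown SameSite setting: {samesite!r}")
    name, attrs = parse_set_cookie(set_cookie)
    has_secure = "secure" in attrs
    seen = attrs.get("samesite")
    findings = []
    want = expected_cookie_name(header_name, scheme)
    if name != want:
        findings.append(f"cookie name is {name!r}, expected {want!r}")
    if has_secure != secure:
        findings.append(f"Secure present={has_secure}, configured={secure}")
    if samesite == "No attribute":
        if seen is not None:
            findings.append(f"SameSite={seen} sent, none configured")
    elif seen is None or seen.lower() != samesite.lower():
        findings.append(f"SameSite={seen}, configured={samesite}")
    # Chromium-based browsers drop SameSite=None cookies that lack Secure.
    if seen is not None and seen.lower() == "none" and not has_secure:
        findings.append("SameSite=None without Secure")
    return findings


if __name__ == "__main__":
    # Constructed sample: cookie name and value are assumptions.
    sample = "X-Qlik-Session=abc123; Path=/; HttpOnly; SameSite=None"
    for finding in check_session_cookie(sample, "https", "X-Qlik-Session", True, "Lax"):
        print(finding)
```

An empty result means the observed cookie matches the settings chosen for that scheme.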