Authentication
All authentication in Qlik Sense is managed by the Qlik Sense Proxy Service (QPS). The QPS authenticates all users regardless of Qlik Sense client type. This means that the QPS also authenticates users of the Qlik Management Console (QMC).
Qlik Sense always asks an external system to verify who the user is and whether the user can prove it. The interaction between Qlik Sense and the external identity provider is handled by authentication modules.
For a module to communicate with Qlik Sense, it has to be trusted. Transport Layer Security (TLS) and certificate authentication are used to authorize external components for communication with Qlik Sense.
In Qlik Sense, the authentication of a user consists of three distinct steps:
- Authentication module: Get the user identity and credentials.
- Authentication module: Request an external system to verify the user identity using the credentials.
- Transfer the user to Qlik Sense using the Ticket API, the Session API, headers, SAML, JWT, or OIDC.
The first two steps are always handled by the authentication module. It is up to the authentication module to verify the user in an appropriate way.
The third step can be performed in the following ways:
- Using the Ticket API, which transfers the user and the user's properties using a one-time ticket.
- Using the Session API, whereby an external module can transfer web sessions that identify the user and the user's properties to Qlik Sense.
- Using headers, with which a trusted system can transfer the user using HTTP headers. This is a common solution for integrating with single sign-on (SSO) systems.
- Qlik Sense can be configured to allow anonymous users (using, for example, SAML).
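The header option above depends on only the trusted system being able to set the identity header. The following Python function is an added example, not Qlik code: it shows a gateway in front of the QPS discarding every client-supplied copy of that header before adding the identity it verified itself. The header name `X-Qlik-User`, the function names, and the sample request are assumptions constructed for illustration.

```python
# Added example: header handling at the trusted SSO gateway.
# IDENTITY_HEADER is a hypothetical name; use the header name that is
# configured for header authentication in your own deployment.
IDENTITY_HEADER = "X-Qlik-User"

# Constructed sample request headers, as received from a client.
SAMPLE_INBOUND = [
    ("Host", "sense.example.test"),
    ("x-qlik-user", "DOMAIN\\bob"),   # client-supplied, must not pass
    ("Accept", "text/html"),
    ("X_QLIK_USER", "DOMAIN\\bob"),   # underscore spelling of the same name
]


def canonical(name):
    """Fold case and treat '_' as '-', because some servers and
    frameworks map both spellings to the same variable."""
    return name.strip().lower().replace("_", "-")


def forward_headers(inbound, authenticated_user):
    """Return (outbound_headers, dropped_count) for the upstream request.

    inbound: list of (name, value) pairs received from the client.
    authenticated_user: identity the gateway verified itself, or None.
    Client-supplied copies of the identity header are always removed;
    the gateway's value is added only for an authenticated user.
    """
    target = canonical(IDENTITY_HEADER)
    outbound = [(n, v) for n, v in inbound if canonical(n) != target]
    dropped = len(inbound) - len(outbound)  # worth logging when non-zero
    if authenticated_user is not None:
        if "\r" in authenticated_user or "\n" in authenticated_user:
            raise ValueError("CR/LF in user identity")
        outbound.append((IDENTITY_HEADER, authenticated_user))
    return outbound, dropped


if __name__ == "__main__":
    headers, dropped = forward_headers(SAMPLE_INBOUND, "DOMAIN\\alice")
    print(dropped, headers)
```

A non-zero `dropped` count means a client sent the identity header itself, which is worth recording in the gateway log.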
Logging in to Qlik Sense Enterprise on Windows is not possible using the default internal accounts identified by names starting with 'sa_' and having user directory INTERNAL (for example, sa_converter, sa_engine, and sa_proxy). These accounts are reserved for specific system functions and are not intended for direct user access or interactive logins.