Authentication methods

Authentication is often used in conjunction with a single sign-on (SSO) system that supplies a reverse proxy or filter for authentication of the user.

Note: Header and SAML authentication cannot be used for a default virtual proxy. If you only have a default virtual proxy you need to create a new virtual proxy for header or SAML authentication.

Do the following:

  1. Select Virtual proxies on the QMC start page or from the StartS drop-down menu to display the overview.

  2. Select the virtual proxy that handles the authentication and click Edit.
  3. In the Authentication property group, make the necessary selections.

    Depending on what authentication method you select, there are different additional fields.

    1. Property Description Default value
      Anonymous access mode

      How to handle anonymous access:

      • No anonymous user
      • Allow anonymous user

      • Always anonymous user
      No anonymous user

      Authentication method

      • Ticket: a ticket is used for authentication.

      • Header authentication static user directory: allows static header authentication, where the user directory is set in the QMC.

      • Header authentication dynamic user directory: allows dynamic header authentication, where the user directory is fetched from the header.

      • SAML: SAML2 is used for authentication.

      • JWT: JSON Web Token is used for authentication.

      Ticket
      Header authentication header name

      The name of the HTTP header that identifies users, when header authentication is allowed. Mandatory if you allow header authentication (by selecting either Header authentication static user directory or Header authentication dynamic user directory for the Authentication method property).

      Note: Header authentication only supports US-ASCII (UTF-8 is not supported).
      Blank
      Header authentication static user directory

      The name of the user directory where additional information can be fetched for header authenticated users. Mandatory if you allow static header authentication (by selecting Header authentication static user directory for the Authentication method property).

      Blank
      Header authentication dynamic user directory

      Mandatory if you allow dynamic header authentication (by selecting Header authentication dynamic user directory for the Authentication method property). The pattern you supply must contain ‘$ud’, ‘$id’ and a way to separate them.

      Example setting and matching header:

      $ud\\$id – matches USERDIRECTORY\userid (backslashes must be escaped with an additional \)

      $id@$ud – matches userid@USERDIRECTORY ($id and $ud can be in any order)

      $ud:::$id – matches USERDIRECTORY:::userid

      Blank
      Windows authentication pattern

      The chosen authentication pattern for logging in. If the User-Agent header contains the Windows authentication pattern string, Windows authentication is used. If there is no matching string, form authentication is used.

      Windows
      Authentication module redirect URI When using an external authentication module, the clients are redirected to this URI for authentication. Blank (default module, that is Windows authentication Kerberos/NTLM)
      SAML single logout Select the checkbox to enable a service provider initiated flow for SAML single logout. When selected, the metadata file generated for this virtual proxy will include single logout locations for POST and Redirect bindings. Blank
      SAML host URI

      The server name that is exposed to the client. This name is used by the client for accessing Qlik services, such as the QMC.

      The server name does not have to be the same as the machine name, but in most cases it is.

      You can use either http:// or https:// in the URI. To be able to use http://, you must select Allow HTTP on the edit page of the proxy that the virtual proxy is linked to.

      Mandatory if you allow SAML authentication (by selecting SAML for the Authentication method property).

      Blank
      SAML entity ID

      ID to identify the service provider. The ID must be unique.

      Mandatory if you allow SAML authentication (by selecting SAML for the Authentication method property).

      Blank
      SAML IdP metadata

      The metadata from the IdP is used to configure the service provider, and is essential for the SAML authentication to work. A common way of obtaining the metadata is to download it from the IdP website.

      Click the browse button and open the IdP metadata .xml file for upload. To avoid errors, you can click View content and verify that the file has the correct content and format.

      The configuration is incomplete without metadata.

       
      SAML attribute for user ID

      The SAML attribute name for the attribute describing the user ID.Name or friendly name can be used to identify the attribute.

      I do not know the name of a mandatory SAML attribute

      Blank
      SAML attribute for user directory

      The SAML attribute name for the attribute describing the user directory. Name or friendly name can be used to identify the attribute.If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'.

      I do not know the name of a mandatory SAML attribute

      Blank

       

      SAML signing algorithm

      The hash algorithm used for signing SAML requests. In order to use SHA-256, a third-party certificate is required, where the associated private key has the provider "Microsoft Enhanced RSA and AES Cryptographic Provider".

       
      SAML attribute mapping

      Click Add new attribute to map SAML attributes to Qlik Sense attributes, and define if these are to be required by selecting Mandatory. Name or friendly name can be used to identify the attribute.If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'.

      Note: SAML response based attributes are not taken into account when running product audit.
       
      JWT certificate

      Add the JWT .X509 public key certificate in PEM format. The following is an example of a public key certificate.

      -----BEGIN CERTIFICATE-----

      MIIDYTCCAkmgAwIBAgIJAM/oG48ciCGeMA0GCSqGSIb3DQEBCwUAMEcxEDAOBgNV

      BAoMB0NvbXBhbnkxEzARBgNVBAMMCkpvaG4gRG9ubmUxHjAcBgkqhkiG9w0BCQEW

      D2pkZUBjb21wYW55LmNvbTAeFw0xNzAzMjAxMjMxNDhaFw0yNzAzMTgxMjMxNDha

      MEcxEDAOBgNVBAoMB0NvbXBhbnkxEzARBgNVBAMMCkpvaG4gRG9ubmUxHjAcBgkq

      hkiG9w0BCQEWD2pkZUBjb21wYW55LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP

      ADCCAQoCggEBALIaab/y0u/kVIZnUsRVJ9vaZ2coiB3dVl/PCa40fyZdOIK5CvbA

      d0mJhuM7m/L4PldKmWh7nsPVC6SHAwgVwXASPHZQ6qha9ENChI2NfvqY4hXTH//Y

      FYaGLuKHD7pE7Jqt7Bhdh1zbBjrzsr1eU4Owwv9W9DxM4tVx3Xx8AUCNRoEWgObz

      Oqw9CfYY7/AWB8Hnr8G22X/l0/i4uJhiIKDVEisZ55hiNTEyqwW/ew0ilI7EAngw

      L80D7WXpC2tCCe2V3fgUjQM4Q+0jEZGiARhzRhtaceuTBnnKq3+DnHmW4HzBuhZB

      CLMuWaJowkKaSfCQMel6u0/Evxc8i8FkPeMCAwEAAaNQME4wHQYDVR0OBBYEFNQ9

      M2Y5WlRCyftHlD2oIk12YHyBMB8GA1UdIwQYMBaAFNQ9M2Y5WlRCyftHlD2oIk12

      YHyBMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHO46YLxtcMcanol

      PUC5nGdyYchZVHkd4F5MIe82mypwFszXGvpxKQXyAIPMkTIGb1wnE/wbCfB7moxX

      oFo+NoASER6wtt6FPHNcCiCXHm3B+2at16nOeMLfDefhQq03Q7qjfoa+7woAYole

      C9fTHGAl4TMIPThGSluiVLOLgHFUHpZryI6DdiEutXiH4afXaw0mScG36Z1uvHIq

      dPtjb/vDm1b9jvLITe8mZ8c2is1aBCLOdFvNupARxK7U3UD6HzGIh4x7eqo6Q9CK

      mKIz25FHrKTkyi1n/0+SAlOGp8PSnWrRZKmHkHbpfY5lpCuIBY9Cu2l1Xeq4QW5E

      AqFLKKE=

      -----END CERTIFICATE-----

      Blank
      JWT attribute for user ID

      The JWT attribute name for the attribute describing the user ID.

      Blank
      JWT attribute for user directory

      The JWT attribute name for the attribute describing the user directory. If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'.

       
      JWT attribute mapping Click Add new attribute to map JWT attributes to Qlik Sense attributes. If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'. Blank
  4. Click Apply to save your changes. If a mandatory field is empty, Apply is disabled.

    Successfully updated is displayed at the bottom of the page.

Did this information help you?

Thanks for letting us know. Is there anything you'd like to tell us about this topic?

Can you tell us why it did not help you and how we can improve it?