Creating a virtual proxy
A virtual proxy can be used to handle several different settings for authentication, session handling, and load balancing on the same physical server. Instead of having one server for each configuration, you can reduce the number of servers needed, by using virtual proxies.
Do the following:
-
Select Virtual proxies on the QMC start page or from the StartS drop-down menu to display the overview.
-
Click Create new. You cannot add a virtual proxy to more than one proxy at a time.
-
Edit the properties in the Virtual proxy edit window.
All fields are mandatory and must not be empty.
Property Description Default value Description
The description of the virtual proxy. Blank Prefix The path name in the proxy’s URI that defines each additional path. Example:
https://[node]/[prefix]/
Note the following:
- You can only use lowercase letters in the prefix. After upgrade to Qlik Sense 3.0, any uppercase letters in existing virtual proxies will automatically be replaced by lowercase letters.
- You can only use the following unreserved characters: (a-z, 0-9, "-", ".", "_" , "~"). For more information, see the Unreserved Characters section in the following document: Uniform Resource Identifier (URI): Generic Syntax
- You can use slashes (/), but the prefix cannot begin nor end with a slash.
Blank Session inactivity timeout (minutes) The maximum period of time with inactivity before timeout. After this, the session is invalid and the user is logged out from the system.
30 minutes Session cookie header name The name of the HTTP header used for the session cookie. This value is blank by default and you must enter a value.
Tip noteIt can be useful to include the value of the Prefix property above as a suffix in the cookie name.Blank Property Description Default value Anonymous access mode How to handle anonymous access:
- No anonymous user
-
Allow anonymous user
- Always anonymous user
No anonymous user Authentication method
-
Ticket: a ticket is used for authentication.
-
Header authentication static user directory: allows static header authentication, where the user directory is set in the QMC.
-
Header authentication dynamic user directory: allows dynamic header authentication, where the user directory is fetched from the header.
-
SAML: SAML2 is used for authentication.
-
JWT: JSON Web Token is used for authentication.
Ticket Header authentication header name The name of the HTTP header that identifies users, when header authentication is allowed. Mandatory if you allow header authentication (by selecting either Header authentication static user directory or Header authentication dynamic user directory for the Authentication method property).
Information noteHeader authentication only supports US-ASCII (UTF-8 is not supported).Blank Header authentication static user directory The name of the user directory where additional information can be fetched for header authenticated users. Mandatory if you allow static header authentication (by selecting Header authentication static user directory for the Authentication method property).
Blank Header authentication dynamic user directory Mandatory if you allow dynamic header authentication (by selecting Header authentication dynamic user directory for the Authentication method property). The pattern you supply must contain ‘$ud’, ‘$id’ and a way to separate them.
Example setting and matching header:
$ud\\$id – matches USERDIRECTORY\userid (backslashes must be escaped with an additional \)
$id@$ud – matches userid@USERDIRECTORY ($id and $ud can be in any order)
$ud:::$id – matches USERDIRECTORY:::userid
Blank Windows authentication pattern The chosen authentication pattern for logging in. If the User-Agent header contains the Windows authentication pattern string, Windows authentication is used. If there is no matching string, form authentication is used.
Windows Authentication module redirect URI When using an external authentication module, the clients are redirected to this URI for authentication. Blank (default module, that is Windows authentication Kerberos/NTLM) SAMLsingle logout Select the checkbox to enable a service provider initiated flow for SAML single logout. When selected, the metadata file generated for this virtual proxy will include single logout locations for POST and Redirect bindings. Blank SAML host URI The server name that is exposed to the client. This name is used by the client for accessing Qlik services, such as the QMC.
The server name does not have to be the same as the machine name, but in most cases it is.
You can use either http:// or https:// in the URI. To be able to use http://, you must select Allow HTTP on the edit page of the proxy that the virtual proxy is linked to.
Mandatory if you allow SAML authentication (by selecting SAML for the Authentication method property).
Blank SAML entity ID ID to identify the service provider. The ID must be unique.
Mandatory if you allow SAML authentication (by selecting SAML for the Authentication method property).
Blank SAML IdP metadata The metadata from the IdP is used to configure the service provider, and is essential for the SAML authentication to work. A common way of obtaining the metadata is to download it from the IdP website.
Click the browse button and open the IdP metadata .xml file for upload. To avoid errors, you can click View content and verify that the file has the correct content and format.
The configuration is incomplete without metadata.
SAML attribute for user ID The SAML attribute name for the attribute describing the user ID.Name or friendly name can be used to identify the attribute.
Blank SAML attribute for user directory The SAML attribute name for the attribute describing the user directory. Name or friendly name can be used to identify the attribute.If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'.
Blank
SAMLsigning algorithm The hash algorithm used for signing SAML requests. In order to use SHA-256, a third-party certificate is required, where the associated private key has the provider "Microsoft Enhanced RSA and AES Cryptographic Provider".
SAML attribute mapping Click Add new attribute to map SAML attributes to Qlik Sense attributes, and define if these are to be required by selecting Mandatory. Name or friendly name can be used to identify the attribute.If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'. JWT certificate Add the JWT .X509 public key certificate in PEM format. The following is an example of a public key certificate.
-----BEGIN CERTIFICATE-----
MIIDYTCCAkmgAwIBAgIJAM/oG48ciCGeMA0GCSqGSIb3DQEBCwUAMEcxEDAOBgNV
BAoMB0NvbXBhbnkxEzARBgNVBAMMCkpvaG4gRG9ubmUxHjAcBgkqhkiG9w0BCQEW
D2pkZUBjb21wYW55LmNvbTAeFw0xNzAzMjAxMjMxNDhaFw0yNzAzMTgxMjMxNDha
MEcxEDAOBgNVBAoMB0NvbXBhbnkxEzARBgNVBAMMCkpvaG4gRG9ubmUxHjAcBgkq
hkiG9w0BCQEWD2pkZUBjb21wYW55LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBALIaab/y0u/kVIZnUsRVJ9vaZ2coiB3dVl/PCa40fyZdOIK5CvbA
d0mJhuM7m/L4PldKmWh7nsPVC6SHAwgVwXASPHZQ6qha9ENChI2NfvqY4hXTH//Y
FYaGLuKHD7pE7Jqt7Bhdh1zbBjrzsr1eU4Owwv9W9DxM4tVx3Xx8AUCNRoEWgObz
Oqw9CfYY7/AWB8Hnr8G22X/l0/i4uJhiIKDVEisZ55hiNTEyqwW/ew0ilI7EAngw
L80D7WXpC2tCCe2V3fgUjQM4Q+0jEZGiARhzRhtaceuTBnnKq3+DnHmW4HzBuhZB
CLMuWaJowkKaSfCQMel6u0/Evxc8i8FkPeMCAwEAAaNQME4wHQYDVR0OBBYEFNQ9
M2Y5WlRCyftHlD2oIk12YHyBMB8GA1UdIwQYMBaAFNQ9M2Y5WlRCyftHlD2oIk12
YHyBMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHO46YLxtcMcanol
PUC5nGdyYchZVHkd4F5MIe82mypwFszXGvpxKQXyAIPMkTIGb1wnE/wbCfB7moxX
oFo+NoASER6wtt6FPHNcCiCXHm3B+2at16nOeMLfDefhQq03Q7qjfoa+7woAYole
C9fTHGAl4TMIPThGSluiVLOLgHFUHpZryI6DdiEutXiH4afXaw0mScG36Z1uvHIq
dPtjb/vDm1b9jvLITe8mZ8c2is1aBCLOdFvNupARxK7U3UD6HzGIh4x7eqo6Q9CK
mKIz25FHrKTkyi1n/0+SAlOGp8PSnWrRZKmHkHbpfY5lpCuIBY9Cu2l1Xeq4QW5E
AqFLKKE=
-----END CERTIFICATE-----
Blank JWTattribute for user ID The JWT attribute name for the attribute describing the user ID.
Blank JWTattribute for user directory The JWT attribute name for the attribute describing the user directory. If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'.
JWTattribute mapping Click Add new attribute to map JWT attributes to Qlik Sense attributes. If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'. Blank Property Description Default value Load balancing nodes Click Add new server node to add load balancing to that node. Blank Property Description Default value Extended security environment
Enabling this setting will send the following information about the client environment in the security header: OS, device, browser, and IP.
If not selected, the user can run the same engine session simultaneously on multiple devices.
Blank Session cookie domain By default the session cookie is valid only for the machine that the proxy is installed on. This (optional) property allows you to increase its validity to a larger domain. Example:
company.com
Blank (default machine) Additional response headers Headers added to all HTTP responses back to the client. Example:
Header1: value1
Header2: value2
Blank Host white list All values added here are validated starting from the bottom level. If, for example, domain.com is added, this means that all values ending with domain.com will be approved. If subdomain.domain.com is added, this means that all values ending with subdomain.domain.com will be approved.
To support switching schema when using cross-origin resource sharing (CORS), the host white list must include the schema to avoid requests being blocked by the CORS policy.
Example:
If you have a mashup loaded from an unsecure web site (http://subdomain.domain.com) and Qlik Sense running secure (https://qlik.sense... ), the schema, (http://subdomain.domain.com), must be present in the host white list.
Information noteEven if the white list is empty, the name of the machine where Qlik Sense is installed is still considered part of the white list, although not visible.Blank
Property Description Default value Session module base URI The address to an external session module, if any. Blank (default module, that is in memory) Load balancing module base URI The address to an external load balancing module that selects which Qlik Sense engine to use for the user’s session, if any. Blank (default module, that is round robin) The client authentication link is used to authenticate the client against the Qlik Sense server.
Information noteThe Client authentication link can be generated on any virtual proxy in the QMC. However, if the client authentication link will be retrieved from the hub, you must generate the link from the default virtual proxy on the central node.Property Description Default value Client authentication link host URI The Qlik Sense URI that will be a part of the client authentication link. Blank Client authentication link friendly name A name that helps the user to identify the host. The friendly name will be a part of the client authentication link. Blank Generate client authentication link Click the button to generate a link that can be copied and distributed to users. - Property Description Tags Tip noteIf no QMC tags are available, this property group is empty.Click the text box to be display a list of the available tags. Start typing to reduce the list. Connected tags are displayed under the text box.
Property Description Custom properties If no custom properties are available, this property group is not displayed at all (or displayed but empty) and you must make a custom property available for this resource type before it will be displayed here. -
Click Apply to save your changes. If a mandatory field is empty, Apply is disabled.
-
Click Apply in the action bar to save your changes.
Successfully updated is displayed at the bottom of the page.
Learn more
Did this page help you?
If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!