QlikView Ticketing in an Apache/Linux Environment

This article will describe one method of creating a Single Sign On (SSO) system to authenticate QlikView users originating from a Apache-based portal.

The method described in this article assumes an environment where an extranet user logs on to a public portal hosted by a company that wishes to give that user access to certain QlikView applications. This company (a) does not have an unlimited amount of Session CALs; (b) does not have an Extranet Server license; and (c) needs to implement Section Access security to ensure that the users only have access to content that they are allowed to see. It is also assumed that authentication takes place outside of QlikView—i.e. that the portal login system successfully and correctly authenticates against a directory such as mySQL or Oracle.

The advantage of a ticket (AKA token) based authentication system in QlikView is that all of the above considerations are addressed. First, users will be presented with a seamless experience in the sense that they will be immediately authenticated in QlikView via SSO, so will not be prompted to login twice. Second, because the user will be authenticated as a named user, he can be assigned a standard Named User or Document CAL; there is no need to purchase an expensive Session CALs or an Extranet Server license with Concurrent User CALs. Third, the Section Access NTNAME parameter can be used in conjunction with the authenticated username to dynamically reduce content visible to users.

An additional advantage of ticketing over header-based authentication is that there is no need to maintain a separate directory of custom users within QlikView's Custom Directory DSP. Ticketing relies on the fact that a user account that is a member of QlikView Administrators initiates the ticket request. Because the request comes from an Administrator, the QlikView Server trusts that the user has been externally authenticated and does not conduct a second check of its own. As a result, usernames can be totally arbitrary as the QVS will issue a ticket for any user.

Step 1 - QlikView Web Server and DMS Mode

For simplicity, I strongly recommend that you use the QlikView Web Server (QVWS) rather than IIS for this solution. Using IIS for this method often involves a lot of tedious configuration in order to be able to use the GetTicket method described below. By contrast, QVWS will work out-of-the-box without any additional configurations. QlikView Web Server authentication will need to be set correctly so that the browser does not attempt to use a user's Windows credentials to authenticate the user. To do this, simply navigate to the QlikView Management Console (QMC) >> System >> QlikView Web Servers >> Authentication. Change the Authentication Type from NTLM to "Custom User." QMC will automatically present a text box with the Parameter Prefix value for Custom Users; with the ticketing method, this setting will actually be ignored, so you can leave this at the default ("CUSTOM").

In addition, ticketing in QlikView will only function if the server has been set to DMS mode security, which allows QlikView, rather than Windows, to control file permissions (AKA authorization). To enable DMS mode, open QMC >> System >> QlikView Servers >> Security, and change the security mode from NTFS to DMS.

Step 2 - Document Authorization

Now that QlikView has been set as the authorization manager with the DMS mode change, proper document authorization needs to be set at the document level. Assuming that you are trying to give users access to a file called myfile.qvw, navigate to QMC >> Documents >> User Documents >> myfile.qvw >> Authorization. Add an authorization for "All Authenticated Users" and press "Apply." As mentioned above, ticketing (unlike header or login authentication) does not rely on a separate directory maintained within the QlikView environment. Consequently, access should be allowed for all authenticated users (ticketed users are counted as authenticated by QlikView). With the QVS in DMS mode, no Custom Directory set up, and NTLM authentication disabled in the QVWS settings, this does not pose a security risk: the only possible way that users can get into a document is with a ticket. An additional layer of security can be implemented with Section Access so that any user not specifically named in Section Access will be denied access to the application.

Step 3 - Create a Link to QlikView Application in the Portal

When a user logs in to the extranet portal, they will presumably be taken to a landing page. We now need to create a link within that landing page to the relevant QlikView application. Please note that users must be linked directly to an application in the method described below, rather than to the AccessPoint. For the sake of commonality, I will assume that this landing page has been written in PHP and the user is authenticated in the PHP header. The relevant code for the PHP landing page is as follows:

<?php

//Build HTTP XML request
function ticket_page ($path,$qvadm,$qvpass,$qvuserid){
$request = curl_init();
curl_setopt($request, CURLOPT_URL,$path);
curl_setopt($request, CURLOPT_RETURNTRANSFER,1);
curl_setopt($request, CURLOPT_HTTPAUTH,CURLAUTH_NTLM);
curl_setopt($request, CURLOPT_USERPWD, "$qvadm:$qvpass");
curl_setopt($request, CURLOPT_HTTPHEADER, array('X-Requested-With: XMLHttpRequest','Content-Type: text/xml'));
curl_setopt($request, CURLOPT_POSTFIELDS, '<Global method="GetTicket"><UserId>'.$qvuserid.'</UserId></Global>');
$FinalRequest = curl_exec($request);
curl_close($request);
return $FinalRequest;
}

//Leave both lines uncommented
$qvadmin = 'qvadmin@mydomain.com';//Set the QV admin username
$qvadminpass = '123456';//Set the QV admin password

//Leave both lines uncommented
$serverName = 'qlikview.mydomain.com'; //FQDN of the QVS
$qvdoc = 'myfile.qvw'; //file that user should have access to

//Set the QV user for whom to fetch a ticket; Pick one of the following and comment the other lines
//use this version for testing purposes (hardcoded username)
$qvuser = 'test_user';
//standard PHP header authentication
//$qvuser = $_SERVER['PHP_AUTH_USER'];
//other PHP authentication
//$qvuser = $_GET['user_id'];

$qvXML1 = ticket_page('http://'.$serverName.'/QvAJAXZfc/GetTicket.aspx?admin=',$qvadmin,$qvadminpass,$qvuser);
$qvXML2 = preg_split('<_retval_>', $qvXML1);
$qvXML3 = $qvXML2[1];
$qvXML4 = str_replace('>', '', $qvXML3);
$ticket = str_replace('</','', $qvXML4);
$url = "http://$serverName/qvAJAXzfc/opendoc.htm?document=$qvdoc&ticket=$ticket";

//Can uncomment the following line to automatically redirect to QVW
//If uncommenting, recommend deleting all JavaScript and HTML code below
//header("Location: $url");

?>

<script type="text/javascript">
function GoAjax() { window.open("<?php echo $url; ?>", "_blank"); }
</script>

<body>
<a onclick="javascript:GoAjax();" href="javascript:void(0);">QlikView</a>
</body>

Code Explanation

PHP: cURL with NTLM authentication is used for security purposes, in place of a JavaScript XMLHTTPRequest(), to generate the HTTP request. This prevents the user from seeing any of the credentials being passed to the QVS behind the scenes when viewing the webpage source.

The PHP section of the code also defines certain variables. These variables have been defined in PHP for security purposes so that users will never be able to see this code by viewing the webpage source. The $qvdoc variable is the name of the QVW that you wish to open. $serverName is the Fully Qualified Domain Name (FQDN) of the QVS. $qvuser is the user for whom you are requesting the ticket; this will typically exist in your PHP authentication header following a successful login. You can also use a hard-coded version for testing purposes. $qvadmin is the username of the QlikView Administrator user under whose account the XMLHttpRequest will be executed. And, finally, $qvadminpass is the password associated with the QlikView Administrator.

You can uncomment the last line in the PHP code segment (the header redirection) to automatically take the user to the QVW when the landing page loads. Alternatively, you can leave this line commented and use a link to access the QVW from the landing page.

JavaScript: The JavaScript GoAJAX() function simply opens a blank browser window with the ticketed URL. This function is called by the HTML link below. Note: if using PHP header redirection, the JavaScript and HTML code can be entirely deleted. A slightly modified function to that of GoAJAX() can be written to open the document using the IE Plugin.

HTML: The HTML section provides a link that will execute the JavaScript function GoAJAX() when clicked. The text "QlikView" can be replaced with a logo, etc.