QlikView Ticketing in an Apache/Linux Environment

This article will describe one method of creating a Single Sign On (SSO) system to authenticate QlikView users originating from a Apache-based portal.

The method described in this article assumes an environment where an extranet user logs on to a public portal hosted by a company that wishes to give that user access to certain QlikView applications. This company (a) does not have an unlimited amount of Session CALs; (b) does not have an Extranet Server license; and (c) needs to implement Section Access security to ensure that the users only have access to content that they are allowed to see. It is also assumed that authentication takes place outside of QlikView—i.e. that the portal login system successfully and correctly authenticates against a directory such as mySQL or Oracle.

The advantage of a ticket (AKA token) based authentication system in QlikView is that all of the above considerations are addressed. First, users will be presented with a seamless experience in the sense that they will be immediately authenticated in QlikView via SSO, so will not be prompted to login twice. Second, because the user will be authenticated as a named user, he can be assigned a standard Named User or Document CAL; there is no need to purchase an expensive Session CALs or an Extranet Server license with Concurrent User CALs. Third, the Section Access NTNAME parameter can be used in conjunction with the authenticated username to dynamically reduce content visible to users.

An additional advantage of ticketing over header-based authentication is that there is no need to maintain a separate directory of custom users within QlikView's Custom Directory DSP. Ticketing relies on the fact that a user account that is a member of QlikView Administrators initiates the ticket request. Because the request comes from an Administrator, the QlikView Server trusts that the user has been externally authenticated and does not conduct a second check of its own. As a result, usernames can be totally arbitrary as the QVS will issue a ticket for any user.

Step 1 - QlikView Web Server and DMS Mode

For simplicity, I strongly recommend that you use the QlikView Web Server (QVWS) rather than IIS for this solution. Using IIS for this method often involves a lot of tedious configuration in order to be able to use the GetTicket method described below. By contrast, QVWS will work out-of-the-box without any additional configurations. QlikView Web Server authentication will need to be set correctly so that the browser does not attempt to use a user's Windows credentials to authenticate the user. To do this, simply navigate to the QlikView Management Console (QMC) >> System >> QlikView Web Servers >> Authentication. Change the Authentication Type from NTLM to "Custom User." QMC will automatically present a text box with the Parameter Prefix value for Custom Users; with the ticketing method, this setting will actually be ignored, so you can leave this at the default ("CUSTOM").

In addition, ticketing in QlikView will only function if the server has been set to DMS mode security, which allows QlikView, rather than Windows, to control file permissions (AKA authorization). To enable DMS mode, open QMC >> System >> QlikView Servers >> Security, and change the security mode from NTFS to DMS.

Step 2 - Document Authorization

Now that QlikView has been set as the authorization manager with the DMS mode change, proper document authorization needs to be set at the document level. Assuming that you are trying to give users access to a file called myfile.qvw, navigate to QMC >> Documents >> User Documents >> myfile.qvw >> Authorization. Add an authorization for "All Authenticated Users" and press "Apply." As mentioned above, ticketing (unlike header or login authentication) does not rely on a separate directory maintained within the QlikView environment. Consequently, access should be allowed for all authenticated users (ticketed users are counted as authenticated by QlikView). With the QVS in DMS mode, no Custom Directory set up, and NTLM authentication disabled in the QVWS settings, this does not pose a security risk: the only possible way that users can get into a document is with a ticket. An additional layer of security can be implemented with Section Access so that any user not specifically named in Section Access will be denied access to the application.

Step 3 - Create a Link to QlikView Application in the Portal

When a user logs in to the extranet portal, they will presumably be taken to a landing page. We now need to create a link within that landing page to the relevant QlikView application. Please note that users must be linked directly to an application in the method described below, rather than to the AccessPoint. For the sake of commonality, I will assume that this landing page has been written in PHP and the user is authenticated in the PHP header. The relevant code for the PHP landing page is as follows:

<?php

//Build HTTP XML request
function ticket_page ($path,$qvadm,$qvpass,$qvuserid){
$request = curl_init();
curl_setopt($request, CURLOPT_URL,$path);
curl_setopt($request, CURLOPT_RETURNTRANSFER,1);
curl_setopt($request, CURLOPT_HTTPAUTH,CURLAUTH_NTLM);
curl_setopt($request, CURLOPT_USERPWD, "$qvadm:$qvpass");
curl_setopt($request, CURLOPT_HTTPHEADER, array('X-Requested-With: XMLHttpRequest','Content-Type: text/xml'));
curl_setopt($request, CURLOPT_POSTFIELDS, '<Global method="GetTicket"><UserId>'.$qvuserid.'</UserId></Global>');
$FinalRequest = curl_exec($request);
curl_close($request);
return $FinalRequest;
}

//Leave both lines uncommented
$qvadmin = 'qvadmin@mydomain.com';//Set the QV admin username
$qvadminpass = '123456';//Set the QV admin password

//Leave both lines uncommented
$serverName = 'qlikview.mydomain.com'; //FQDN of the QVS
$qvdoc = 'myfile.qvw'; //file that user should have access to

//Set the QV user for whom to fetch a ticket; Pick one of the following and comment the other lines
//use this version for testing purposes (hardcoded username)
$qvuser = 'test_user';
//standard PHP header authentication
//$qvuser = $_SERVER['PHP_AUTH_USER'];
//other PHP authentication
//$qvuser = $_GET['user_id'];

$qvXML1 = ticket_page('http://'.$serverName.'/QvAJAXZfc/GetTicket.aspx?admin=',$qvadmin,$qvadminpass,$qvuser);
$qvXML2 = preg_split('<_retval_>', $qvXML1);
$qvXML3 = $qvXML2[1];
$qvXML4 = str_replace('>', '', $qvXML3);
$ticket = str_replace('</','', $qvXML4);
$url = "http://$serverName/qvAJAXzfc/opendoc.htm?document=$qvdoc&ticket=$ticket";

//Can uncomment the following line to automatically redirect to QVW
//If uncommenting, recommend deleting all JavaScript and HTML code below
//header("Location: $url");

?>

<script type="text/javascript">
function GoAjax() { window.open("<?php echo $url; ?>", "_blank"); }
</script>

<body>
<a onclick="javascript:GoAjax();" href="javascript:void(0);">QlikView</a>
</body>

Code Explanation

PHP: cURL with NTLM authentication is used for security purposes, in place of a JavaScript XMLHTTPRequest(), to generate the HTTP request. This prevents the user from seeing any of the credentials being passed to the QVS behind the scenes when viewing the webpage source.

The PHP section of the code also defines certain variables. These variables have been defined in PHP for security purposes so that users will never be able to see this code by viewing the webpage source. The $qvdoc variable is the name of the QVW that you wish to open. $serverName is the Fully Qualified Domain Name (FQDN) of the QVS. $qvuser is the user for whom you are requesting the ticket; this will typically exist in your PHP authentication header following a successful login. You can also use a hard-coded version for testing purposes. $qvadmin is the username of the QlikView Administrator user under whose account the XMLHttpRequest will be executed. And, finally, $qvadminpass is the password associated with the QlikView Administrator.

You can uncomment the last line in the PHP code segment (the header redirection) to automatically take the user to the QVW when the landing page loads. Alternatively, you can leave this line commented and use a link to access the QVW from the landing page.

JavaScript: The JavaScript GoAJAX() function simply opens a blank browser window with the ticketed URL. This function is called by the HTML link below. Note: if using PHP header redirection, the JavaScript and HTML code can be entirely deleted. A slightly modified function to that of GoAJAX() can be written to open the document using the IE Plugin.

HTML: The HTML section provides a link that will execute the JavaScript function GoAJAX() when clicked. The text "QlikView" can be replaced with a logo, etc.

This entry was posted in QlikView Server, Security and tagged , , , , , , . Bookmark the permalink.

16 Responses to QlikView Ticketing in an Apache/Linux Environment

  1. Peter says:

    Is this concept legal to implement it?
    because we are not buying license, but we are using it for many users without license. so will qliktech agree for this concept to implement?

  2. Vlad Gutkovsky says:

    Peter, yes this concept is legal. It won’t work without licenses. When you fetch a ticket for a username and then open a document through that ticket, it will use a license for that user. There are no potential license-violation concerns here.

    Regards,
    Vlad

  3. Ankit says:

    Can you please tell me if this method will sign every user as admin?
    And if you could provide me with an example to implement the H Header sso for QlikView. (I do not have IIS, the system is using the QlikView server). I would be greatfull to you if you could help me out

    Thanks
    Ankit

  4. Vlad Gutkovsky says:

    Ankit, no, certainly not. User privileges are defined in Section Access, which can (and should) be set up to catch the ticketed usernames and define them as either ADMIN or USER.

    I don’t have a working example of header authentication. I strongly prefer ticketing over header authentication, as described in this article. As of v11, there is an even more powerful method called Web Ticketing, which I have now switched to. If you search on QlikCommunity, you can find numerous discussions about Web Ticketing.

    Regards,
    Vlad

  5. Ankit says:

    Thank you for the quick reply.
    I did see the web ticketing mentioned in most of the places. If possible, could you please provide me an example to implement it QVWS and JAVA.

    Thank you
    Ankit

  6. Vlad Gutkovsky says:

    Ankit, the only example that I have of this functionality is commercially ready–i.e. available for sale. It is implemented in C# and uses both QVWS and IIS.

    Regards,
    Vlad

  7. Jon says:

    Hi Vlad,

    Thanks for the article.

    Can you tell me if this was designed on QV10 or QV11?

    I’m having difficulty with the QVW prompting for a section access Username/Password even after my client getting a ticket from QVS successfully (and including that ticket in the call to open the QVW).

    Cheers,
    Jon

  8. Vlad Gutkovsky says:

    Jon, this article was written in v10. I’m not sure if it will work in v11, but I would not be shocked if it does not. As I mentioned in the comments above, v11 introduced a concept called “Web Tickets” which make life a lot easier (including letting you get to the AccessPoint instead of to a single document). You can probably modify the script I wrote in this article to switch over to the Web Ticket method. Take a look at this article for more details: http://community.qlikview.com/docs/DOC-3614

    Regards,
    Vlad

  9. chris says:

    hello – thanks for the post but isn’t this stating the admin and admin password within the php file? couldnt anyone rightclick on the webpage and find these out, or am I missing something?

  10. chris says:

    hi – i get a Parse error: syntax error, unexpected ‘;’ on line 33 ?

    not sure if it’s this line: $ticket = str_replace(‘</',

    — c

    • chris says:

      think? $ticket = str_replace(‘</','', is correct ?

      – still cant get ticket part of url working though..

      • Sorry for the delayed reply. Looks like the text was cut off. I fixed it above. However, keep in mind that this solution was only ever tested in v10. If you’re trying to implement it with v11, you’ll likely have to use web tickets (which are far superior anyway).

        Vlad

  11. chris says:

    hi thanks for the reply – im looking at web tickets now.

    struggling to find php code that can request the ticket. though.

  12. Bilge says:

    Great example.

    I have a quick question:
    I think the URL is constructed once, not every time the link is clicked (pls correct me if I am wrong, I am not familiar with PHP).

    If so, would not the ticket expire after a while (I believe 2 min)? Say, if I use the link 2 min after the page is loaded, will I still be able to open the qlikview app?

    Thanks

    • Bilge, I don’t currently have a testing environment readily available for this, but it should not work after ticket expiration. The counter starts running once the ticket has been issued by the QVS.

      Vlad

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify via email when new comments are added

Blog Home
Archives