QlikView Security using Web Tickets

Sonja_Bauernfeind
Digital Support
Last Update:

Jun 24, 2021 3:31:27 PM

Updated By:

Andre_Sostizzo

Created date:

Nov 7, 2017 3:54:08 AM


In general, web tickets are a useful option in the following scenarios:

  • QlikView used in isolation, users stored in a database or LDAP
  • Login with Group information/SAML – Web Ticket allows you to not only send the username but the membership of groups too.  This can make administration of what the user can subsequently see much easier.
  • Login from dozens of online systems – e.g. log in with your Facebook ID, Google account or Salesforce.com account.  If you do not wish to hold any user credentials for QlikView, you can rely on online sources for identity as well.

How does Web Ticket work

  1. A new login page is created and its first task is to obtain the identity of the user
    • If the page is being added to a web Portal or application this can easily get the current user ID from their active session
    • If the page is standalone it might provide a form to enter a user id and password and validate them first (this is the example provided below)
    • In either case a range of technologies could be used to do this.
  2. QlikView is set up so that it trusts this login page to pass over validated users (see below for options)
  3. The login page now makes a request to QlikView which says “I have a user I Trust called FRED, can I have a ticket for him”
  4. QlikView returns a ticket to the login page which takes the form of a long string and internally records the user that is represented by that ticket
  5. The login page now builds a URL to the QlikView server address adding the ticket into the URL, the user is then redirected to that URL
  6. When the user hits the QlikView server, it extracts the ticket and checks its list of approved tickets; if the ticket is valid, the user is successfully logged into QlikView as FRED

NOTE
A ticket, once created, is valid for 2 minutes; if it is not used in that time it is destroyed.
Once a ticket is used to establish a session it cannot be used again.  Within that session a user can open several documents.
A web ticket can be used to open a single document or the QlikView Access Point
Web Tickets can be used with features such as Clustering and Document chaining
 

 

Resolution:

 

To use web tickets there are two areas that need to be addressed: the code in your login page and the server configuration.

Qlik Support cannot offer direct assistance with coding a web ticket solution. The information provided in this article is given as-is and if assistance is required, please contact Qlik Professional services.

QlikView Configuration 

  • First of all, while not mandatory it can be easier to use IIS for the QlikView Web Server when working with ticketing. It may be required to host your login page.
  • QlikView needs to be an Enterprise Edition License
  • QlikView needs to be running in DMS mode for security
  • The QlikView web site in IIS needs to be set up to use Anonymous permissions – it will be expecting Windows permissions by default. Specifically, it is the QVAJAXZFC directory that needs its permissions changed.
  • QlikView needs to trust the code asking for the ticket.  There is a web page within the QlikView web server called GetWebTicket.aspx which handles requests for tickets. It will only return a ticket to a trusted user/process, which is identified using one of two options:

    • Option 1 – use Windows permissions
    • Option 2 – use an IP address white list
        • Open the web server config file from C:\ProgramData\QlikTech\WebServer\config.xml
        • Locate the line  <GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx" />
        • Replace it with the following, specifying the IP address(es) of the web server(s) running the code


The Code & Example:

The function to request a ticket is a fairly simple HTTP POST which returns a ticket as a string. This method can be used by a wide range of technologies.  The examples provided here use ASP.NET, but they can easily be adapted for PHP, Java and others.

In its raw form the HTTP Post entry to the getwebticket.aspx page on the QlikView server looks like this:

    <Global method="GetWebTicket">
        <UserId>FRED</UserId>
        <GroupList><string></string></GroupList>
        <GroupsIsNames>true</GroupsIsNames>
    </Global>

 

The response containing the ticket should look like this:   <Global><_retval_>ABC123XYZ567FGH456</_retval_></Global>

The above raw commands need to be embedded into the code for the login form. The example provides no actual logic to authenticate the user against anything, but provides the framework to add it in.   The example takes the form of a simple login page asking for a user ID, password and optional groups. For cases where you already have the identity of the user, the UI from the example could be removed to give a seamless login from one system to another.

Once the login button is clicked, a Login function is called.  In the example this function does nothing and always says the user is valid; the example just trusts the entry automatically, so here you would need to provide code to suit your environment.

loginOK = ValidateUser(username, password);

Following user validation, the next function makes the HTTP POST to request a web ticket.  The code requires the URL of the QlikView server as input and, in this case, embeds a user ID and password that have permission to ask for a ticket (see notes on setting up QV trusts).

ticket = getTicket(username, groups, ticketinguser, ticketingpassword);

Once the ticket is returned, a URL is built and the user is redirected to either the access point or to a single document.              

Response.Redirect(RedirectLink);

 

You should now be redirected to the QlikView AccessPoint, be logged in as the user specified in the form, and see the documents that user is permitted to see.
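The ticket request and response described above, as an added Python example (not Qlik's ASP.NET sample). It builds the GetWebTicket body with an XML library so that a user ID or group name containing markup is sent as literal text rather than as extra elements, and it rejects a response that carries no ticket. The `text/xml` content type, the `fetch_ticket` helper name and the use of the IP white list option (no Windows credentials sent) are assumptions.

```python
import urllib.request
import xml.etree.ElementTree as ET

TICKET_PATH = "/QvAjaxZfc/GetWebTicket.aspx"  # path shown in the config.xml line above


def build_ticket_request(user_id, groups=()):
    """Build the GetWebTicket body; ElementTree escapes <, > and & in values."""
    if not user_id or any(ord(c) < 0x20 for c in user_id):
        raise ValueError("user id is empty or contains control characters")
    root = ET.Element("Global", {"method": "GetWebTicket"})
    ET.SubElement(root, "UserId").text = user_id
    group_list = ET.SubElement(root, "GroupList")
    for name in groups or [""]:  # the page's sample sends one empty <string>
        ET.SubElement(group_list, "string").text = name
    ET.SubElement(root, "GroupsIsNames").text = "true"
    return ET.tostring(root, encoding="utf-8")


def parse_ticket_response(body):
    """Return the ticket from <Global><_retval_>...</_retval_></Global>, or raise."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError("response is not well-formed XML") from exc
    ticket = (root.findtext("_retval_") or "").strip() if root.tag == "Global" else ""
    if not ticket:
        raise ValueError("no ticket in response")
    return ticket


def fetch_ticket(server, user_id, groups=(), timeout=10):
    """POST the request from a host the QlikView web server trusts (assumed helper)."""
    req = urllib.request.Request(
        server.rstrip("/") + TICKET_PATH,
        data=build_ticket_request(user_id, groups),
        headers={"Content-Type": "text/xml"},  # assumption, not stated on the page
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_ticket_response(resp.read())
```

Because the returned ticket logs a browser in as that user for up to 2 minutes, URL-encode it when building the redirect and keep it out of application logs.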

 
