QlikView 11 Security - Authentication and Authorization
Security – Authentication and Authorization
“What’s New” in security in QlikView 11
Fredrik Lautrup
Ralph Senseny
Legal Disclaimer
This Presentation contains forward-looking statements, including, but not limited to, statements regarding the value
and effectiveness of QlikTech's products, the introduction of product enhancements or additional products and
QlikTech's growth, expansion and market leadership, that involve risks, uncertainties, assumptions and other factors
which, if they do not materialize or prove correct, could cause QlikTech's results to differ materially from those
expressed or implied by such forward-looking statements. All statements, other than statements of historical fact, are
statements that could be deemed forward-looking statements, including statements containing the words "predicts,"
"plan," "expects," "anticipates," "believes," "goal," "target," "estimate," "potential," "may", "will," "might," "could," and
similar words. QlikTech intends all such forward-looking statements to be covered by the safe harbor provisions for
forward-looking statements contained in Section 21E of the Exchange Act and the Private Securities Litigation Reform
Act of 1995. Actual results may differ materially from those projected in such statements due to various factors,
including but not limited to: risks and uncertainties inherent in our business; our ability to attract new customers and
retain existing customers; our ability to effectively sell, service and support our products; our ability to manage our
international operations; our ability to compete effectively; our ability to develop and introduce new products and add-
ons or enhancements to existing products; our ability to continue to promote and maintain our brand in a cost-effective
manner; our ability to manage growth; our ability to attract and retain key personnel; the scope and validity of
intellectual property rights applicable to our products; adverse economic conditions in general and adverse economic
conditions specifically affecting the markets in which we operate; and other risks more fully described in QlikTech's
publicly available filings with the Securities and Exchange Commission. Past performance is not necessarily indicative
of future results. The forward-looking statements included in this presentation represent QlikTech's views as of the
date of this presentation. QlikTech anticipates that subsequent events and developments will cause its views to
change. QlikTech undertakes no intention or obligation to update or revise any forward-looking statements, whether
as a result of new information, future events or otherwise. These forward-looking statements should not be relied upon
as representing QlikTech's views as of any date subsequent to the date of this presentation.
This Presentation should be read in conjunction with QlikTech's periodic reports filed with the SEC (SEC Information),
including the disclosures therein of certain factors which may affect QlikTech’s future performance. Individual
statements appearing in this Presentation are intended to be read in conjunction with and in the context of the
complete SEC Information documents in which they appear, rather than as stand-alone statements.
© 2011 Qlik Technologies Inc. All rights reserved. QlikTech and QlikView are trademarks or registered trademarks of
Qlik Technologies Inc. or its subsidiaries in the U.S. and other countries. Other company names, product names and
company logos mentioned herein are the trademarks, or registered trademarks of their owners.
Agenda
• Overview
• Ways to customize authentication
– Header Solution
– Web Tickets
– QlikView’s Authentication.aspx API
• Authorization between services
– Certificates
• Questions and Answers
Overview
Basic Architecture
[Diagram labels: Authentication server, Trust, QlikView]
Customizing Authentication
• Get user id and credentials
• Verify credentials
• Transfer user identity to QlikView
[Diagram: Front End (QlikView Server, Web Server, User Docs); Back End (QlikView Publisher, Source Docs)]
• Authentication – Who are you?
• Authorisation – What documents can I see?
• Authorisation – What data sources can I use?
Header Solution
[Scale graphic: High to Low]
Header Solution - Architecture
[Diagram labels: Trust zone A, Trust Zone B, Authentication server, Header]
Use case – Integration using proxy
[Diagram labels: Trust zone A, Trust Zone B, User ID A, Header: User ID A, Apache reverse proxy, Header: QVUSER=A]
Use case – SSO using filter
[Diagram labels: IIS, Header]
Web Tickets
[Scale graphic: High to Low]
Web Tickets
[Diagram labels: Trust, Authenticating system, User Directory]
Use case – SAML using Webtickets
[Diagram labels: Trust, SAML Service provider, SAML Identity Provider]
QlikView’s Authentication.aspx API
[Scale graphic: High to Low]
Authenticate.aspx - Architecture
[Diagram labels: User Directory, Login, Authenticate to external directory, Transfer user identity to QlikView]
Authenticate.aspx flow
[Flowchart boxes: Get user credentials; Authenticate to external system; Success (Yes/No); Login failure; Resolve user groups; Transfer user to QlikView]
Pseudo code
// Validate credentials with external authentication system
List<string> groups = new List<string>();
groups.Add("NTDOMAIN\\EXPORTXLS"); // Allow him to export to Excel for this session
groups.Add("MOBILE"); // He can see data that is allowed from mobile devices
IUser user = new NamedUser("NTDOMAIN\\XXX", groups, true);
QlikView.AccessPoint.User.GenericAuthentication(context, user);
// Ready to use QV
Use Case – Authenticate.aspx
[Diagram labels: LDAP Directory, Login, Authenticate to external directory, Group resolution using Directory Service Connector, Transfer user identity to QlikView]
Use Case – Authenticate.aspx
[Diagram labels: LDAP Directory, Request, Verify certificate, Group resolution using Directory Service Connector, Transfer user identity to QlikView]
General security requirements
All authentication needs to be protected from eavesdropping
• Use encrypted communication such as HTTPS or VPN
All authentication is done outside the QlikView system; therefore, trust needs to be established between the systems
• IP address whitelists
• Firewall restrictions
• Authentication using something you have
Hardening of the IIS platform in accordance with local security policy
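The trust requirements above applied to the header solution, as an added example that is not part of the presentation or of QlikView itself: a gate that accepts the QVUSER header only over an encrypted hop from an allowlisted proxy address. The proxy addresses, the sample requests and the function name are assumptions made for illustration.

```python
import ipaddress

HEADER_NAME = "QVUSER"  # header name from the proxy use-case slide
# Assumption: constructed addresses standing in for the authenticating proxies.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.20.0.10/32"),
    ipaddress.ip_network("10.20.1.0/28"),
]


def accept_header_identity(peer_ip, is_tls, headers):
    """Return the asserted user id, or None when the header must be ignored.

    peer_ip is the address of the directly connected peer (not a forwarded
    address taken from another header); headers is a list of (name, value)
    pairs so repeated headers remain visible. Hypothetical helper.
    """
    # Protect the identity from eavesdropping: refuse unencrypted hops.
    if not is_tls:
        return None
    # Established trust: only allowlisted systems may assert an identity.
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None
    # Exactly one non-empty identity header; a repeated header suggests a
    # client-supplied copy that the proxy did not strip.
    values = [v.strip() for n, v in headers if n.upper() == HEADER_NAME]
    if len(values) != 1 or not values[0]:
        return None
    return values[0]


# Constructed sample requests: (peer address, TLS?, headers)
SAMPLES = [
    ("10.20.0.10", True, [("QVUSER", "A")]),                   # trusted proxy
    ("192.0.2.7", True, [("QVUSER", "A")]),                    # direct client
    ("10.20.0.10", False, [("QVUSER", "A")]),                  # cleartext hop
    ("10.20.1.5", True, [("qvuser", "A"), ("QVUSER", "B")]),   # duplicate header
]

if __name__ == "__main__":
    for peer, tls, hdrs in SAMPLES:
        print(peer, tls, hdrs, "->", accept_header_identity(peer, tls, hdrs))
```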
How to Choose a Solution
[Decision tree. Questions (Yes/No): Web frontend to integrate with; Need to integrate content into portal using IFrames; Need to transfer groups from authentication system; SSO system with header support. Outcomes: Authenticate.aspx, WebTicket, Header]
Certificates
Features
• Configuring certificates in a multiple-server QlikView deployment removes the dependency on a QlikView Administration Group
• Certificates can be used to build a trust domain between services located in different domains/areas, such as internal networks, extranets and the internet
• Eliminates the need to share an Active Directory (AD) or other user directories.
• The architecture is based on the QlikView Management Service (QMS) as the certificate manager (CA, Certificate Authority). The QMS will be able to create and distribute certificates to all services in the QlikView installation.
• When deploying certificates, all QlikView servers must be configured for certificates.
• QlikView services participating in the installation will receive certificates signed using this root certificate when added to the QMS.
Certificate Structure
• QMS as the Certificate Authority(CA) issues digital certificates that contain keys and the identity of the owner
• QlikView Management Service is an important part of the security solution and needs to be managed from a secure location to keep the certificate solution secure.
• The QMS is responsible for saying "yes, this service deployed on this server is a service in my installation".
Questions
With QlikView there are many ways to solve authentication; it’s just a matter of selecting the appropriate one based on the prerequisites of the customer
Stay Qonnected
Fredrik Lautrup
Ralph Senseny
Visit partners.qlikview.com to download all Qonnections2012 presentations
Join the conversation
• Qonnections Community Group: tinyurl.com/qonnect-qlikcommunity
• Qonnect Facebook Group: tinyurl.com/qonnect-facebook
• Qonnect LinkedIn Group: tinyurl.com/qonnect-linkedin
Thank you!