
QlikView 11 Security - Authentication and Authorization

Dec 01, 2015


Divya Rao

Page 1: QlikView 11 Security - Authentication and Authorization

Security – Authentication and Authorization

“What’s New” in security in QlikView 11

Fredrik Lautrup

Ralph Senseny

Page 2: QlikView 11 Security - Authentication and Authorization

Legal Disclaimer

This Presentation contains forward-looking statements, including, but not limited to, statements regarding the value and effectiveness of QlikTech's products, the introduction of product enhancements or additional products and QlikTech's growth, expansion and market leadership, that involve risks, uncertainties, assumptions and other factors which, if they do not materialize or prove correct, could cause QlikTech's results to differ materially from those expressed or implied by such forward-looking statements. All statements, other than statements of historical fact, are statements that could be deemed forward-looking statements, including statements containing the words "predicts," "plan," "expects," "anticipates," "believes," "goal," "target," "estimate," "potential," "may," "will," "might," "could," and similar words. QlikTech intends all such forward-looking statements to be covered by the safe harbor provisions for forward-looking statements contained in Section 21E of the Exchange Act and the Private Securities Litigation Reform Act of 1995. Actual results may differ materially from those projected in such statements due to various factors, including but not limited to: risks and uncertainties inherent in our business; our ability to attract new customers and retain existing customers; our ability to effectively sell, service and support our products; our ability to manage our international operations; our ability to compete effectively; our ability to develop and introduce new products and add-ons or enhancements to existing products; our ability to continue to promote and maintain our brand in a cost-effective manner; our ability to manage growth; our ability to attract and retain key personnel; the scope and validity of intellectual property rights applicable to our products; adverse economic conditions in general and adverse economic conditions specifically affecting the markets in which we operate; and other risks more fully described in QlikTech's publicly available filings with the Securities and Exchange Commission. Past performance is not necessarily indicative of future results. The forward-looking statements included in this presentation represent QlikTech's views as of the date of this presentation. QlikTech anticipates that subsequent events and developments will cause its views to change. QlikTech undertakes no intention or obligation to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. These forward-looking statements should not be relied upon as representing QlikTech's views as of any date subsequent to the date of this presentation.

This Presentation should be read in conjunction with QlikTech's periodic reports filed with the SEC (SEC Information), including the disclosures therein of certain factors which may affect QlikTech’s future performance. Individual statements appearing in this Presentation are intended to be read in conjunction with and in the context of the complete SEC Information documents in which they appear, rather than as stand-alone statements.

© 2011 Qlik Technologies Inc. All rights reserved. QlikTech and QlikView are trademarks or registered trademarks of Qlik Technologies Inc. or its subsidiaries in the U.S. and other countries. Other company names, product names and company logos mentioned herein are the trademarks, or registered trademarks of their owners.

Page 3: QlikView 11 Security - Authentication and Authorization

Agenda

• Overview

• Ways to customize authentication

– Header Solution

– Web Tickets

– QlikView’s Authentication.aspx API

• Authorization between services

– Certificates

• Questions and Answers

Page 4: QlikView 11 Security - Authentication and Authorization

Overview

Page 5: QlikView 11 Security - Authentication and Authorization

Basic Architecture

[Diagram labels: Trust; QlikView; Authentication server]

Page 6: QlikView 11 Security - Authentication and Authorization

Customizing Authentication

Get user id and credentials

Verify credentials

Transfer user identity to QlikView

Page 7: QlikView 11 Security - Authentication and Authorization

[Diagram labels]

Front End: Web Server, QlikView Server, User Docs

Authentication – Who are you?

Authorisation – What documents can I see?

Back End: QlikView Publisher, Source Docs

Authorisation – What data sources can I use?

Page 8: QlikView 11 Security - Authentication and Authorization

Header Solution

[Figure labels: High; Low]

Page 9: QlikView 11 Security - Authentication and Authorization

Header Solution - Architecture

[Diagram labels: Trust zone A; Trust Zone B; Authentication server; Header]

Page 10: QlikView 11 Security - Authentication and Authorization

Use case – Integration using proxy

[Diagram labels: Trust zone A; Trust Zone B; User ID A; Header: User ID A; Apache reverse proxy; Header: QVUSER=A]

Page 11: QlikView 11 Security - Authentication and Authorization

Use case – SSO using filter

IIS

Header

Page 12: QlikView 11 Security - Authentication and Authorization

Web Tickets

[Figure labels: High; High; Low]

Page 13: QlikView 11 Security - Authentication and Authorization

Web Tickets

[Diagram labels: Trust; Authenticating system; User Directory]

Page 14: QlikView 11 Security - Authentication and Authorization

Use case – SAML using Webtickets

[Diagram labels: Trust; SAML Service provider; SAML Identity Provider]

Page 15: QlikView 11 Security - Authentication and Authorization

QlikView’s Authentication.aspx API

[Figure labels: High; High; Low]

Page 16: QlikView 11 Security - Authentication and Authorization

Authenticate.aspx - Architecture

User Directory

Authenticate to external directory

Login

Transfer user identity to QlikView

Page 17: QlikView 11 Security - Authentication and Authorization

Authenticate.aspx flow

[Flowchart labels: Get user credentials; Authenticate to external system; Success (Yes / No); Login failure; Resolve user groups; Transfer user to QlikView]

Page 18: QlikView 11 Security - Authentication and Authorization

Pseudo code

//Validate credentials with external authentication system
List<string> groups = new List<string>();
groups.Add("NTDOMAIN\\EXPORTXLS"); //Allow him to export to Excel for this session
groups.Add("MOBILE"); //He can see data that is allowed from mobile devices
IUser user = new NamedUser("NTDOMAIN\\XXX", groups, true);
QlikView.AccessPoint.User.GenericAuthentication(context, user);
//Ready to use QV

Page 19: QlikView 11 Security - Authentication and Authorization

Use Case – Authenticate.aspx

LDAP Directory

Authenticate to external directory

Group resolution using Directory Service Connector

Login

Transfer user identity to QlikView

Page 20: QlikView 11 Security - Authentication and Authorization

Use Case – Authenticate.aspx

LDAP Directory

Group resolution using Directory Service Connector

Request

Transfer user identity to QlikView

Verify certificate

Page 21: QlikView 11 Security - Authentication and Authorization

General security requirements

All authentication needs to be protected from eavesdropping

• Use encrypted communication such as HTTPS or VPN

All authentication is done outside the QlikView system, so trust must be established between the systems

• IP address whitelists

• Firewall restrictions

• Authentication using something you have

Hardening of the IIS platform in accordance with local security policy
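
The trust and encryption requirements above, applied to the header solution from the proxy use case, as an added example that is not part of the presentation or QlikView's own code. The header name QVUSER is taken from the slide; the proxy addresses, function names and reason strings are assumptions made for this sketch.

```python
import ipaddress

# Assumed values for this sketch: the header name comes from the slide's
# "QVUSER=A" example; the proxy addresses are constructed documentation IPs.
IDENTITY_HEADER = "qvuser"
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32"),
                   ipaddress.ip_network("2001:db8::10/128")]

def peer_is_trusted(peer_ip):
    """True if the connecting address is a whitelisted reverse proxy."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Compare IPv4-mapped IPv6 peers (::ffff:a.b.c.d) as plain IPv4.
    addr = getattr(addr, "ipv4_mapped", None) or addr
    return any(addr in net for net in TRUSTED_PROXIES)

def resolve_identity(peer_ip, headers, encrypted):
    """Return (user_id, reason); user_id is None when the header is refused.

    headers is a list of (name, value) pairs so duplicate headers stay visible.
    """
    if not peer_is_trusted(peer_ip):
        return None, "untrusted-peer"      # header value carries no trust
    if not encrypted:
        return None, "unencrypted-hop"     # HTTPS/VPN requirement not met
    values = [v.strip() for k, v in headers if k.lower() == IDENTITY_HEADER]
    if len(values) != 1:
        return None, "missing-or-duplicate-header"
    user = values[0]
    if not user or any(ord(c) < 0x20 or ord(c) == 0x7F for c in user):
        return None, "malformed-user-id"
    return user, "accepted"

# Constructed sample requests: (peer address, headers, hop encrypted?)
SAMPLES = [
    ("192.0.2.10", [("QVUSER", "A")], True),
    ("::ffff:192.0.2.10", [("QVUSER", "A")], True),
    ("198.51.100.7", [("QVUSER", "A")], True),
    ("192.0.2.10", [("QVUSER", "A")], False),
    ("192.0.2.10", [("QVUSER", "A"), ("qvuser", "B")], True),
    ("192.0.2.10", [("Host", "qv.example")], True),
]

def audit(samples=SAMPLES):
    return [resolve_identity(*s) for s in samples]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, audit()):
        print(sample[0], result)
```

The duplicate-header case is refused rather than resolved to one value, since a second copy means the proxy did not strip a header supplied from outside the trust zone.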

Page 22: QlikView 11 Security - Authentication and Authorization

How to Choose a Solution

[Decision tree labels. Questions (Yes / No): Web frontend to integrate with; Need to integrate content into portal using IFrames; Need to transfer groups from authentication system; SSO system with header support. Outcomes: Authenticate.aspx; WebTicket; Header]

Page 23: QlikView 11 Security - Authentication and Authorization

Certificates

Page 24: QlikView 11 Security - Authentication and Authorization

Certificates

Features

• Configuring Certificates in a multiple-server QlikView deployment removes the dependency on a QlikView Administration Group

• Certificates make it possible to build a trust domain between services that can be located in different domains/areas such as internal networks, extranets and the internet

• Eliminates the need to share an Active Directory (AD) or other user directories.

• The architecture is based on the QlikView Management Service (QMS) as the certificate manager (CA, Certificate Authority). The QMS will be able to create and distribute certificates to all services in the QlikView installation.

Page 25: QlikView 11 Security - Authentication and Authorization

Certificates

• When deploying Certificates all QlikView servers must be configured for certificates.

• QlikView services participating in the installation will receive certificates signed using this root certificate when added to the QMS.

Certificate Structure

• QMS as the Certificate Authority (CA) issues digital certificates that contain keys and the identity of the owner

• QlikView Management Service is an important part of the security solution and needs to be managed from a secure location to keep the certificate solution secure.

• The QMS is responsible for saying "yes, this service deployed on this server is a service in my installation".

Page 26: QlikView 11 Security - Authentication and Authorization

Questions

Page 27: QlikView 11 Security - Authentication and Authorization

With QlikView there are many ways to solve authentication; it’s just a matter of selecting the appropriate one based on the prerequisites of the customer

Page 28: QlikView 11 Security - Authentication and Authorization

Stay Qonnected

Fredrik Lautrup, [email protected]

Ralph Senseny, [email protected]

Page 29: QlikView 11 Security - Authentication and Authorization

Stay Qonnected

Visit partners.qlikview.com to download all Qonnections 2012 presentations

Join the conversation

Qonnections Community Group: tinyurl.com/qonnect-qlikcommunity

Qonnect Facebook Group: tinyurl.com/qonnect-facebook

Qonnect LinkedIn Group: tinyurl.com/qonnect-linkedin

Page 30: QlikView 11 Security - Authentication and Authorization

Thank you!