
Security Authentication and Authorization

What's New in Security in QlikView 11


Fredrik Lautrup, Ralph Senseny

Legal Disclaimer
This Presentation contains forward-looking statements, including, but not limited to, statements regarding the value and effectiveness of QlikTech's products, the introduction of product enhancements or additional products and QlikTech's growth, expansion and market leadership, that involve risks, uncertainties, assumptions and other factors which, if they do not materialize or prove correct, could cause QlikTech's results to differ materially from those expressed or implied by such forward-looking statements. All statements, other than statements of historical fact, are statements that could be deemed forward-looking statements, including statements containing the words "predicts," "plan," "expects," "anticipates," "believes," "goal," "target," "estimate," "potential," "may", "will," "might," "could," and similar words. QlikTech intends all such forward-looking statements to be covered by the safe harbor provisions for forward-looking statements contained in Section 21E of the Exchange Act and the Private Securities Litigation Reform Act of 1995. 
Actual results may differ materially from those projected in such statements due to various factors, including but not limited to: risks and uncertainties inherent in our business; our ability to attract new customers and retain existing customers; our ability to effectively sell, service and support our products; our ability to manage our international operations; our ability to compete effectively; our ability to develop and introduce new products and addons or enhancements to existing products; our ability to continue to promote and maintain our brand in a cost-effective manner; our ability to manage growth; our ability to attract and retain key personnel; the scope and validity of intellectual property rights applicable to our products; adverse economic conditions in general and adverse economic conditions specifically affecting the markets in which we operate; and other risks more fully described in QlikTech's publicly available filings with the Securities and Exchange Commission. Past performance is not necessarily indicative of future results. The forward-looking statements included in this presentation represent QlikTech's views as of the date of this presentation. QlikTech anticipates that subsequent events and developments will cause its views to change. QlikTech undertakes no intention or obligation to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. These forward-looking statements should not be relied upon as representing QlikTech's views as of any date subsequent to the date of this presentation. This Presentation should be read in conjunction with QlikTech's periodic reports filed with the SEC (SEC Information), including the disclosures therein of certain factors which may affect QlikTechs future performance. 
Individual statements appearing in this Presentation are intended to be read in conjunction with and in the context of the complete SEC Information documents in which they appear, rather than as stand-alone statements. 2011 Qlik Technologies Inc. All rights reserved. QlikTech and QlikView are trademarks or registered trademarks of Qlik Technologies Inc. or its subsidiaries in the U.S. and other countries. Other company names, product names and company logos mentioned herein are the trademarks, or registered trademarks of their owners.

#qonnections

Agenda
Overview

Ways to customize authentication
  Header Solution
  Web Tickets
  QlikView's Authentication.aspx API

Authorization between services


Certificates

Questions and Answers



Overview


Basic Architecture
Trust QlikView

Authentication server


Customizing Authentication

Get user id and credentials

Verify credentials

Transfer user identity to QlikView


Web Server

Authentication: Who are you?

QlikView Server

Authorisation: What documents can I see?

User Docs

Authorisation: What data sources can I use?


QlikView Publisher

Source Docs


Back End

Front End

Header Solution
High

Low


Header Solution - Architecture

Trust zone A Header Authentication server

Trust Zone B


Use case - Integration using proxy

Trust zone A
Header: QVUSER=A

Trust Zone B
User ID A

Apache reverse proxy


Use case - SSO using filter

Header

IIS

Web Tickets
High

High

Low


Web Tickets
Trust
Authenticating system

User Directory


Use case - SAML using Web Tickets


SAML Identity Provider

Trust SAML Service provider


QlikView's Authentication.aspx API


High

High

Low


Authenticate.aspx - Architecture
User Directory

Authenticate to external directory Login Transfer user identity to QlikView


Authenticate.aspx flow

1. Get user credentials
2. Authenticate to external system
3. Success?
   No: Login failure
   Yes: Resolve user groups, then transfer user to QlikView


Pseudo code

    // Validate credentials with external authentication system
    List<string> groups = new List<string>();
    groups.Add("NTDOMAIN\\EXPORTXLS"); // Allow him to export to Excel for this session
    groups.Add("MOBILE");              // He can see data that is allowed from mobile devices
    IUser user = new NamedUser("NTDOMAIN\\XXX", groups, true);
    QlikView.AccessPoint.User.GenericAuthentication(context, user);
    // Ready to use QV


Use Case - Authenticate.aspx


Group resolution using Directory Service Connector Authenticate to external directory Login Transfer user identity to QlikView

LDAP Directory

Use Case - Authenticate.aspx


LDAP Directory

Group resolution using Directory Service Connector Request

Verify certificate

Transfer user identity to QlikView



General security requirements


- All authentication needs to be protected from eavesdropping
  - Use encrypted communication such as HTTPS or VPN
- All authentication is done outside the QlikView system, therefore trust needs to be established between the systems
  - IP address whitelists
  - Firewall restrictions
  - Authentication using something you have
- Hardening of the IIS platform in accordance with local security policy
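One way to enforce the trust requirement above for the header solution, as an added example that is not from the original slides or from QlikView. Only the QVUSER header name comes from the deck; the function names, the sample addresses and the allowlist are assumptions.

```python
import ipaddress

HEADER = "QVUSER"  # header name from the deck's proxy use case

# Assumption: addresses of the reverse proxies in trust zone A (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.10/32"),
                   ipaddress.ip_network("10.0.1.11/32")]


def proxy_forward(client_headers, authenticated_user):
    """Proxy side: drop any inbound copy of the header, then set it from
    the identity the proxy itself verified."""
    out = [(k, v) for k, v in client_headers if k.upper() != HEADER]
    out.append((HEADER, authenticated_user))
    return out


def backend_identity(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Receiving side: return the user id, or None if the request must
    not be trusted."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in trusted):
        return None  # connection does not come from an allowlisted proxy
    values = [v.strip() for k, v in headers if k.upper() == HEADER]
    if len(values) != 1 or not values[0]:
        return None  # missing, empty or ambiguous identity
    return values[0]


def demo():
    # Constructed request that already carries a header of the same name.
    inbound = [("Host", "qv.example.test"), ("qvuser", "B")]
    forwarded = proxy_forward(inbound, "A")
    return (
        backend_identity("10.0.1.10", forwarded),   # allowlisted proxy
        backend_identity("192.0.2.7", forwarded),   # peer outside the allowlist
        backend_identity("10.0.1.10", inbound + [("QVUSER", "A")]),  # two values
    )


if __name__ == "__main__":
    print(demo())
```

The allowlist check only means something when the receiving web server is reachable solely through the proxy, which is what the firewall restrictions in the list above provide.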


How to Choose a Solution

[Decision tree. Questions: Web frontend to integrate with? Need to integrate content into portal using IFrames? Need to transfer groups from authentication system? SSO system with header support? Outcomes: Authenticate.aspx, WebTicket, Header.]

Certificates


Certificates
Features
- Configuring Certificates, in a multiple server deployment within QlikView, removes the dependency of a QlikView Administration Group
- Certificates allows the use of certificates to build a trust domain between services that can be located between different domains/areas such as internal networks, extranets and internet
- Eliminates the need to share an Active Directory (AD) or other user directories.
- The architecture is based on the QlikView Management Service (QMS) as the certificate manager (CA, Certificate Authority). The QMS will be able to create and distribute certificates to all services in the QlikView installation.

Certificates
Certificate Structure
- When deploying Certificates all QlikView servers must be configured for certificates.
- QlikView services participating in the installation will receive certificates signed using this root certificate when added to the QMS.
- QMS as the Certificate Authority (CA) issues digital certificates that contain keys and the identity of the owner.
- QlikView Management Service is an important part of the security solution and needs to be managed from a secure location to keep the certificate solution secure.
- The QMS is responsible for saying "yes, this service deployed on this server is a service in my installation".

Questions


With QlikView there are many ways to solve authentication; it's just a matter of selecting the appropriate one based on the prerequisites of the customer.


Stay Qonnected

Fredrik Lautrup, fredrik.lautrup@qlikview.com

Ralph Senseny, ralph.senseny@qlikview.com


Stay Qonnected

Visit partners.qlikview.com to download all Qonnections 2012 presentations

Join the conversation
Qonnections Community Group: tinyurl.com/qonnect-qlikcommunity
Qonnect Facebook Group: tinyurl.com/qonnect-facebook
Qonnect LinkedIn Group: tinyurl.com/qonnect-linkedin

Thank you!
