Qlik & PMN Integration

The following diagram below describes the overall architecture in place with the Qlik-PMN Integration. The purpose of this diagram is to provide a brief overview of the architecture and identify all key components.

A few key points to note:

• All communication between participating PopMedNet Networks is performed via the Cross Network Directory Service API. This includes synchronization of organization metadata, submission of requests, and processing of responses.

• The Qlik Server is configured to connect directly to the CNDS Service. The Qlik Apps retrieve vital information via the CNDS service such as available data sources, organization metadata, and other information.

• Qlik should be configured using Ticket Authentication to successfully allow PMN to communicate with and use the Qlik Apps.

• PMN Embeds Qlik Apps into the website and allows users to interact with the data and take necessary action.

Qlik Sense Proxy Service & Virtual Proxies

To properly configure a new virtual proxy, follow the procedure outlined below:

• Log onto the Server Qlik Sense is installed on.

• Launch the Qlik Management Console and wait for it to initialize.

• From the home screen, click on Virtual Proxies under the Configure System submenu from the main menu on the left.

• On the Virtual Proxies screen, you will see one Virtual Proxy already defined.

• To create a new Virtual Proxy, click on Create New at the bottom of the screen.

• For the new virtual proxy, configure it as follows:

  • Identification:

    • Description: Enter a name for the virtual proxy, such as ASPE CNDS Proxy or Custom Proxy.

    • Prefix: This prefix is used by PMN to construct the URL when accessing Qlik resources and Qlik applications and is used by the Qlik Sense Proxy Service to identify the virtual proxy and associated authentication and session handling policies to use. Note: The prefix is case- sensitive, so if you set this as tx and use TX or tX in PMN, the virtual proxy will fail to authenticate the users and revert to the default virtual proxy enforcing windows authentication for session authentication.

    • Session Cookie Header Name: This is used by the PMN Integration with Qlik to identify the cookie that stores the ticket authentication header. This should be set to X-Qlik-Session- WebTicket.

  • Authentication:

    • Anonymous Access Mode: This should be set to No Anonymous User. This ensures thatunauthenticated users can’t access the Qlik Server or the Apps using this virtual proxy.Authentication Method: This should be set to Ticket. This enables this virtual proxy for use with the ticket authentication protocol.

    • Windows Authentication Pattern: This should be set to Windows. This enables Windows Authentication as a fallback configuration on the virtual proxy.

  • Load Balancing:

    • Load Balancing Nodes: Add the default/central node to the virtual proxy.

  • Advanced:

    • Host White List: Add all IP Addresses and Domains that will be accessing the Qlik Sense server using this virtual proxy. This adds a second level of security in addition to using ticket authentication, by allowing access to the Qlik Sense Services via this virtual proxy when the origin is from the White List.

• Click on Apply to save the changes.
• From the menu on the right, click on Proxies located under Associated Items.
• Link the new virtual proxy to the Central/Default node to associate it to the default proxy service. This is crucial to enable the virtual proxy, given that if the virtual proxy is not linked to the Qlik Sense Proxy Service, it will not become active on the server and will not be usable.

Ticket Authentication Issues

During the integration process of Qlik with PopMedNet, we identified numerous issues with using ticket authentication. Not only was it unclear on how to configure the virtual proxy for ticket authentication properly, we had no actual sample code or settings to work off from. Thus, we had to struggle through various configurations and trial-runs before the proper configurations were identified.

For the integration of Qlik Apps within PopMedNet, the objective was to ensure that an authenticated user does not have to re-login or enter a different set of credentials when accessing Qlik resources within PMN. When using Windows Authentication the Qlik Apps automatically direct the browser to display an authentication dialog forcing the user to enter their windows credentials before they are given access to the Qlik App and its data.

To pre-authenticate users and perform a single sign-on in PMN and across the Qlik Apps integrated into the website, we had to rely on Ticket Authentication. The first and foremost requirement for this is to configure a new Virtual Proxy enabling Ticket Authentication on the Qlik Proxy Service. This was not an easy feat, as the process/requirements are not documented anywhere nor were the Qlik resources aware of the proper configurations. For the full configuration guide to adding a new virtual proxy, follow the procedure outlined in the previous section above.

Once the new virtual proxy has been configured and linked to the Qlik Proxy service, there are is an additional configuration required within the Qlik Management Console and a few outlines to implementing the actual application integration in code.

User Access Rules

All users that are authenticated using ticket authentication are granted access to the service but still require access allocation to the Qlik Resources before they are able to access and view Qlik Apps and other components related to the Qlik Sense server.

There are two methods of configuring these allocation rights. The first method involves going into the Qlik Management Console and registering each user separately and allocating them access rights manually. This is a tedious task as it involves configuring all users one-by-one and also requiring the administrator to maintain the users manually in the future as more users access PMN and the integrated Qlik Apps.

The second method involves configuring User Access Rules that dictates when users should be allocated access rights automatically. This can be configured to be determined by different set of rules, and once it has been configured, all users accessing Qlik resources via PMN are automatically granted access rights to the components.

To add and configure a new user access rule:

• Log onto the Qlik Sense Hub
• Click on License and Tokens from the homepage.
• Select User Access Rules from the right navigation bar.
• Click on create new to set up a new user access rule, or open an existing rule to modify it.
• Configure the user access rules to allow users access based off of different criteria set. As an example, refer to the screenshot below:

• In the image above, we’re granting all users that have the user directory values as indicated accessrights to the Qlik resources using Ticket Authentication. Note: The current PMN-Qlik integration implementation uses the name of the PMN Network as the user directory when authenticating a user against the Qlik Service, which is what is used in our user access rules here.
• Click on save to apply the changes.

Note: If the user access rule is not configured properly and/or not enabled, the user may get successfully authenticated using ticket authentication but they won’t be able to view any Qlik Apps in PMN.

Implementation Guidelines

Once the new Virtual Proxy has been configured, enabling ticket authentication on Qlik, and the user access rules have been defined, the next process is to perform the actual integration using code to load applications from Qlik into PMN. Without going into the actual implementation code, there are a certain set of rules that the developer needs to be aware of when working with ticket authentication in Qlik. Below are a few important notes about the integration process:

• The client application, PMN in this instance, transmits the user information and other metadata for the generation of the Ticket by the Qlik Proxy Service.

• On successful authentication and ticket generation, the Qlik server returns the ticket to the client application.

• The ticket is valid for 1 minute only and needs to be authenticated by the server within that time- frame. For this to happen, a call needs to occur from the client application to the Qlik Server that includes the ticket information. This can include accessing resource files, an application, or other artifacts from the Qlik Server.

• The first call to the Qlik server with the ticket is what authenticates the user and establishes the session. The Qlik Server returns a session cookie that the browser automatically injects with every subsequent call to the Qlik Server in the request header.

• After the first call, when accessing resources or components form the Qlik Server, we don’t need toinclude the ticket details with the request as all required information is stored in the session cookie.

• It is crucial to ensure that the first call successfully completes prior to additional requests beingrouted to the Qlik Server. If this isn’t implemented accordingly, subsequent calls will fail and mostlikely revert to Windows Authentication instead of ticket authentication.

• As an example, here’s a quick look at how PMN implements the initialization of the view whenloading a Qlik Sense App into view:

  <script type="text/javascript"> $(document).ready(function () {
  var cssURL = "@(string.Format( "{0}resources/autogenerated/qlik-styles.css",ViewBag.QlikBaseUrl)";
  $.ajax({
  type: "GET",
  url: jsURL,
  dataType: "script", crossDomain: true,
  success: function (param) {
  $('head').append('<link rel="stylesheet" type="text/css" href="' + cssURL + '">'); $.ajax({
  cache: true,
  dataType: "script",
  url: "/areas/cnds/js/search/datasources.js",
  }); }
  }); });
  </script>
  

In the above code, we’re making the first call to the Qlik Server to load require.js. The url constructedto load this resource includes the Qlik Ticket and is the call that authenticates the ticket as well as generates and retrieves the Qlik Session cookie from the Qlik Server.

Once we have successfully loaded require.js, then only do we add the link to the CSS stylesheet and also load the datasources.js script from PMN against the view, which is what handles the initialization of the PMN view and loads the Qlik View into the website.

Note that we’re not passing in the ticket again when we load qlik-styles.css from the Qlik Server.

PMN Configurations for Qlik

PMN CNDS requires certain configurations to be set in order to communicate with the Qlik Server and load Qlik Apps. In this section we will take a quick look at these configurations and how they should be configured.

All configurations in question are controlled via the web.config file for the Portal.

 <?xml version="1.0" encoding="utf-8"?>
       <configuration>
         <appSettings>
           .
           .
           .
           <add key="CNDS.Qlik.Host" value="pmndev001" />
           <add key="CNDS.Qlik.Prefix" value="tx" />
           <add key="CNDS.Qlik.Port" value="443" />
           <add key="CNDS.Qlik.IsSecure" value="True" />
           <add key="CNDS.Qlik.QPS.Port" value="4243"/>
           <add key="CNDS.Qlik.DataSourceSearchAppID"
                      value="7ca3d0e2-2f69-473a-b566-421dd9a70274" />
           <add key="CNDS.Qlik.DataSourceSearchObjectID" value="NVjNCH" />
           .
           .
           .
</appSettings>

The above snippet is from the web.config. The different settings that are required for integration with Qlik

are as follows:

CNDS.Qlik.Host

The name or address of the webserver to be accessed. This can also be the network machine name where the Qlik Server is hosted when connecting over the local network. The host name is not case-sensitive. For example; pmndev001 and PMNDev001 are equivalent.

CNDS.Qlik.Prefix

The prefix as configured for the virtual proxy. This is the path name in the proxy’s URI that defines the route for the virtual proxy, This is case-sensitive, so make sure that if the virtual proxy’s configured prefix is tx then it is entered as such and not Tx or TX.

CNDS.Qlik.Port

The port number used to identify the specific at the provided host. For default installation of Qlik Sense, this would be 443 using https.

CNDS.Qlik.IsSecure

Whether the protocol to be used is http or https.

CNDS.Qlik.QPS.Port

The configured port on which the Qlik Proxy Service is listening on. 4243 is the default port used by Qlik but this can be changed by the Administrator during the installation of Qlik on the server. Verify the port to be used from the Network Administrator.

CNDS.Qlik.DataSourceSearchAppID

This is the Application ID from the Qlik Server for the Data Source Search app. This is required by PMN to identify which application to load from the Qlik Server. As more applications are enabled for use within PMN, we should see additional configurations similar in nature to this being added for each application.

To identify the Application ID to set this configuration properly, follow the steps below:

• Log onto the Qlik Web Server

• Launch the Qlik Sense Hub. Note: It is a common misunderstanding that you can go to the Qlik

  Management Console and open the application details there to get the App ID from the URL. As perour observation, the ID displayed there does not match the actual application ID can thus doesn’twork as expected.

• Once the Qlik Sense Hub loads, click on the ... button and select Dev Hub. This will take you to the Dev Hub in a new tab.

• Once the Dev Hub loads up, click on either the Single Configurator Tool or the Engine API Explorer tool. In our case, let’s proceed with the Single Configurator tool.

  

• Once the tool initializes, click on Select an app and select the Data Sources application.

  

• Once the app has been selected and the Data Sources list is displayed, click on a data source andyou’ll be presented with a preview of the application.

• Note the URI, which includes the application ID for this specific Qlik Application.

• Copy the App ID and update the web.config in PMN accordingly.

CNDS.Qlik.DataSourceSearchObjectID

This is the Application Object ID for the Data Source Search app. To identify the Object ID, follow the same procedure outlined above to retrieve the App ID and from the last step, note the Object ID displayed for the Qlik Application.

Interacting with the Embedded Qlik App

Once a Qlik Sense App is embedded into a PMN View, we can implement different interactions with it, including but not limited to retrieving data and user selections from the Qlik App and more.

To interact with the app and it’s data, we utilize the Qlik Sense APIs. The Qlik Sense APIs provide tremendous flexibility to build, extend, and combine Qlik Sense with PopMedNet. The App API is used for all communication between PMN and the Qlik Sense App. This is an external interface used for communication with the Qlik Sense app and contains methods for app level commands. The full list of available commands can be found here.

Offering a complete web integration, the powerful App APIs enable data to be freely exchanged between Qlik Sense and the PMN Web Application. To interact with the Qlik App, the very first thing that we need to do is open the Qlik Sense app by using the Qlik API’s openApp method. This requires the application ID, which we set in the web.config.

Once the app has been loaded, we can then use the App API to work with the application objects and data. In PMN, we utilize the createTable method of the App API to define a table that allows us to capture data selection as soon as the selection state of the Qlik App changes. This allows us to capture user’s selection instantly as they work within the Qlik App and update our web UI accordingly.

 

This documentation was transferred from a short documentation by Salman Khalid (Unlicensed) entitled "Qlik & PMN Integration" written on 4/10/2017.

Related articles

• Page:
  Setting Up PMN URLs
• Page:
  Changing PMN SSO Endpoint
• Page:
  Turning Off SSO
• Page:
  Qlik & PMN Integration
• Page:
  How to Debug a DMC Adapter