Common QPR Authentication
Common authentication enables linking from one QPR product to the other without the need of a separate login for the product that is the link target. When you are authenticated to one QPR product, you are automatically authenticated all other QPR products as well. It is possible to configure a common authentication between following QPR products:
- QPR UI
- QPR ProcessAnalyzer Web Service
- QPR Suite Portal
- QPR Suite Web Services
Common authentication works in a way that if there is a valid (non expired) session existing in any of the systems, sessions for the other systems are refreshed automatically without the need to login again. If all sessions have expired, there is a need to relogin. If a session has been expired, a valid session in other system is able to renew the expired session without notifying user.
Common authentication needs to be setup for each QPR product according to the instructions described in this page.
In common authentication, username attribute is used to match user accounts between QPR products.
Configuring Common Authentication for QPR UI
To configure Common Authentication for QPR UI, follow these instructions:
- Determine the needed setting string as follows: it uses format PRODUCTNAME,URL;PRODUCTNAME,URL;... where PRODUCTNAME is either WAS, WS or PA. Example:
PA,http://localhost/QPRPA/MainService.svc/webHttp/;WAS,http://SERVERNAME/QPR/Portal/QPR.Isapi.dll;WS,http://SERVERNAME/QPR/Portal/QPR.Isapi.dll/wsforward/MainService.svc/webHttp/;SERVERNAME is the name of the corresponding server.
- Login to the QPR UI database using SQL Server Management Studio.
- Right click QPR UI database, select New Query, and define following query:
SELECT VALUE_FIELD FROM [DATABASENAME].[dbo].[CONFIGURATIONENTITY] WHERE KEY_FIELD ='AUTHENTICATION_SERVICES';
If the query returns a row, store the result for backup.
- If the step 4 query didn't return anything, run the following:
INSERT INTO [DATABASENAME].[dbo].[CONFIGURATIONENTITY](KEY_FIELD,VALUE_FIELD) VALUES ('AUTHENTICATION_SERVICES', 'SETTINGSTRING');
(replace the SETTINGSTRING with the one determined in step 1).
- If the step 4 query returned a row, run the following:
UPDATE [DATABASENAME].[dbo].[CONFIGURATIONENTITY] SET VALUE_FIELD = 'SETTINGSTRING' WHERE KEY_FIELD = 'AUTHENTICATION_SERVICES';
(replace the SETTINGSTRING with the one determined in step 1).
Configuring Common Authentication for QPR ProcessAnalyzer
For QPR ProcessAnalyzer the common authentication is configured to the web.config file. Search the <Qpr.ProcessAnalyzer.Common.Properties.Settings> section in the file containing placeholders for the settings ServerGroupPA, ServerGroupMD and ServerGroupMEA. To create a common authentication group to QPR UI, define the QPR UI url to the ServerGroupMD setting. To create a common authentication group to QPR Suite, define the QPR Suite url to the ServerGroupMEA setting. The setting ServerGroupPA is for creating an authentication group to another QPR ProcessAnalyzer server.
In the following example, the SERVERNAME needs to be replaced with the name of the corresponding QPR server:
<setting name="ServerGroupPA" serializeAs="Xml"> <value> <ArrayOfString xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <string>http://SERSERNAME</string> </ArrayOfString> </value> </setting> <setting name="ServerGroupMD" serializeAs="Xml"> <value> <ArrayOfString xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <string>http://SERVERNAME:8080/EnticeServices/</string> </ArrayOfString> </value> </setting> <setting name="ServerGroupMEA" serializeAs="Xml"> <value> <ArrayOfString xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <string>http://SERVERNAME/QPR/Portal/QPR.Isapi.dll</string> </ArrayOfString> </value> </setting>
Configuring Common Authentication for QPR Suite Portal and QPR Suite Web Service
- In the QPR application server, open file C:\ProgramData\QPR Software\QPR 2017\2017.1\Servers\Settings\QPR_Servers.ini. Note that you may have other version than QPR Suite 2017.
- In the [UMS Settings] section, set EnableSSOForPortal=1 (if EnableSSOForPortal setting already exists, change the existing setting. If the setting doesn't exist, create it as a new).
- If you are adding the common authentication to QPR UI, in the [WAS Settings] section, add
SERVERNAME is the name of the QPR UI server that is used when accessing QPR UI. Note that the url defined here does not contain a path part, such as EnticeServices. If you also need to add common authentication to QPR ProcessAnalyzer, add
as a new line. Note the increasing number in the setting name if AuthenticationService_1 is already reserved.
- Restart QPR Suite Windows service.
For more information, see the detailed instructions: http://kb.qpr.com/qpr2017-1/index.html?common_qpr_authentication.htm
Note also that the QPR Reporting Add-on has a separate mode for the common QPR authentication (in its web.config file qprauthenticationmode is set to commonqprauthentication). More information about Reporting Add-on web.config file.
Embed QPR Suite Portal in QPR UI
QPR Suite Portal can be embedded into QPR UI using External Content presentation object. When setting QPR Suite Portal url (in the External Content URL field), add the following parameter to the url: &xsession=<#sys:sessionId>. When the session id is passed to the Suite QPR Portal, user is automatically authenticated to QPR Portal using the common authentication.
QPR UI Session Expiration
By default, QPR UI user session will expire if there is no communication with the QPR UI server for 2 hours. This default expiration timeout time can be changed by adding or editing the SESSION_EXPIRATION_TIME value (in minutes) in the CONFIGURATIONENTITY table in QPR UI database configuration table.
If session in QPR Suite or QPR ProcessAnalyzer is still valid when QPR UI session has expired, QPR UI session is automatically renewed without the need to input credentials.
If federated authentication is in use, the user is redirected to the identity provider. Note that the session in the identity provider server may still be valid and thus there is not need to input credentials.