Steve O. Ams, Jr. Ego Magnus Numen
Ego Magnus Numen

Impersonate User via JWT Virtual Proxy

Getting Started

I encourage you to gain a good understanding of the way jwt is actually used by Qlik Sense.

  1. You’ll need a Base64 RSA keypair (PEM Format).
    • You have a few options here…
      • You can export a keypair with the built -in certificate manager in the Qlik Sense QMC
      • Generate your own private public keypair
        • I personally prefer this tool, but this command works the same with openssl:
        • openssl genrsa -des3 -out jwt.private.pem 2048 && openssl rsa -in jwt.private.pem -outform PEM -pubout -out jwt.public.pem
  2. Next go to
    1. Create a keypair that matches the intended UserId field.
    2. Do the same for the UserDirectory field
    3. Repeat as needed for any additional attributes (e.g. Qlik Sense security rules derived from the user.environment namespace)
  3. Next, Configure your Qlik Sense virtual proxy for JWT Authentication for accepting the userId and UserDirectory you wish to impersonate.
    • This requires you to match the parameters in the attribute configuration that aligns with what you did on
    • be sure to place the public certificate in the certificate area
    • also, be sure to link the relevant engine nodes in the load balancing section
    • finally link the proxy noides exposed to this configuration in the related section (bottom right)
  4. Finally, find a good extension to perform the header injection for the header used by the JWT virtual proxy


“OpenSSL GenPKey Command.” Accessed April 22, 2019.