Changing corporate IdP configurations

The following procedure describes how to change from one corporate identity provider (IdP) configuration to another. The IdP that you change to must support OpenID Connect (OIDC).

The change involves deactivating the existing interactive IdP configuration and activating the new interactive IdP configuration. If you deactivate the currently active corporate IdP, you will revert to Qlik Account, see Identity providers.

Changing corporate IdPs can be disruptive for your users and the content they own. But if the users' email addresses are consistent across the change-over, the content will follow them. Read more about how to ensure this happens in this topic.

Note: It is best practice to use the recovery address when you change IdPs, to avoid any risk of locking yourself out during the change. You should have the recovery address stored in a safe place. When you first configured your Qlik Sense Enterprise SaaS deployment, you were asked to save the tenant URL and recovery address / link. See also: Known limitation in Qlik Cloud Services: Account Owner should not be removed as tenant admin.

Removing Section Access table before configuring the corporate IdP

Before you configure your corporate IdP, you must remove or comment out the Section Access table from all apps, and perform a reload afterward.

After activating the corporate IdP, you can recreate the removed Section Access table, or remove the previously added comments, using the new identities provided from the newly-configured IdP. Again, a reload is needed to reactivate the table in the data model.

For information about section access, see Managing data security with Section Access.

Configuring the corporate IdP

Configuring a corporate IdP after you have been using Qlik Account for some time may require you to give special attention to the following in order to map content (apps, spaces, etc.) for your invited Qlik Account users switching over to the corporate IdP.

Do the following:

  1. Configure the interactive IdP in the Management Console, see Identity providers.

  2. Test the verification flow and ensure the result is successful. As a tenant admin, manually verify that the email and email_verified claims are present and that email_verified has a value of true. This is important for successfully mapping content after the switch. Do not activate the IdP yet.

  3. Examine the Users list for the tenant via the Management Console.

  4. Identify users whose current email address does not match the corporate email address. To preserve content when you switch IdPs, the email addresses should match.

  5. For users who do not have a matching email address, the tenant admin needs to manually move content to the new account.

  6. Again, check the user list via the Management Console and verify that the correct corporate email addresses are now assigned to all users.

  7. Activate the interactive IdP.

  8. Open a new browser instance or an incognito window, to avoid conflict with existing login sessions. Access the tenant URL (<tenant>.<region>.qlikcloud.com/login) and verify that it takes you to the new interactive IdP.

  9. Verify that previous corporate IdP content remains available to the user.

  10. Open the Management Console and verify that the user has the new IdP subject assigned to their existing User ID.

  11. Verify that the license assignments in the Management Console are still set correctly for all the users who have logged into the new corporate IdP.

  12. Recreate the Section Access tables, see Removing Section Access table before configuring the corporate IdP.

Note: If you delete or deactivate your interactive IdP configuration, you will revert to Qlik Account, see Identity providers.
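
The claim check in step 2 and the email comparison in step 4 can be scripted before activation. The following is an added example, not Qlik code: it assumes you have captured an ID token from a test login and exported the tenant user list and the corporate directory yourself. The function names, the sample data, the strict boolean check and the case-insensitive email comparison are all assumptions of this example.

```python
import base64
import json


def decode_claims(id_token: str) -> dict:
    """Decode the payload of a JWT ID token for inspection only (no signature check)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_email_claims(claims: dict) -> list:
    """Return the problems that would block email-based content mapping (step 2)."""
    problems = []
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        problems.append("email claim missing or not an address")
    if "email_verified" not in claims:
        problems.append("email_verified claim missing")
    elif claims["email_verified"] is not True:
        # Assumption: strict boolean check; a string "true" is reported, not accepted.
        problems.append(f"email_verified is {claims['email_verified']!r}, expected true")
    return problems


def find_mismatched_users(tenant_users: list, corporate_emails: set) -> list:
    """Return tenant users whose email has no corporate counterpart (step 4)."""
    # Assumption: addresses are compared case-insensitively after trimming.
    known = {e.strip().lower() for e in corporate_emails}
    return [u for u in tenant_users if u["email"].strip().lower() not in known]


def _sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


# Constructed sample data, not taken from any real tenant or IdP.
GOOD = _sample_token({"sub": "idp|1001", "email": "ana@example.com", "email_verified": True})
BAD = _sample_token({"sub": "idp|1002", "email": "bo@example.com", "email_verified": "true"})
TENANT_USERS = [{"name": "Ana", "email": "Ana@Example.com"},
                {"name": "Bo", "email": "bo.personal@example.net"}]
CORPORATE = {"ana@example.com", "bo@example.com"}

if __name__ == "__main__":
    for label, tok in (("good", GOOD), ("bad", BAD)):
        print(label, check_email_claims(decode_claims(tok)) or "ok")
    print("move content manually for:", find_mismatched_users(TENANT_USERS, CORPORATE))
```

Users returned by find_mismatched_users are the ones whose content the tenant admin has to move manually in step 5.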