Managing identity providers
In Qlik Sense Enterprise SaaS, you can use an already existing identity provider (IdP) when setting up your deployment. You can also choose to use the Qlik Account. In Qlik Sense Business, you can only use Qlik Account.
This topic describes how to configure the identity provider settings in Qlik Sense Enterprise SaaS. You also need to make configurations on the identity provider side. For a walk-through of those configurations, refer to the following resources:
Using Salesforce.com as an IDP for Qlik Sense Enterprise SaaS (OIDC authentication)
Using Active Directory Federation Services as an IDP for Qlik Sense Enterprise SaaS
How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP
Creating a new identity provider configuration
Do the following:
-
In the Management Console, open the section Identity provider.
-
Click Create new.
The page for creating an IdP configuration opens.
-
Select IdP type:
- Interactive for login of users
- Machine-to-Machine (M2M) for
- Multi-cloud for entering your local bearer token to create the identity provider configuration, see MSC - Deployments
-
Select your IdP provider. Select Generic if your specific IdP is not available as an option.
-
Optionally, enter a description.
-
Fill in the fields in the Application credentials section:
-
The first field is the URL to the endpoint that provides configuration information for the
-
- Auth0: OpenID configuration
-
- Okta/Generic: OpenID Connect metadata URI
-
Manual configuration
Sometimes a discovery URL is not available or does not give proper metadata. Instead of entering an endpoint URL for retrieval of metadata, you enter the corresponding data in the form. You only use manual configuration if you have not entered any discovery URL.
Do the following:
-
In the Create identity provider configuration panel, select a provider.
-
Turn on Manual configuration.
This disables the OpenID configuration field and enables the fields for manual configuration.
-
Add Issuer, URL to the identity provider.
-
Add Authorization endpoint, URL for interaction with the resource owner, where you get the authorization to access the resource.
-
Add Token endpoint, URL to get an access token.
-
Add User info endpoint, URL to get user information.
-
Add
-
Optionally, add End session endpoint, URL used to trigger a single sign-out.
-
Optionally, add Introspection endpoint, URL to validate reference tokens or JWTs.
-
Fill in the fields in the Claims mapping section.
Claims are statements (name/value pairs) about the entity (in many cases the user) and metadata about the
- sub, name, groups, email, client_id, picture
Groups claim is needed to receive groups.
- sub, name, groups, email, client_id, picture
-
At your identity provider, allow list your tenant URL. The setting has different names, for example, Allowed Callback URLs, Redirect URI, or Login redirect URI.
When allowlisting, you need to add login/callback to your tenant address. Example: https://<tenant name>/login/callback.
Note: You must use the original hostname and not the alias hostname when setting the redirect URI. You find the hostname under Settings > Tenant > Hostname.
-
-
Client ID (only for interactive): ID of the configured client at the IdP for interactive user authentication.
-
Client secret (only for interactive): Secret for the client configured at the IdP.
-
Realm (optional): Name to associate with the IdP. This is the same as the domain name in Qlik Sense Enterprise on Windows and it is used for naming consistency in multi-cloud.
-
-
Fill in the fields in the Claims mapping section.
Claims are statements (name/value pairs) about the entity (in many cases the user) and metadata about the
- sub, name, groups, email, client_id, picture
Groups claim is needed to receive groups.
- sub, name, groups, email, client_id, picture
-
At your identity provider, allow list your tenant URL. The setting has different names, for example, Allowed Callback URLs, Redirect URI, or Login redirect URI.
When allowlisting, you need to add login/callback to your tenant address. Example: https://<tenant name>/login/callback.
Note: You must use the original hostname and not the alias hostname when setting the redirect URI. You find the hostname under Settings > Tenant > Hostname.
Advanced options
The advanced options extend the capabilities of some IdPs.
Email verified override: Used in
Scope: Used in the
Post logout redirect URI (optional): Used to redirect a user to a defined URI after logout.
For an example of how to use post logout redirect URI, see: IdP: Using post logout redirect URI.
Enabling auto-creation of groups
Enable auto-creation of groups is turned on in the Management Console on the Settings page.
Groups are used for access control of users, and can optionally be automatically created from idp-groups.
| Property | Description |
|---|---|
| Enable auto-creation of groups |
When enabled, groups are inherited from the identity provider so that access can be granted to the same groups of users that exist in the IdP. This simplifies access administration compared to granting access to one user at a time. It is required that you use single sign-on and have administrative access to your IdP to configure groups. Note that new IdP groups will show up in Qlik Sense Enterprise as users log in (or log in again) to the Qlik Sense Enterprise tenant. IdP groups are not imported all at the same time. Instead, IdP groups are discovered at login time. Further, only groups associated with users in Qlik Sense Enterprise will be available as described earlier. |
Do the following:
- In the Management Console, go to the Settings page.
- Under the Groups section, switch on the Enable auto-creation of groups button.
Making changes to an existing IdP configuration
You can make changes to an existing IdP configuration.
Do the following:
-
In the Management Console, open the section Identity provider.
-
In the table, to the far right, click ... for the IdP that you want to edit.
A sub menu is displayed with options for activating/deactivating, validating, editing, and deleting IdPs.
Activating/Deactivating the IdP
You can have several different interactive IdPs configured in parallel, but only one active at a time. The others need to be deactivated or deleted. When you deactivate an interactive IdP, you automatically revert back to the Qlik Account configuration. For more information, see Deleting the IdP
Validating the IdP
Validation occurs automatically when an interactive IdP is saved, but you can also manually trigger a validation if needed, for example, after editing the IdP. When selecting Validate, you are taken to the identity provider for login, and then a series of other validation steps.
Editing the IdP
You can edit IdPs of all types. After editing, validate your changes to ensure that the IdP is working properly. The Validate option is not available for Machine-to-Machine configurations.
Deleting the IdP
In Qlik Sense Enterprise SaaS, the default IdP is Qlik Account. You can change to a corporate IdP of your choice. If you later decide to delete the corporate IdP, you need to be aware of the consequences.
When you delete a corporate IdP, the tenant reverts back to Qlik Account. Users who access the tenant via the deleted corporate IdP can no longer log in, nor can they can access content that they created. However, their content is visible by Qlik Account tenant administrators who could adjust ownership.
Also, if those users previously used Qlik Account, with the same email address as for the corporate IdP, any content created during the period with the Qlik Account is preserved.