
Creating a new identity provider configuration

Qlik Cloud provides identity provider (IdP) configuration for user login, API access, and multi-cloud setup. Each Qlik Cloud tenant supports one interactive IdP such as Qlik Account, Microsoft Entra ID (formerly Azure AD), OKTA, Auth0, or another IdP compliant with OpenID Connect (OIDC) or Security Assertion Markup Language (SAML).

Tenant administrators can create various IdP configurations from the Management Console:

  • For user login, configure an interactive IdP. Choose between OIDC or SAML, depending on the supported standard of your identity provider.

    Information note: Only one interactive IdP can be active at a time. If you deploy your custom interactive IdP, it will replace the Qlik Account login flow with the authentication process defined by your chosen IdP.
  • For API access, select Machine-to-Machine (M2M) authentication.

  • For seamless multi-cloud identity management, configure a Multi-cloud IdP with your local bearer token.

Creating a new interactive OIDC IdP configuration

Tenant administrators can create new IdP configurations. You can only have one single interactive IdP at a time. If you already have an active one, you need to first deactivate it before you can activate the new one. For more information, see Changing corporate IdP configurations.

This topic describes how to configure the identity provider settings in Qlik Cloud. You also need to make configurations on the identity provider side. For a walk-through of those configurations, refer to the following resources:

Do the following:

  1. In the Management Console, go to Identity provider and click Create new.

  2. For Type, select OIDC.

  3. For Provider, select an identity provider from the list, or choose Generic if your specific provider is not listed.

  4. Optionally, enter a description for the IdP configuration.

  5. Under Application credentials, you can enter the discovery URL. If a discovery URL is not available or does not give proper metadata, you also have the option to manually enter individual values. Manual configuration should be used only when a discovery URL has not been entered.

    Do one of the following:

    1. Enter the discovery URL. This is the URL to the endpoint that provides configuration data for the OAuth clients to interface with the IdP using the OpenID Connect protocol. The naming conventions for the discovery URL vary based on your chosen provider:

      • ADFS: ADFS discovery URL

      • Auth0: OpenID configuration

      • Keycloak: Keycloak OpenID endpoint configuration

      • Okta or Generic IdP: OpenID Connect metadata URI

      • Salesforce: Salesforce discovery URL

    or

    1. Select Manual configuration.

    2. Enter the following values:

      • Authorization endpoint: The URL for interaction with the resource owner, where you get the authorization to access the resource.

      • End session endpoint (optional): The URL used to trigger a single sign-out.

      • Introspection endpoint (optional): The URL to validate reference tokens or JWTs.

      • Issuer: The URL to the identity provider.

      • JWKS URI: The URI to the JSON Web Key Set containing public keys used for verification of a JSON Web Token (JWT).

      • Token endpoint: The URL to get an access token.

      • User info endpoint (optional): The URL to get user information.

    Figure: Configuration panes shown with and without using the discovery URL.
  6. Enter the Client ID: The ID of the configured client at the IdP for interactive user authentication.

  7. Enter the Client secret: The secret for the client configured at the IdP.

  8. Optionally, enter a Realm. This is the name to associate with the IdP. It is the same as the domain name in Qlik Sense Enterprise on Windows and it is used for naming consistency in multi-cloud.

  9. Fill in the fields under Claims mapping.

    Claims are statements (name/value pairs) about the entity (in many cases the user) and metadata about the OpenID Connect service. Mappings are available for sub, name, groups, email, client_id, picture, and email_verified (optional).

    Information note
    • You can enter multiple lookup values, separated by a comma, in the input fields. The first non-null value found will be used.

    • The groups claim is needed to receive groups. Note that nested groups are not supported in Microsoft Entra ID.

  10. Optionally, configure the advanced options. For more details, see Advanced options.

  11. Click Create.

    A confirmation dialog appears with the option to validate the IdP configuration.

    • To validate now, select Validate IdP and click Create. This will initiate the validation process. Follow the steps in the validation wizard to perform a login and verify that the user profile data is correct.

    • If you prefer to create the configuration now but validate it later, clear the Validate IdP checkbox and click Create. You can validate later by clicking More on your IdP configuration and selecting Validate.

    Figure: Confirmation dialog with the Validate IdP option selected.
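As an added example (not part of the Qlik documentation), the following Python maps an OpenID Connect discovery document onto the manual-configuration fields from step 5 and runs the checks worth doing before pasting values into the Management Console. The discovery document and the idp.example.test hostnames are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Qlik manual-configuration field -> key in the OpenID Connect discovery document
# (field names as shown in the Management Console, keys as defined by OIDC Discovery).
FIELD_TO_DISCOVERY_KEY = {
    "Issuer": "issuer",
    "Authorization endpoint": "authorization_endpoint",
    "Token endpoint": "token_endpoint",
    "JWKS URI": "jwks_uri",
    "User info endpoint": "userinfo_endpoint",          # optional in Qlik
    "End session endpoint": "end_session_endpoint",      # optional in Qlik
    "Introspection endpoint": "introspection_endpoint",  # optional in Qlik
}
REQUIRED_FIELDS = {"Issuer", "Authorization endpoint", "Token endpoint", "JWKS URI"}

# Constructed sample discovery document with placeholder hosts; the userinfo
# endpoint is deliberately plain http so the scheme check below fires.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.test/realms/demo",
    "authorization_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.test/realms/demo/protocol/openid-connect/certs",
    "userinfo_endpoint": "http://idp.example.test/realms/demo/protocol/openid-connect/userinfo",
    "end_session_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/logout",
})


def manual_fields_from_discovery(discovery_url, discovery_json):
    """Map a discovery document onto Qlik's manual-configuration fields.
    Returns (fields, problems); problems are what to clear before configuring."""
    doc = json.loads(discovery_json)
    fields, problems = {}, []
    for field, key in FIELD_TO_DISCOVERY_KEY.items():
        value = doc.get(key)
        if value is None:
            if field in REQUIRED_FIELDS:
                problems.append(f"{field}: missing '{key}' in discovery document")
            continue
        # Codes and tokens travel over these URLs, so every endpoint must be HTTPS.
        if urlparse(value).scheme != "https":
            problems.append(f"{field}: not https ({value})")
        fields[field] = value
    issuer = doc.get("issuer")
    # OIDC Discovery places the document at issuer + /.well-known/openid-configuration;
    # a mismatch usually means the wrong realm/tenant URL was entered.
    if issuer and discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append(f"Issuer: discovery URL does not match issuer {issuer}")
    return fields, problems
```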

Adding your tenant URL to the identity provider allowlist

At your identity provider, add your tenant URL to the allowlist. There are different names for this setting, for example, Allowed Callback URLs, Redirect URI, or Login redirect URI.

When you add the URL, you need to append login/callback to your tenant address, as in https://<tenant name>/login/callback.

Information note: Use the original tenant hostname and not the alias hostname when setting the redirect URI. You find the hostname under Settings > Tenant > Hostname in the Management Console.

Advanced options

The advanced options extend the capabilities of some IdPs.

Email verified override: Used in ADFS and in Microsoft Entra ID to ensure that the email address of a user can be used for identity mapping. This option is useful when switching IdPs, but also in the Management Console to distinguish two users with the exact same name.

Scope: Used in the OAuth 2.0 specification to specify the access privileges when issuing an access token. For example, use this option to add a groups scope in case the IdP requires that to support a user groups feature.

Post logout redirect URI: Used to redirect a user to a defined URI after logout. For an example of how to use post logout redirect URI, see Using post logout redirect URI.

Block passing 'offline_access' scope to identity provider: When using Google Identity or OneLogin as the identity provider, this setting must be turned on for the configuration to work with Qlik Sense Mobile SaaS and OAuth 2.0 applications.
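The first-non-null lookup described under Claims mapping (step 9), together with the Email verified override above, as an added Python example that is not Qlik's code; the token claims, the mapping and the way the override is modelled (a missing email_verified claim is treated as verified) are assumptions.

```python
# Constructed decoded ID-token payload (the JSON claims, not a signed JWT). There is
# no 'email' and no 'email_verified' claim, a shape often seen from ADFS / Entra ID.
SAMPLE_ID_TOKEN_CLAIMS = {
    "sub": "a1b2c3-placeholder",
    "name": "Example User",
    "upn": "example.user@corp.example.test",
    "preferred_username": "euser",
    "groups": ["qlik-analysts", "finance"],
}

# Qlik-style claims mapping: a comma-separated lookup list per field.
SAMPLE_CLAIMS_MAPPING = {
    "sub": "sub",
    "name": "name",
    "email": "email, upn, preferred_username",
    "groups": "groups",
    "picture": "picture",
    "email_verified": "email_verified",
}


def resolve_claims(mapping, claims, email_verified_override=False):
    """Resolve each mapped field as the page describes (first non-null lookup wins)
    and return (profile, warnings). email_verified_override models the advanced
    option: the email is accepted for identity mapping even without the claim."""
    profile, warnings = {}, []
    for field, lookups in mapping.items():
        value = None
        for key in (k.strip() for k in lookups.split(",")):
            if claims.get(key) is not None:
                value = claims[key]
                break
        profile[field] = value
    if profile.get("email_verified") is None:
        if email_verified_override:
            profile["email_verified"] = True
        else:
            warnings.append("email_verified missing: email cannot be used for identity mapping")
    if not profile.get("groups"):
        warnings.append("no groups claim received: check the groups claim/scope at the IdP")
    if profile.get("sub") is None:
        warnings.append("sub is missing: the user cannot be identified")
    return profile, warnings
```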

Creating a new interactive SAML IdP configuration

Tenant administrators can create new IdP configurations. You can only have one single interactive IdP at a time. If you already have an active one, you need to first deactivate it before you can activate the new one. For more information, see Changing corporate IdP configurations.

This topic describes how to configure the identity provider settings in Qlik Cloud. You also need to make configurations on the identity provider side. For a walk-through of those configurations, refer to the following topics:

Do the following:

  1. In the Management Console, go to Identity provider and click Create new.

  2. For Type, select SAML.

  3. For Provider, select an identity provider from the list, or choose Generic if your specific provider is not listed.

  4. Optionally, enter a description for the IdP configuration.

  5. Under Configuration, you have the option to either upload the SAML XML metadata from your identity provider or manually enter individual values.

    Do one of the following:

    1. Select Use IdP metadata.

    2. Click Upload file under SAML IdP metadata and choose the file containing metadata from your identity provider. Alternatively, if your identity provider metadata isn't available as a file, you can copy and paste the metadata directly in the IdP metadata field.

    or

    1. Click Upload file under Signing certificates to upload the certificate file.

      This is the certificate used by the identity provider to sign the SAML assertions sent to Qlik Cloud.

    2. Enter the Entity ID of your identity provider.

    3. Enter the Single sign-on URL.

      This is the endpoint where the SAML authentication requests are sent. It is the URL to which the user is redirected for authentication.

    4. Select a Name ID format.

    Figure: Configuration panes shown with and without using IdP metadata.
  6. Optionally, select Enable IdP-initiated login.

    The default login flow is that the user first goes to Qlik Cloud and is then redirected to the IdP for authentication. Enable IdP-initiated login if you want the user to first log in to the identity provider and then be redirected to Qlik Cloud.

  7. Modify the fields under Claims mapping or keep the default values.

    Claims mappings define how user attributes from your identity provider are associated with fields in the Qlik Cloud user model. Mappings are available for sub, name, email, groups, and picture. Adjust the values to fit your organization's needs and the attributes from your identity provider.

    Information note
    • You can enter multiple lookup values, separated by a comma, in the input fields. The first non-null value found will be used.

    • The groups claim is needed to receive groups. Note that nested groups are not supported in Microsoft Entra ID.

  8. Optionally, configure Post logout redirect URI under Advanced options.

    This is used to redirect a user to a defined URI after logout. For an example of how to use post logout redirect URI, see Using post logout redirect URI.

  9. Click Create.

    A confirmation dialog appears with the option to validate the IdP configuration.

    The SAML service provider metadata and signing certificate are available only after creating the IdP configuration. If you need this information to set up the identity provider, you can create the IdP without validation initially, and validate once the configuration at your identity provider is completed.

    • To validate now, select Validate IdP and click Create. This will initiate the validation process. Follow the steps in the validation wizard to perform a login and confirm that the user profile data is valid.

    • If you prefer to create the configuration now but validate it later, clear the Validate IdP checkbox and click Create. You can validate later by clicking More on your IdP configuration and selecting Validate.

    Figure: Confirmation dialog with the Validate IdP option selected.

Uploading the service provider metadata to your identity provider

Do the following:

  1. In the Management Console, on your newly created IdP configuration, click More and select View provider configuration.

    A dialog shows the service provider metadata and the URL to the metadata endpoint.

    Figure: Service provider metadata dialog.
  2. Depending on the setup at your identity provider, copy either the metadata or the URL and save it for later use. Download the signing certificate file, if needed. Click Done.

  3. At your identity provider, enter the service provider metadata. Make sure to configure the following required settings:

    • Assertion Consumer Service (ACS) URL. This is where the identity provider sends the SAML assertions after authentication.

    • Entity ID of the service provider.

    • The certificate for validating authentication requests. This is used by the identity provider to verify the authenticity of the service provider.

  4. Once the configuration at your identity provider is complete, you can validate your IdP configuration in the Management Console. Click More on your configuration and select Validate. Follow the steps in the validation wizard to perform a login and verify that the user profile data is correct.

Creating a new machine-to-machine IdP configuration

To configure a machine-to-machine IdP, follow the instruction for Creating a new interactive OIDC IdP configuration but select Machine-to-Machine (M2M) as the IdP type.

A few settings differ from the interactive OIDC configuration: the Client ID and Client secret fields do not apply in this context, and under Claims mapping only the sub and client_id mappings are available.

Enabling auto-creation of groups

Groups are used to control user access and can be automatically created from IdP groups. When auto-creation of groups is enabled, groups are inherited from the identity provider so that access can be granted to the same groups of users that exist in the IdP. This simplifies access administration compared to granting access to one user at a time.

As users log in, new IdP groups dynamically appear in Qlik Cloud. These groups are not imported all at the same time; rather, IdP groups are discovered during the login process. Only the groups associated with Qlik Cloud users are available.

To configure groups, you must use single sign-on and have administrative access to your IdP.

Do the following:

  1. In the Management Console, go to the Settings page.
  2. Under Feature control, select Creation of groups.
