Skip to main content
Switching from Qlik Account to a corporate IdP configuration

ON THIS PAGE

Switching from Qlik Account to a corporate IdP configuration

The following procedure describes how to switch from Qlik Account, the identity provider (IdP) provided by Qlik, to a corporate IdP configuration of your choice. The IdP must support OpenID Connect (OIDC).

The switch IdP process for all users is based on email address.

Information noteIt is best practice to use the recovery address when you change IdPs, to avoid any risk of locking yourself out during the change.

Removing Section Access table before configuring the corporate IdP

Before you configure your corporate IdP, you must remove or comment out the Section Access table from all apps, and perform a reload afterward.

After activating the corporate IdP, you can recreate the removed Section Access table, or remove the previously added comments, using the new identities provided from the newly-configured IdP. Again, a reload is needed to reactivate the table in the data model.

For information about section access, see Managing data security with Section Access.

Configuring the corporate IdP

Configuring a corporate IdP after you have been using Qlik Account for some time may require you to give special attention to the following in order to map content (apps, spaces, etc.) for your invited Qlik Account users switching over to the corporate IdP.

Do the following:

  1. Configure the interactive IdP in the Management Console, see Identity providers.

  2. Test the verification flow and ensure the result is successful. As a tenant admin, manually verify that the email and email_verified claims are present and with a value of true. This is important for successfully mapping content after the switch. Do not activate the IdP yet.

  3. Examine the Users list for the tenant via the Management Console.

  4. Identify users whose current email address does not match the corporate email address. When you switch IdPs to preserve content, the email addresses should match.

  5. For users who do not have a matching email address, the tenant admin needs to manually move content to the new account.

  6. Again, check the user list via the Management Console and verify that the correct corporate email addresses are now assigned to all users.

  7. Activate the interactive IdP.

  8. Open a new browser instance or an incognito window, to avoid conflict with existing login sessions. Access the tenant URL (<tenant>.<region>.qlikcloud.com/login) and verify that it takes you to the new interactive IdP.

  9. Log in and access the hub. Verify that Qlik Account content remains available to the user.

  10. Open the Management Console and verify that the user has the new IdP subject assigned to their existing User ID.

  11. Verify that the license assignments in the Management Console are still set correctly for all the users who have logged into the new corporate IdP.

  12. Recreate the Section Access tables, see Removing Section Access table before configuring the corporate IdP.

Information noteIf you delete or deactivate your interactive IdP configuration, you will revert back to Qlik Account, see Identity providers.