Using ADFS as an IdP for Qlik Sense Enterprise on Kubernetes

You can use ADFS as an identity provider so that users from ADFS can log in to a Qlik Sense Enterprise on Kubernetes tenant.

Connecting Qlik Sense Enterprise on Kubernetes with ADFS

Before you start, make sure you have the following:

  • An ADFS installation

  • The required resources configured in ADFS

  • Configuration settings from your ADFS application: discoveryUrl, clientId, and clientSecret

  • The following values from your hybrid deployer: public key, key ID, and issuer

Note: Many of the code examples contain placeholder values that need to be replaced by your own values.

You provide configuration to Qlik Sense Enterprise on Kubernetes by using a values.yml file. The values.yml file should look like the following example:

devMode:
  enabled: true

engine:
  acceptEULA: "yes"

identity-providers:
  secrets:
    idpConfigs:
      - discoveryUrl: "https://adfs-host/adfs/.well-known/openid-configuration"
        clientId: "https://adfs.elastic.example/1234567890"
        clientSecret: "<client secret>"
        realm: "ADFS"
        hostname: "adfs.elastic.example"
        useClaimsFromIdToken: true
        claimsMapping:
          sub: ["sub", "appid"]
          client_id: "appid"
          name: "display_name"
      - issuerConfig:
          issuer: https://the-issuer
        primary: false
        realm: "ADFS"
        hostname: "adfs.elastic.example"
        staticKeys:
        - kid: "thekid"
          pem: |-
            -----BEGIN PUBLIC KEY-----
            MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEsMSxQjXxrvqoKSAREQXsr5Q7+/aetjEb
            OUHt8/Cf73WD56cb4QbHthALl5Ej4MUFOAL9imDmVQe58o9b1j5Zo16Rt1gjLDvd
            nqstc+PX4tyxqGadItJAOU3jka7jYghA
            -----END PUBLIC KEY-----

Note: The useClaimsFromIdToken flag must be set to true. It instructs edge-auth to use the claims from the ID token instead of querying the userinfo endpoint, because ADFS returns very little in the userinfo response and puts most of the information in the ID token.

You must insert your own values for discoveryUrl, clientId, clientSecret, realm, and hostname.
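The following added example (not Qlik's edge-auth code and not part of this page) models what the two settings above do to a login: useClaimsFromIdToken selects the ID token rather than the userinfo response as the claim source, and claimsMapping maps the Qlik identity fields to ADFS claims. The sample claims are constructed; the interpretation of a list in claimsMapping (sub: ["sub", "appid"]) as "use the first claim that is present" is an assumption, since the page does not spell it out.

```python
"""Claim resolution as configured by the values.yml above.

Added example, not Qlik's code. It models the two settings the page explains:
useClaimsFromIdToken chooses the ID token over the userinfo response as the
claim source, and claimsMapping maps Qlik identity fields to ADFS claims.
ASSUMPTION: a list in claimsMapping (sub: ["sub", "appid"]) means "use the
first of these claims that is present"; the page does not spell this out.
"""

# claimsMapping copied from the values.yml above.
CLAIMS_MAPPING = {"sub": ["sub", "appid"], "client_id": "appid", "name": "display_name"}

# Constructed sample claims. ADFS puts the useful claims in the ID token and
# returns almost nothing from userinfo, which is what the page describes.
ID_TOKEN_CLAIMS = {
    "iss": "https://adfs-host/adfs",
    "aud": "https://adfs.elastic.example/1234567890",
    "sub": "S-1-5-21-1111-2222-3333-1001",        # constructed SID-style subject
    "appid": "https://adfs.elastic.example/1234567890",
    "display_name": "Alice Example",
}
USERINFO_CLAIMS = {"sub": "S-1-5-21-1111-2222-3333-1001"}

# Constructed claims of a token issued to an application (client credentials
# flow): there is no user subject, only the application id.
APP_TOKEN_CLAIMS = {"iss": "https://adfs-host/adfs",
                    "appid": "https://adfs.elastic.example/1234567890"}


def pick_claim(claims, source):
    """Return the first candidate claim in `source` that is present and non-empty."""
    candidates = [source] if isinstance(source, str) else list(source)
    for name in candidates:
        if claims.get(name) not in (None, ""):
            return claims[name]
    return None


def resolve_identity(id_token_claims, userinfo_claims, use_claims_from_id_token,
                     mapping=CLAIMS_MAPPING):
    """Build the Qlik identity fields from the configured claim source.

    Raises ValueError when no subject can be derived: a login without a stable
    subject cannot be tied to a user."""
    source = id_token_claims if use_claims_from_id_token else userinfo_claims
    identity = {field: pick_claim(source, src) for field, src in mapping.items()}
    if identity.get("sub") is None:
        where = "ID token" if use_claims_from_id_token else "userinfo"
        raise ValueError(f"no subject claim found in {where}")
    return identity


def missing_fields(identity):
    """Names of identity fields that the chosen claim source could not fill."""
    return sorted(field for field, value in identity.items() if value is None)


if __name__ == "__main__":
    for flag in (True, False):
        ident = resolve_identity(ID_TOKEN_CLAIMS, USERINFO_CLAIMS, flag)
        print(f"useClaimsFromIdToken={flag}: {ident} missing={missing_fields(ident)}")
    print("application token:", resolve_identity(APP_TOKEN_CLAIMS, {}, True))
```

With the flag set to false the sparse userinfo response leaves client_id and name empty, which is the situation the note above warns about; with it set to true all three fields are filled from the ID token, and the appid fallback still yields a subject for a token that carries no user.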

Applying the configuration to your cluster

Use Helm (see https://helm.sh/) to apply the configuration in your values.yml file to your Kubernetes cluster:

$ helm upgrade \
  --install \
  qliksense qlik/qliksense \
  -f values.yml

To confirm that your configuration has been applied, run helm get values to see the resolved configuration:

$ helm get values qliksense

devMode:
  enabled: true
engine:
  acceptEULA: "yes"
identity-providers:
  secrets:
    idpConfigs:
      - discoveryUrl: "https://adfs-host/adfs/.well-known/openid-configuration"
        clientId: "https://adfs.elastic.example/1234567890"
        clientSecret: "<client secret>"
        realm: "ADFS"
        hostname: "adfs.elastic.example"
        useClaimsFromIdToken: true
        claimsMapping:
          sub: ["sub", "appid"]
          client_id: "appid"
          name: "display_name"
      - issuerConfig:
          issuer: https://the-issuer
        primary: false
        realm: "ADFS"
        hostname: "adfs.elastic.example"
        staticKeys:
        - kid: "thekid"
          pem: |-
            -----BEGIN PUBLIC KEY-----
            MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEsMSxQjXxrvqoKSAREQXsr5Q7+/aetjEb
            OUHt8/Cf73WD56cb4QbHthALl5Ej4MUFOAL9imDmVQe58o9b1j5Zo16Rt1gjLDvd
            nqstc+PX4tyxqGadItJAOU3jka7jYghA
            -----END PUBLIC KEY-----
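Rather than reading the resolved values by eye, you can check them with a script, both on values.yml before running helm upgrade and on the helm get values output afterwards. The following is an added example, not Qlik's code and not part of this page: it scans the YAML as plain text for the placeholder values the page uses (adfs-host, https://the-issuer, thekid and any <...> token), confirms that useClaimsFromIdToken is true, and verifies that the staticKeys pem decodes to a SubjectPublicKeyInfo using a minimal DER reader. The embedded YAML is the relevant part of the example above, public key included; the "filled in" variant and its values are constructed.

```python
"""Pre-flight checks for the identity-providers section of values.yml.
Added example, not Qlik's code: finds placeholders that were never replaced,
checks useClaimsFromIdToken, and verifies that the staticKeys pem decodes to
a SubjectPublicKeyInfo, using a minimal DER reader (standard library only)."""
import base64
import re

PLACEHOLDERS = ("adfs-host", "https://the-issuer", "thekid")   # from the page
ANGLE_TOKEN = re.compile(r"<[^>\n]+>")                          # e.g. <client secret>
PEM_BLOCK = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)
OID_NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "ecPublicKey",
             "1.2.840.10045.3.1.7": "secp256r1", "1.3.132.0.34": "secp384r1"}

# Relevant lines of the page's values.yml, placeholders included.
EXAMPLE_VALUES = """\
identity-providers:
  secrets:
    idpConfigs:
      - discoveryUrl: "https://adfs-host/adfs/.well-known/openid-configuration"
        clientSecret: "<client secret>"
        useClaimsFromIdToken: true
      - issuerConfig:
          issuer: https://the-issuer
        staticKeys:
        - kid: "thekid"
          pem: |-
            -----BEGIN PUBLIC KEY-----
            MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEsMSxQjXxrvqoKSAREQXsr5Q7+/aetjEb
            OUHt8/Cf73WD56cb4QbHthALl5Ej4MUFOAL9imDmVQe58o9b1j5Zo16Rt1gjLDvd
            nqstc+PX4tyxqGadItJAOU3jka7jYghA
            -----END PUBLIC KEY-----
"""
# Constructed variant with every placeholder replaced (the values are made up).
FILLED_VALUES = (EXAMPLE_VALUES.replace("adfs-host", "sts.corp.example")
                 .replace("<client secret>", "constructed-secret")
                 .replace("https://the-issuer", "https://deployer.corp.example")
                 .replace("thekid", "deployer-key-1"))


def find_placeholders(text):
    """Return (line number, placeholder) for each placeholder still present."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        hits += [(n, p) for p in PLACEHOLDERS if p in line]
        hits += [(n, m.group(0)) for m in ANGLE_TOKEN.finditer(line)]
    return hits


def extract_pem_bodies(text):
    """Return the base64 body of each PUBLIC KEY block, whitespace removed."""
    return ["".join(body.split()) for body in PEM_BLOCK.findall(text)]


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(raw):
    """Decode a DER-encoded OID value into dotted notation."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, value = parts + [value], 0
    return ".".join(map(str, parts))


def describe_spki(b64_body):
    """Return (algorithm, parameters) names from a SubjectPublicKeyInfo."""
    der = base64.b64decode(b64_body, validate=True)
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, key_pos = _tlv(spki, 0)                   # AlgorithmIdentifier, then BIT STRING
    if tag != 0x30 or _tlv(spki, key_pos)[0] != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    tag, oid, param_pos = _tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("algorithm OID missing")
    params = None
    if param_pos < len(alg) and alg[param_pos] == 0x06:  # named curve for EC keys
        params = OID_NAMES.get(_oid(_tlv(alg, param_pos)[1]), "unknown")
    return OID_NAMES.get(_oid(oid), "unknown"), params


def check_values(text):
    """Return a list of problems; an empty list means the file looks ready."""
    problems = [f"line {n}: placeholder {p!r} not replaced" for n, p in find_placeholders(text)]
    if "useClaimsFromIdToken: true" not in text:
        problems.append("useClaimsFromIdToken is not set to true")
    bodies = extract_pem_bodies(text)
    if not bodies:
        problems.append("no PUBLIC KEY block under staticKeys")
    for body in bodies:
        try:
            describe_spki(body)
        except (ValueError, IndexError) as exc:
            problems.append(f"pem does not parse: {exc}")
    return problems
```

Run check_values on the text of your values.yml (or on the helm get values output) and apply the file only when it returns an empty list. The example public key on this page decodes to an EC key on secp384r1; a key pasted with a missing line or stray indentation fails the DER check rather than failing later at login time.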

Configure your hosts file

Note: This section is only relevant if <hostname> cannot be resolved through DNS.

For <hostname> to resolve, add the following lines to your /etc/hosts file:

127.0.0.1   <hostname>
::1         <hostname>

Log in to your tenant

You are now set to log in to your tenant with a user from your ADFS deployment. In your browser, go to https://<tenant address>; you should be redirected to an ADFS login page. After a successful login you reach the home page where apps are distributed to you.