Using Okta as an IdP for Qlik Sense Enterprise on Kubernetes
You can configure Qlik Sense Enterprise on Kubernetes (QSEoK) to use Okta as an identity provider.
After completing the steps, you will be able to log into a QSEoK tenant using an Okta user name and password as well as interact with the QSEoK tenant programmatically.
We assume that you are running QSEoK on a Mac that has Kubernetes running through Docker for Mac. Even without this exact configuration, you should be able to apply the same concepts when running Kubernetes in other supported ways.
Configuring QSEoK to use Okta IdP
Before you start, make sure you have the following:
An Okta app, configured with interactive login and programmatic access.
Configuration settings from your Okta application:
- discoveryUrl: The OpenID Connect Discovery URL which allows applications, such as QSEoK, to use Okta with minimal configuration.
- clientId: Uniquely identifies the client that is using Okta for authentication.
- clientSecret: Secret that the client uses along with the Client ID to use Okta for authentication.
You provide configuration to QSEoK by using a values.yml file. The values.yml file should look like the following example:
devMode:
  enabled: true
engine:
  acceptEULA: "yes"
identity-providers:
  secrets:
    idpConfigs:
      - discoveryUrl: "<OpenID Configuration from Application>"
        clientId: "<Client ID from Application>"
        clientSecret: "<Client Secret from Application>"
        realm: "<Name for this IdP>"
        hostname: "<Hostname for your QSEoK tenant>"
You need to enter the values for discoveryUrl, clientId, clientSecret, realm, and hostname.
In Okta, you can find your Client ID and Client secret under the General tab in the Client Credentials section for the application you created.
Applying the configuration to your cluster
Use Helm (see https://helm.sh/) to apply the configuration in your values.yml file to your Kubernetes cluster:
$ helm upgrade qliksense qlik/qliksense -f values.yml
To make sure that your configuration has been applied, run the get values command to see the resolved configuration:
$ helm get values qliksense
devMode:
  enabled: true
engine:
  acceptEULA: "yes"
identity-providers:
  secrets:
    idpConfigs:
      - discoveryUrl: "https://dev-<tenantid>.oktapreview.com/.well-known/openid-configuration"
        clientId: "<clientID code>"
        clientSecret: "<clientsecret code>"
        realm: "Okta"
        hostname: "<hostname>"
Configuring your hosts file
For <hostname> to resolve, add the following to your /etc/hosts file:
127.0.0.1 <hostname>
::1 <hostname>
Log in to your tenant
You are now set to log into your tenant. In your browser, go to https://<tenant address> and you should be redirected to an Okta login page. After a successful login you reach the home page where apps are distributed to you.
Adding programmatic configuration to QSEoK
You now need to add a second IdP configuration to QSEoK that points to the application and authorization server created above. Note that primary: true is added to the existing configuration you already had, and the new entry is marked primary: false.
devMode:
  enabled: true
engine:
  acceptEULA: "yes"
identity-providers:
  secrets:
    idpConfigs:
      - discoveryUrl: "https://dev-<tenantid>.oktapreview.com/.well-known/openid-configuration"
        clientId: "<client ID code>"
        clientSecret: "<client secret code>"
        realm: "Okta"
        hostname: "<hostname>"
        primary: true
      - discoveryUrl: "https://dev-<tenantid>.oktapreview.com/oauth2/<resource-server-id>/.well-known/openid-configuration"
        primary: false
        realm: "Okta"
        hostname: "<hostname>"
        claimsMapping:
          client_id: ["client_id", "cid"]
Use Helm to apply the updated configuration (saved here as values2.yml) to your Kubernetes cluster:
$ helm upgrade qliksense qlik/qliksense -f values2.yml
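The checks below are an added example, not Qlik or Okta code: they validate an idpConfigs list of the shape shown above before it is applied (one primary entry, no leftover "<...>" placeholders, https discovery URLs, credentials on the interactive entry), verify that a fetched discovery document's issuer matches its discovery URL as OpenID Connect Discovery requires, and show how the claimsMapping client_id: ["client_id", "cid"] resolves against an access token that carries only cid. The sample configuration values are constructed.

```python
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

def resolve_claim(claims, claims_mapping, name):
    """Pick the first token claim listed under `name` in claimsMapping. With
    client_id: ["client_id", "cid"], an Okta access token carrying only `cid`
    still yields a client id."""
    for candidate in claims_mapping.get(name, [name]):
        if candidate in claims:
            return claims[candidate]
    return None

def check_discovery(discovery_url, document):
    """OpenID Connect Discovery requires the issuer in the fetched document to equal
    the discovery URL minus the well-known suffix; a mismatch means the wrong server."""
    if not discovery_url.endswith(WELL_KNOWN):
        return False
    return document.get("issuer") == discovery_url[: -len(WELL_KNOWN)]

def check_idp_configs(configs):
    """Return a list of problems with an idpConfigs list; an empty list means consistent."""
    problems = []
    primaries = [c for c in configs if c.get("primary", False)]
    if len(primaries) > 1 or (len(configs) > 1 and not primaries):
        problems.append(f"need exactly one primary IdP, found {len(primaries)}")
    for i, cfg in enumerate(configs):
        for key in ("discoveryUrl", "realm", "hostname"):
            if not cfg.get(key):
                problems.append(f"idpConfigs[{i}]: missing {key}")
        url = urlparse(cfg.get("discoveryUrl", ""))
        if url.scheme != "https" or not url.path.endswith(WELL_KNOWN):
            problems.append(f"idpConfigs[{i}]: discoveryUrl is not an https OpenID discovery URL")
        # The interactive (browser login) entry must carry the Okta client credentials.
        if (cfg.get("primary") or len(configs) == 1) and not (cfg.get("clientId") and cfg.get("clientSecret")):
            problems.append(f"idpConfigs[{i}]: interactive IdP needs clientId and clientSecret")
        leftovers = [k for k, v in cfg.items() if isinstance(v, str) and v.startswith("<")]
        if leftovers:
            problems.append(f"idpConfigs[{i}]: placeholder still present in {leftovers}")
    return problems

# Constructed sample mirroring the two-entry idpConfigs on this page (all values fake).
SAMPLE_CONFIGS = [
    {"discoveryUrl": "https://dev-123456.oktapreview.com" + WELL_KNOWN, "primary": True,
     "clientId": "0oaexampleclient", "clientSecret": "example-secret", "realm": "Okta", "hostname": "qsek.local"},
    {"discoveryUrl": "https://dev-123456.oktapreview.com/oauth2/ausexample" + WELL_KNOWN, "primary": False,
     "realm": "Okta", "hostname": "qsek.local", "claimsMapping": {"client_id": ["client_id", "cid"]}},
]
```

Run check_idp_configs on the idpConfigs list parsed from your values file before the helm upgrade; an empty result means the file is structurally ready to apply.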