Skip to main content Skip to complementary content

OIDC configuration with Okta

OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. OIDC enables single sign-on (SSO) to reduce the number of times a user has to log on to access websites and applications. OIDC can be configured for authentication with third-party products.

Configuring Okta

Information noteBecause this configuration involves a third-party product, we cannot guarantee that the configuration is exactly as described here. Changes may occur in the third-party product, without our knowledge.
  1. Log in to https://www.okta.com/ with an admin account.

  2. Go to Security > API.

  3. In the Authorization Servers tab, select Add Authorization Server and enter the name, audience, and description for the Authorization Server.

    1. After creating the authorization server, go to Claims tab.

      1. Click Add Claim.

      2. Enter Name of the claim as groups.

      3. For Include in token type” dropdown, select ID Token and Always.

      4. Set Value type to Groups.

      5. Set Filter to Matches regex .*

      6. Click Create.

    2. Go to the Scopes tab.

      1. Open the Scopes tab.

      2. Click Add scope.

      3. Enter Name of the scope as groups.

      4. Select Include in public metadata.

      5. Click Create.

    3. Go to the Access Policies tab.

      1. Click Add Policy. Enter name and description for the new policy and keep Assign to set to All clients option. Click Create Policy.

      2. After the new policy is created, add a new rule for the policy by clicking Add Rule. Enter a rule name. Keep the default values as they are for all fields and click Create Rule.

    4. Note the Issuer URI which can be found in Settings tab of authorization server. This URI will be in the format: https://<yourOktaDomain>/oauth2/<authServerId>

      Information noteInstead of creating a new authorization server, the default authorization server available in Okta can be used by making the above-mentioned changes.
  4. In the top menu, select Applications.

  5. Click Add Application.

  6. Click Create New App.

  7. For Platform, select Web.

  8. For Sign on method, select OpenID Connect.

  9. Click Create.

    The configuration window appears.

  10. Name the app Qlik SenseOIDC configuration.

  11. Optionally, add a logo.

  12. For Login Redirect URIs, enter https://<QSEhostname>/<VirtualProxyPrefix>/oidcauthn.

    Information noteUse okta as the virtual proxy prefix.
  13. Click Save.

    The Application details page appears.

  14. Note down Client ID and Client secret, available under General > Client credentials.

  15. You must assign users to the app, so that they can use the connection that you have created. Click Assign to People and add users. Users must have an Okta account.

Creating and configuring the virtual proxy

  1. In the Qlik Management Console (QMC), open Virtual proxies.

  2. Click Create new Create new.

  3. In Properties, to the right, ensure that the sections Identification, Authentication, Load balancing, and Advanced are selected.

  4. Under Identification, enter okta for Description and Prefix.

  5. For Session cookie header name, add -okta at the end of the existing name so that it reads X-Qlik-Session-okta.

  6. For Authentication method, select OIDC.

  7. In the OpenID Connect metadata URI field, enter the noted Issuer URI from Okta's Authorization Server Settings in the following format: https://<yourOktaDomain>/oauth2/<authServerId>/.well-known/openid-configuration.

  8. Enter the noted Client ID and Client secret in the corresponding fields.

  9. For Realm, enter “okta”. Users added in the repository through OIDC authentication will have user directory name set to “okta”.

    Information noteIf the subject attribute value format is domainname\username, realm is optional. If not, realm is mandatory.
    The attributes sub, name, and email are mandatory. Other attributes are not mandatory, but must have a value. A configuration with empty attributes will generate an error.
  10. In the client_id field, change the value to aud.

  11. In the scope field, enter openid profile email.

    Information noteThe openid part is mandatory. Other scopes can be added, but must match what is set on the identity provider side.
  12. Under Load balancing nodes, click Add new server node.

  13. Select the engine nodes this virtual proxy will load balance connections to.

  14. Under Advanced, in the Host allow list section, click Add new value.

  15. Add the host name of Okta, that is, the same name that you entered for OpenID Connect metadata URI.

  16. Click Apply and then OK to restart the services.

  17. In the Associated items menu to the right, select Proxies.

  18. Click Link and link the virtual proxy to the proxy or proxies that will use this configuration.

    The proxy service is restarted.

Verify that the claims and scopes that you have configured in the IdP server are returned in claims_supported and scopes_supported tags when you select the OpenID Connect Metadata URI, https://{IdP_hostname}/.well-known/openid-configuration.

Example of returned values when accessing https://{IdP_hostname}/.well-known/openid-configuration

This completes the Okta configuration.

Information noteFor an example where a token is used for verification of attributes, see Qlik Sense: How to request an OIDC token manually and check if correct attributes are included (PowerShell)

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!