Using Okta as an IdP for Qlik Sense Enterprise on Kubernetes

You can configure Qlik Sense Enterprise on Kubernetes (QSEoK) to use Okta as an identity provider.

After completing the steps, you will be able to log into a QSEoK tenant using an Okta user name and password as well as interact with the QSEoK tenant programmatically.

We assume that you are running QSEoK on a Mac that runs Kubernetes using Docker for Mac. Even without this exact configuration, you should be able to apply the same concepts when running Kubernetes in other supported ways.

Configuring QSEoK to use Okta IdP

Before you start, make sure you have the following:

  • Okta account

  • Okta tenant

  • Okta app, configured with interactive login and programmatic access.

  • Configuration settings from your Okta application:

    • discoveryUrl: The OpenID Connect Discovery URL which allows applications, such as QSEoK, to use Okta with minimal configuration.
    • clientId: Uniquely identifies the client that is using Okta for authentication.
    • clientSecret: Secret that the client uses along with the Client ID to use Okta for authentication.
Note: Many of the code examples contain placeholder values that need to be replaced by your own values.

You provide configuration to QSEoK by using a values.yml file. The values.yml file should look like the following example:

devMode:
  enabled: true

engine:
  acceptEULA: "yes"

identity-providers:
  secrets:
    idpConfigs:
      - discoveryUrl: "<OpenID Configuration from Application>"
        clientId: "<Client ID from Application>"
        clientSecret: "<Client Secret from Application>"
        realm: "<Name for this IdP>"
        hostname: "<Hostname for your QSEoK tenant>"
       

You need to enter the values for discoveryUrl, clientId, clientSecret, realm, and hostname.

In Okta, you can find your Client ID and Client secret under the General tab in the Client Credentials section for the application you created.

Applying the configuration to your cluster

Use Helm (see https://helm.sh/) to apply the configuration in your values.yml file to your Kubernetes cluster:

$ helm upgrade qliksense qlik/qliksense -f values.yml 

To make sure that your configuration has been applied, run the helm get values command to see the resolved configuration:

$ helm get values qliksense
devMode:
  enabled: true
engine:
  acceptEULA: "yes"
identity-providers:
  secrets:
    idpConfigs:
      - discoveryUrl: "https://dev-<tenantid>.oktapreview.com/.well-known/openid-configuration"
        clientId: "<clientID code>"
        clientSecret : "<clientsecret code>"
        realm: "Okta"
        hostname: "<hostname>"

Configuring your hosts file

Note: This section is only relevant if there is no DNS.

For <hostname> to resolve, add the following to your /etc/hosts file:

127.0.0.1   <hostname>
::1         <hostname>

Log in to your tenant

You are now set to log into your tenant. In your browser, go to https://<tenant address> and you should be redirected to an Okta login page. After a successful login you reach a home page to which apps are distributed.

Adding programmatic configuration to QSEoK

You now need to add an IdP configuration to QSEoK that points to the application and authorization server created above. Note that primary: true has also been added to the existing configuration entry.

devMode:
  enabled: true

engine:
  acceptEULA: "yes"

identity-providers:
  secrets:
    idpConfigs:
      - discoveryUrl: "https://dev-<tenantid>.oktapreview.com/.well-known/openid-configuration"
        clientId: "<client ID code>"
        clientSecret: "<client secret code>"
        realm: "Okta"
        hostname: "<hostname>"
        primary: true
      - discoveryUrl: "https://dev-<tenantid>.oktapreview.com/oauth2/<resource-server-id>/.well-known/openid-configuration"
        primary: false
        realm: "Okta"
        hostname: "<hostname>"
        claimsMapping:
          client_id: ["client_id", "cid"]

 

Use Helm to apply the updated configuration file (values2.yml in this example) to your Kubernetes cluster:

$ helm upgrade qliksense qlik/qliksense -f values2.yml
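
Both idpConfigs entries depend on the document served at their discoveryUrl, so that document is worth checking before running helm upgrade. The Python check below is an added example, not part of the Qlik or Okta documentation: it applies the OpenID Connect Discovery rule that issuer must equal discoveryUrl without the /.well-known/openid-configuration suffix. The host idp.example.test, the authorization server ID aus-constructed, the function names and the sample metadata are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url, document):
    """Return a list of problems; an empty list means the metadata is consistent."""
    if not discovery_url.endswith(SUFFIX):
        return [f"discoveryUrl does not end with {SUFFIX}"]
    expected_issuer = discovery_url[: -len(SUFFIX)]
    try:
        meta = json.loads(document)
    except json.JSONDecodeError:
        return ["response is not JSON (login or error page?)"]
    if not isinstance(meta, dict):
        return ["response is not a JSON object"]
    problems = []
    for key in REQUIRED:
        value = meta.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"missing {key}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not an https URL")
    # OpenID Connect Discovery: the issuer must be exactly the URL the
    # document was fetched from, minus the well-known suffix.
    issuer = meta.get("issuer")
    if isinstance(issuer, str) and issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != expected {expected_issuer!r}")
    return problems

def sample_metadata(issuer, scheme="https"):
    """Constructed metadata for the demo, not a real Okta response."""
    base = issuer.replace("https", scheme, 1)
    return json.dumps({
        "issuer": issuer,
        "authorization_endpoint": f"{base}/v1/authorize",
        "token_endpoint": f"{base}/v1/token",
        "jwks_uri": f"{base}/v1/keys",
    })

# Constructed placeholders shaped like the two discoveryUrl values on this page.
ORG = "https://idp.example.test"
CUSTOM = "https://idp.example.test/oauth2/aus-constructed"

if __name__ == "__main__":
    print(check_discovery(ORG + SUFFIX, sample_metadata(ORG)))
    print(check_discovery(CUSTOM + SUFFIX, sample_metadata(ORG)))
```

To use it against your own tenant, pass the body fetched from each discoveryUrl in values.yml as the document argument.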