
Setting up ADFS

ADFS (Active Directory Federation Services) is Microsoft's authentication and authorization platform. In this setup it acts as an OpenID Connect identity provider that authenticates users against Active Directory and issues an id_token to Qlik Sense.

You can configure ADFS as an identity provider (IdP) for use with Qlik Sense Enterprise on Kubernetes (QSEoK) and Qlik Sense Enterprise on Windows (QSEfW). You will create an application group, a server application, and a Web API to be used for interactive login (QSEoK). You will also map claims from Active Directory to the ID token.

Creating required ADFS resources for QSEoK for interactive logins

To set up ADFS for QSEoK, you need an application group that contains a server application (the OpenID Connect client) and a Web API (the relying party whose claim rules shape the id_token).

Note: The following procedures are examples using ADFS 10. Please review the ADFS documentation for more information and latest instructions.

Adding an application group and creating a server application

Do the following:

  1. Open the Add Application Group Wizard.

  2. Enter a name for the application group.

  3. For Template, select Server application.

  4. Click Next.

    The Server application page is opened.

  5. Enter a name for the application.

    Example: 1234567890

  6. Enter a client identifier for the application and note it down; it is used as the client ID in the Qlik Sense IdP configuration.

    Example: https://adfs.elastic.example/1234567890

    Note: In this example, https://adfs.elastic.example is the tenant domain and 1234567890 is a unique identifier for the application. The client identifier must be a URL, not the GUID that the wizard fills in by default: ADFS only includes custom claims in the id_token for applications with URL identifiers, and the same value is reused later as the Web API identifier so that ADFS treats the server application and the Web API as one relying party. See Customize claims to be emitted in id_token when using OpenID Connect or OAuth with AD FS 2016.
  7. For Redirect URI, set the redirect URL to the login callback for the tenant, in the format https://<host>/login/callback. ADFS compares the redirect_uri sent by the tenant with this value exactly, so scheme, host, path, and the presence or absence of a trailing slash must all agree.

    Example: https://adfs.elastic.example/login/callback

  8. Optionally, enter a description.

  9. Click Next.

    The Configure Application Credentials page is opened.

  10. Select Generate a shared secret and note down the secret; ADFS does not display it again. You will use it as the client secret, so store it in a secret manager rather than in a plain-text file or ticket.

  11. Finish the wizard.

Adding a web API to the application group

You will add a web API to the application group that you created.

Do the following:

  1. Open the application group you created earlier.

  2. Select Add application > Web API.

  3. For Identifier, enter the same client ID that you gave the server application. The Web API identifier must match the client ID; otherwise ADFS does not add the custom claims to the id_token.

  4. Click Next.

    The Choose Access Control Policy page is opened.

  5. Apply a policy and click Next.

    The Configure Application Permissions page is opened.

  6. For Permitted scopes, select the following: allatclaims, email, openid, and profile.

  7. Finish the wizard.

Configure claims for the id_token

Do the following:

  1. Open the application group, edit the web API that you created, and open the Issuance Transform Rules tab.

  2. Create a rule from the rule template Send LDAP Attributes as Claims.

  3. Select Active Directory as the attribute store.

  4. Add the claim mappings. The outgoing claim types groups and display_name are not in the drop-down list, so type them in.

  5. Map the LDAP attribute Token-Groups - Unqualified Names (tokenGroups) to the outgoing claim type groups.

  6. Map the LDAP attribute Display-Name (displayName) to the outgoing claim type display_name.

  7. Finish the claims mapping.
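The three procedures above (application group and server application, Web API, issuance transform rules), done with the AD FS PowerShell cmdlets instead of the wizards, so the configuration is repeatable and reviewable. This is an added example and is not code from the Qlik documentation or from Microsoft. The host adfs.elastic.example and the identifier 1234567890 are the page's placeholders; the group and application names, the "Permit everyone" access control policy, and the rule name are assumptions to replace for your environment. Run it in an elevated PowerShell session on the federation server.

```powershell
# Added example (not Qlik's or Microsoft's code): the GUI procedures above done
# with the AD FS module. Assumed values: host adfs.elastic.example, application
# id 1234567890, group/application names, policy "Permit everyone".
Import-Module ADFS

$tenantHost  = 'adfs.elastic.example'                 # Qlik Sense tenant host (page placeholder)
$appId       = '1234567890'                           # unique application identifier (page placeholder)
$groupName   = "QlikSense-$appId"                     # assumed application group name
$clientId    = "https://$tenantHost/$appId"           # must be a URL, not a GUID
$redirectUri = "https://$tenantHost/login/callback"   # must match the tenant's redirect_uri exactly

# 1. Application group.
New-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName | Out-Null

# 2. Server application with a generated shared secret. The secret is only
#    present on the object returned here and cannot be read back from AD FS,
#    so hand it to your secret manager straight away.
$serverApp = Add-AdfsServerApplication -Name "$groupName - Server application" `
    -ApplicationGroupIdentifier $groupName `
    -Identifier $clientId `
    -RedirectUri $redirectUri `
    -GenerateClientSecret
$clientSecret = $serverApp.ClientSecret

# 3. Issuance transform rule equivalent to the "Send LDAP Attributes as Claims"
#    template: tokenGroups -> groups, displayName -> display_name.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Qlik Sense claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("groups", "display_name"), query = ";tokenGroups,displayName;{0}", param = c.Value);
'@

# 4. Web API whose identifier equals the client ID, so AD FS treats the server
#    application and the Web API as one relying party and emits the custom
#    claims in the id_token. "Permit everyone" is an assumed built-in policy;
#    use a narrower one in production.
Add-AdfsWebApiApplication -Name "$groupName - Web API" `
    -ApplicationGroupIdentifier $groupName `
    -Identifier $clientId `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $issuanceRules | Out-Null

# 5. Permitted scopes. allatclaims is what lets the custom claims reach the id_token.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId `
    -ScopeNames 'allatclaims', 'email', 'openid', 'profile'

# 6. Check: identifiers match and both custom claim mappings are present.
$webApi = Get-AdfsWebApiApplication -Name "$groupName - Web API"
if ($webApi.Identifier -notcontains $clientId) {
    throw 'Web API identifier does not match the server application client ID'
}
if ($webApi.IssuanceTransformRules -notmatch 'tokenGroups' -or
    $webApi.IssuanceTransformRules -notmatch 'displayName') {
    throw 'Issuance transform rules are missing the groups/display_name mapping'
}

# Values for the Qlik Sense IdP configuration. The client secret is kept in
# $clientSecret and deliberately not printed; write it to a vault.
[pscustomobject]@{
    ClientId    = $clientId
    RedirectUri = $redirectUri
}
```

If the check in step 6 throws, nothing was lost: rerun Set-AdfsWebApiApplication with the corrected -Identifier or -IssuanceTransformRules rather than deleting the group, since the server application's secret cannot be regenerated without issuing a new one.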