Creating a new identity provider configuration
Qlik Cloud provides identity provider (IdP) configuration for user login, API access, and multi-cloud setup. Each Qlik Cloud tenant supports one interactive IdP such as Qlik Account, Microsoft Entra ID (formerly Azure AD), OKTA, Auth0, or another IdP compliant with OpenID Connect (OIDC) or Security Assertion Markup Language (SAML).
Tenant administrators can create various IdP configurations from the Administration activity center:
-
For user login, configure an interactive IdP. Choose between OIDC or SAML, depending on the supported standard of your identity provider.
Information note-
Only one interactive IdP can be active at a time. If you deploy your custom interactive IdP, it will replace the Qlik Account login flow with the authentication process defined by your chosen IdP.
-
Handling SSO failures for your corporate IdP must be configured through your identity provider. Qlik Cloud does not support configuring a fallback redirect URL.
-
-
For seamless multi-cloud identity management, configure a Multi-cloud IdP with your local bearer token.
Creating a new interactive OIDC IdP configuration
Tenant administrators can create new IdP configurations. You can only have one single interactive IdP at a time. If you already have an active one, you need to first deactivate it before you can activate the new one. For more information, see Changing corporate IdP configurations.
This topic describes how to configure the identity provider settings in Qlik Cloud. You also need to make configurations on the identity provider side. For a walk-through of those configurations, refer to the following resources:
Do the following:
-
In the Administration activity center, go to Identity provider and click Create new.
-
For Type, select OIDC.
-
For Provider, select an identity provider from the list, or choose Generic if your specific provider is not listed.
-
Optionally, enter a description for the IdP configuration.
-
Under Application credentials, you can enter the discovery URL. If a discovery URL is not available or does not give proper metadata, you also have the option to manually enter individual values. Manual configuration should be used only when a discovery URL has not been entered.
Do one of the following:
-
Enter the discovery URL. This is the URL to the endpoint that provides configuration data for the OAuth clients to interface with the IdP using the OpenID Connect protocol. The naming conventions for the discovery URL vary based on your chosen provider:
-
ADFS: ADFS discovery URL
-
Auth0: OpenID configuration
-
Keycloak: Keycloak OpenID endpoint configuration
-
Okta or Generic IdP: OpenID Connect metadata URI
-
Salesforce: Salesforce discovery URL
-
or
-
Select Manual configuration.
-
Enter the following values:
-
Authorization endpoint: The URL for interaction with the resource owner, where you get the authorization to access the resource.
-
End session endpoint (optional): The URL used to trigger a single sign-out.
-
Introspection endpoint (optional): The URL to validate reference tokens or JWTs.
-
Issuer: The URL to the identity provider.
-
JWKS URI: The URI to the JSON Web Key Set containing public keys used for verification of a JSON Web Token (JWT).
-
Token endpoint: The URL to get an access token.
-
User info endpoint (optional): The URL to get user information.
-
-
-
Enter the Client ID: The ID of the configured client at the IdP for interactive user authentication.
-
Enter the Client secret: The secret for the client configured at the IdP.
-
Optionally, enter a Realm. This is the name to associate with the IdP. It is the same as the domain name in Qlik Sense Enterprise on Windows and it is used for naming consistency in multi-cloud.
-
Fill in the fields under Claims mapping.
Claims are statements (name/value pairs) about the entity (in many cases the user) and metadata about the OpenID Connect service. Mappings are available for sub, name, groups, email, client_id, picture, and email_verified (optional).
Information note-
You can enter multiple lookup values, separated by a comma, in the input fields. The first non-null value found will be used.
-
The groups claim is needed to receive groups. Note that nested groups are not supported in Microsoft Entra ID.
-
-
Optionally, configure the advanced options. For more details, see Advanced options.
-
Click Create.
A confirmation dialog appears with the option to validate the IdP configuration.
-
To validate now, select Validate IdP and click Create. This will initiate the validation process. Follow the steps in the validation wizard to perform a login and verify that the user profile data is correct.
-
If you prefer to create the configuration now but validate it later, clear the Validate IdP checkbox and click Create. You can validate later by clicking on your IdP configuration and selecting Validate.
-
Adding your tenant URL to the identity provider allowlist
At your identity provider, add your tenant URL to the allowlist. There are different names for this setting, for example, Allowed Callback URLs, Redirect URI, or Login redirect URI.
When you add the URL, you need to append login/callback to your tenant address, as in https://<tenant name>/login/callback.
Advanced options
The advanced options provide additional capabilities for certain identity providers.
Email verified override
Enable this setting to always set the email_verified claim to 'true'. This ensures that email addresses can be used for identity mapping in ADFS and Microsoft Entra ID. It is particularly useful when switching IdPs and helps distinguish between users with identical names in the Administration activity center.
Scope
Scopes define the access privileges that are requested when issuing an access token, according to the OAuth 2.0 specification. Enter values separated by spaces to specify the permissions you want to request from the identity provider. For example, include a groups scope if the IdP requires it to support user group features.
Post logout redirect URI
Use this field to specify a URI to which users will be redirected after logging out. For detailed instructions, see Using post logout redirect URI.
Block offline_access
When using Google Identity or OneLogin as the identity provider, enable this setting to block passing the offline_access scope to the identity provider. This ensures that the configuration works correctly with Qlik Sense Mobile SaaS and OAuth 2.0 applications.
ID token signature algorithm
The RSA signature algorithm ensures the authenticity and integrity of ID tokens. Qlik Cloud supports two options:
-
RS256 (default)
-
RS512
Select algorithm based on your security needs.
Token signature verification and decryption
Generate key pairs to verify signatures and decrypt encrypted JSON Web Tokens (JWT). For detailed instructions, see Managing key pairs for signed and encrypted ID tokens.
Creating a new interactive SAML IdP configuration
Tenant administrators can create new IdP configurations. You can only have one single interactive IdP at a time. If you already have an active one, you need to first deactivate it before you can activate the new one. For more information, see Changing corporate IdP configurations.
This topic describes how to configure the identity provider settings in Qlik Cloud. You also need to make configurations on the identity provider side. For a walk-through of those configurations, refer to the following topics:
Do the following:
-
In the Administration activity center, go to Identity provider and click Create new.
-
For Type, select SAML.
-
For Provider, select an identity provider from the list, or choose Generic if your specific provider is not listed.
-
Optionally, enter a description for the IdP configuration.
-
Under Configuration, you have the option to either upload the SAML XML metadata from your identity provider or manually enter individual values.
Do one of the following:
-
Select Use IdP metadata.
-
Click Upload file under SAML IdP metadata and choose the file containing metadata from your identity provider. Alternatively, if your identity provider metadata isn't available as a file, you can copy and paste the metadata directly in the IdP metadata field.
or
-
Click Upload file under Signing certificates to upload the certificate file.
This is the certificate used by the identity provider to sign the SAML assertions sent to Qlik Cloud. -
Enter the Entity ID of your identity provider.
-
Enter the Single sign-on URL.
This is the endpoint where the SAML authentication requests are sent. It is the URL to which the user is redirected for authentication.
-
Select a Name ID format.
-
-
Optionally, select Enable IdP-initiated login.
The default login flow is that the user first goes to Qlik Cloud and is then redirected to the IdP for authentication. Enable IdP-initiated login if you want the user to first login to the identity provider and then be redirected to Qlik Cloud.
-
Modify the fields under Claims mapping or keep the default values.
Claims mappings define how user attributes from your identity provider are associated with fields in the Qlik Cloud user model. Mappings are available for sub, name, email, groups, and picture. Adjust the values to fit your organization's needs and the attributes from your identity provider.
Information note-
You can enter multiple lookup values, separated by a comma, in the input fields. The first non-null value found will be used.
-
The groups claim is needed to receive groups. Note that nested groups are not supported in Microsoft Entra ID.
-
-
Optionally, configure Post logout redirect URI under Advanced options.
This it used to redirect a user to a defined URI after logout. For an example of how to use post logout redirect URI, see Using post logout redirect URI.
-
Click Create.
A confirmation dialog appears with the option to validate the IdP configuration.
The SAML service provider metadata and signing certificate are available only after creating the IdP configuration. If you need this information to set up the identity provider, you can create the IdP without validation initially, and validate once the configuration at your identity provider is completed.
-
To validate now, select Validate IdP and click Create. This will initiate the validation process. Follow the steps in the validation wizard to perform a login and confirm that the user profile data is valid.
-
If you prefer to create the configuration now but validate it later, clear the Validate IdP checkbox and click Create. You can validate later by clicking on your IdP configuration and selecting Validate.
-
Uploading the service provider metadata to your identity provider
Do the following:
-
In the Administration activity center, on your newly created IdP configuration, click and select View provider configuration.
A dialog shows the service provider metadata and the URL to the metadata endpoint.
-
Depending on the setup at your identity provider, either download the metadata file or copy the URL and save it for later use. Download the signing certificate file, if needed. Click Done.
-
At your identity provider, enter the service provider metadata. Ensure to configure the following required settings:
-
Assertion Consumer Service (ACS) URL. This is where the identity provider sends the SAML assertions after authentication.
-
Entity ID of the service provider.
-
The certificate for validating authentication requests. This is used by the identity provider to verify the authenticity of the service provider.
-
-
Once the configuration at your identity provider is complete, you can validate your IdP configuration in the Administration activity center. Click on your configuration and select Validate. Follow the steps in the validation wizard to perform a login and verify that the user profile data is correct.
Enabling auto-creation of groups
Groups are used to control user access and can be automatically created from IdP groups. When auto-creation of groups is enabled, groups are inherited from the identity provider so that access can be granted to the same groups of users that exist in the IdP. This simplifies access administration compared to granting access to one user at a time.
As users log in, new IdP groups dynamically appear in Qlik Cloud. These groups are not imported all at the same time; rather, IdP groups are discovered during the login process. Only the groups associated with Qlik Cloud users are available.
To configure groups, you must use single sign-on and have administrative access to your IdP.
Do the following:
- In the Administration activity center, go to the Settings page.
- Under Feature control, select Creation of groups.