Setting up Okta

Okta is an authentication and authorization platform.

This topic describes how to set up Okta as an identity provider (IdP) for use with Qlik Sense Enterprise for elastic deployments and Qlik Sense Enterprise for Windows (QSEfW).

You will create the following:

  • an application for interactive login (QSE for elastic deployments)
  • a configuration for programmatic use of Okta

Creating an Okta application and user for QSE for elastic deployments for interactive logins

Create an Okta application and a user. An Okta application allows an application (QSEfW, Qlik Cloud Services (QCS), or QSE for elastic deployments) to use Okta for authentication.

We assume that you have an Okta account and tenant created.

Note: When you install Qlik Sense Enterprise for Windows with Multi-Cloud, you must use a developer account for Okta; see Okta Developer.

Creating a user

Create a user in Okta. You can skip this step if you have already created users.

Do the following:

  1. Fill in first name and last name.

  2. Username: Use your email address as the user name.

  3. Primary email: Same as Username.

  4. For Password, select Set by admin.

  5. Enter a password for the new user.

  6. Optionally, clear the selection User must change password in first login.

Creating a new application in Okta

Create a new application in Okta, a tenant for QSE for elastic deployments.

Do the following:

  1. In Okta, go to Applications and click Add Application.

  2. For Platform, select Web and click Next.

  3. Enter a name for the app.

  4. Enter a base URI.

    Note: This is the IP address or server name from your QSE for elastic deployments environment. Example: https://40.118.9.61

  5. Enter a login redirect URI.

    As for the base URI, you use the IP address or server name from your environment. Example: https://40.118.9.61/login/callback

  6. In the Grant type allowed section, for client acting on behalf of itself, select Client Credentials.

  7. Click Done.

Configuration for programmatic access

Configure Okta to support programmatic use (in this case, distribution to QSE for elastic deployments or QCS).

Creating an Okta API resource server and application for programmatic access

In Okta, you create a new Resource Server API. In this case, the Okta Resource Server API represents the protected QSE for elastic deployments resource API. In OAuth terms, you need to configure Okta for the Client Credentials Grant flow.

First, create a new Authorization Server (under the API tab) for your tenant.

Do the following:

  1. In the top menu, select API.

  2. Open Authorization Servers.

  3. Click Add Authorization Server.

  4. Fill in name, audience (must be qlik.api), and description.

  5. Save the API.

  6. Open the Scopes tab.

  7. Click Add Scope tab.

  8. Enter a name and description, and select Set as default scope.

  9. Click Create.

  10. Open the Access Policies tab.

  11. Click Add Policy.

  12. For name and description, enter Grant Clients.

  13. For Assign to, keep the selection All clients.

  14. Click Create Policy.

  15. Click Add Rule.

  16. Enter a name for the rule.

  17. Clear the selections under Client acting on behalf of a user.

  18. Click Create Rule.

Creating an Okta application for programmatic authentication

Just like you created an Okta application for interactive logins above, you will now create an Okta application for programmatic authentication.

Do the following:

  1. In the Okta top menu, open Applications.

  2. Click Add Application.

  3. For Platform, select Service and click Next.

  4. Enter a name for the app.

  5. Click Done.
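
The Client Credentials Grant flow configured above, as an added example that is not part of the original Qlik documentation: it builds the token request a service application would send and checks that a returned access token matches the setup (audience qlik.api, the service app's client ID, the scope created earlier). The Okta domain, authorization server ID, client credentials and scope name are placeholders, and the token endpoint path and the `cid`/`scp` claim names are assumed from Okta's standard OAuth 2.0 behavior.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

EXPECTED_AUDIENCE = "qlik.api"  # audience the page requires on the authorization server


def build_token_request(okta_domain, auth_server_id, client_id, client_secret, scope=None):
    """Build (without sending) the Client Credentials token request for the service app."""
    form = {"grant_type": "client_credentials"}
    if scope:  # can be omitted when the scope was set as the default scope
        form["scope"] = scope
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    url = f"https://{okta_domain}/oauth2/{auth_server_id}/v1/token"
    headers = {"Authorization": f"Basic {basic}", "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    return Request(url, data=urlencode(form).encode(), method="POST", headers=headers)


def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_claims(claims, client_id, scope):
    """Return a list of mismatches between the token and the setup; empty means OK."""
    aud = claims.get("aud")
    problems = []
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud is {aud!r}, expected {EXPECTED_AUDIENCE!r}")
    if claims.get("cid") != client_id:
        problems.append("cid does not match the service application's client ID")
    if scope not in claims.get("scp", []):
        problems.append(f"scope {scope!r} was not granted")
    return problems


def sample_token(claims):
    """Constructed, unsigned token for the offline demo (not a real Okta token)."""
    parts = [json.dumps(p).encode() for p in ({"alg": "none"}, claims)]
    return ".".join(base64.urlsafe_b64encode(p).decode().rstrip("=") for p in parts) + "."


if __name__ == "__main__":
    req = build_token_request("example.okta.com", "AUTH_SERVER_ID", "CLIENT_ID", "CLIENT_SECRET")
    print(req.get_method(), req.full_url, req.data.decode())
    wrong = {"aud": "other.api", "cid": "CLIENT_ID", "scp": ["example.scope"]}  # constructed
    print(check_claims(jwt_claims(sample_token(wrong)), "CLIENT_ID", "example.scope"))
```

The claim check is a setup sanity test only; the resource API that accepts the token must still verify its signature and expiry against the authorization server's keys.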