https://community.qlik.com/t5/Management-Governance/Integrating-AD-Users-with-Okta-SSO/m-p/1620769#M14574 <P>Hi,</P><P>We are having similar problem but with reverse item.</P><P>QMC and Virtual Proxies are set to use email address. But whenever User logins through okta authentication, account with SAMAccountName (short user ID) are being created. It use to work and only email address use to create, but after upgrading to Qliksense 2019 we started noticing that duplicate account with Short User ID are being created. I checked the configuration and it seems to be fine. Could you tell me if there is anything else I need to check.</P><UL><LI>QMC--&gt; Pulls email address and CORP through ODBC SQL tables.</LI><LI>Virtual Proxy--&gt; OKTA SAML<UL><LI>User ID: email</LI><LI>User directory : [CORP]</LI></UL></LI></UL><P>But accounts are created as followings</P><OL><LI>useremail@company.com</LI><LI>UserID</LI></OL><P>Anyway to getrid of 2nd duplicate account i.e UserID account.</P><P>More info on another thread I have created below.</P><P>&nbsp;</P><P><A href="https://community.qlik.com/t5/New-to-Qlik-Sense/Duplicate-Users-Issue-Network-Short-Name-and-Email-Address/td-p/1620231" target="_blank">https://community.qlik.com/t5/New-to-Qlik-Sense/Duplicate-Users-Issue-Network-Short-Name-and-Email-Address/td-p/1620231</A></P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Chandru</P><P>&nbsp;</P> Fri, 06 Sep 2019 00:25:54 GMT chandrasjr 2019-09-06T00:25:54Z https://community.qlik.com/t5/Management-Governance/Integrating-AD-Users-with-Okta-SSO/m-p/1336115#M9867 <HTML><HEAD></HEAD><BODY><P>Environment:&nbsp; Qlik Sense Enterprise 3.0.0</P><P></P><P>We use Okta for single sign-on, and all Okta accounts for internal users are sourced from Active Directory (domain = CORP).&nbsp; The user ID used by most of our SSO-enabled applications is Email Address.&nbsp;&nbsp; </P><P></P><P>I have created a User Directory Connector for our CORP AD domain with a filter to only synchronize users in the group 'Okta-Qlik-Users'.&nbsp;&nbsp; This is working fine and the accounts created in Qlik have a User ID equal to the Windows logon name (SAMAccountName).</P><P></P><P>We now want to use Okta SSO with Qlik Sense.&nbsp; I have followed the instructions for creating a virtual proxy to integrate with Okta and have tested it successfully.&nbsp; The problem is that when a user logs into Qlik using Okta SAML it creates another user account using their email address as the User ID and 'OKTA' as the User Directory.&nbsp; </P><P></P><P><IMG alt="Users - QMC_2017-06-08_09-48-56.png" class="jive-image image-1" src="/legacyfs/online/166212_Users - QMC_2017-06-08_09-48-56.png" style="height: 78px; width: 620px;" /></P><P>Instead of creating a new account we would like to simply map the Okta SAML login to the user's existing AD account.&nbsp; Is there a way to do that?</P><P></P><P>Thanks,</P><P></P><P> Michael Mongeau</P><P> IT Applications Manager</P><P> Stratus Technologies</P></BODY></HTML> Thu, 08 Jun 2017 13:55:05 GMT https://community.qlik.com/t5/Management-Governance/Integrating-AD-Users-with-Okta-SSO/m-p/1336115#M9867 Anonymous 2017-06-08T13:55:05Z https://community.qlik.com/t5/Management-Governance/Integrating-AD-Users-with-Okta-SSO/m-p/1336116#M9868 <HTML><HEAD></HEAD><BODY><P>Hi Michael,</P><P></P><P>You can achieve the following requirement.</P><P>Basic Two Things you need here:</P><P>The user ID and user Directory values should be same.</P><P>same means:</P><P>When you login or pulled users from UDC</P><P>and</P><P>When you login from OKTA using</P><P>If both cases matches then same user is refereed in Qlik Sense Database.</P><P></P><P></P><P>1.SAML attribute for user ID</P><P style="font-size: 13.3333px;">By asking the SSO admin (Here OKTA Guys) to send the required user <SPAN style="font-size: 13.3333px;">attribute</SPAN> Value as an attribute in SAML Response.</P><P style="font-size: 13.3333px;">Same attribute you can configure it in Virtual Proxy as SAML attribute for user ID.</P><P style="font-size: 13.3333px;">here:</P><P style="font-size: 13.3333px;">May be SAM-Account-Name is used not sure.(Your proxy configuration and AD attributes will provide the mapping here)</P><P></P><P><SPAN style="font-size: 13.3333px;">2.SAML attribute for user directory:</SPAN></P><P>By asking the SSO admin (Here OKTA Guys) to send the required User Directory Value as an attribute <SPAN style="font-size: 13.3333px;">in SAML Response.</SPAN></P><P>Same attribute you can configure it in Virtual Proxy as SAML attribute for user directory.</P><P>here:</P><P>domain = CORP</P><P></P><P></P><P>This is only based on login of the user.</P><P>But if you have some some security rules written utilizing the groups info received from UDC pulling data directly from AD.</P><P>Then we need to send those groups info also in SAML Response matching the groups info received from UDC.</P><P></P><P></P><P>Thanks,</P><P>Suraj</P></BODY></HTML> Tue, 13 Jun 2017 06:40:29 GMT https://community.qlik.com/t5/Management-Governance/Integrating-AD-Users-with-Okta-SSO/m-p/1336116#M9868 Suraj_Lal 2017-06-13T06:40:29Z https://community.qlik.com/t5/Management-Governance/Integrating-AD-Users-with-Okta-SSO/m-p/1336117#M9869 <HTML><HEAD></HEAD><BODY><P>Thanks so much for the suggestion.&nbsp; Here is how I got it working.</P><P></P><P>In the Okta Qlik SAML application:</P><P></P><UL><LI>on the Sign On tab set the username format to 'AD SAM Account Name'</LI><LI>on the General tab added a custom attribute called 'username' and set it to 'appuser.userName'</LI></UL><P></P><P>In the Qlik Virtual Proxy for Okta, in the Authentication section:</P><P></P><UL><LI>set SAML attribute for User ID = username</LI><LI>set SAML attribute for user directory = [CORP]</LI></UL><P></P><P>I decided to just use a static attribute for the user directory name since I do not expect it to change. </P><P></P><P>&nbsp; Michael</P></BODY></HTML> Tue, 13 Jun 2017 15:46:01 GMT https://community.qlik.com/t5/Management-Governance/Integrating-AD-Users-with-Okta-SSO/m-p/1336117#M9869 Anonymous 2017-06-13T15:46:01Z https://community.qlik.com/t5/Management-Governance/Integrating-AD-Users-with-Okta-SSO/m-p/1620769#M14574 <P>Hi,</P><P>We are having similar problem but with reverse item.</P><P>QMC and Virtual Proxies are set to use email address. But whenever User logins through okta authentication, account with SAMAccountName (short user ID) are being created. It use to work and only email address use to create, but after upgrading to Qliksense 2019 we started noticing that duplicate account with Short User ID are being created. I checked the configuration and it seems to be fine. Could you tell me if there is anything else I need to check.</P><UL><LI>QMC--&gt; Pulls email address and CORP through ODBC SQL tables.</LI><LI>Virtual Proxy--&gt; OKTA SAML<UL><LI>User ID: email</LI><LI>User directory : [CORP]</LI></UL></LI></UL><P>But accounts are created as followings</P><OL><LI>useremail@company.com</LI><LI>UserID</LI></OL><P>Anyway to getrid of 2nd duplicate account i.e UserID account.</P><P>More info on another thread I have created below.</P><P>&nbsp;</P><P><A href="https://community.qlik.com/t5/New-to-Qlik-Sense/Duplicate-Users-Issue-Network-Short-Name-and-Email-Address/td-p/1620231" target="_blank">https://community.qlik.com/t5/New-to-Qlik-Sense/Duplicate-Users-Issue-Network-Short-Name-and-Email-Address/td-p/1620231</A></P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Chandru</P><P>&nbsp;</P> Fri, 06 Sep 2019 00:25:54 GMT https://community.qlik.com/t5/Management-Governance/Integrating-AD-Users-with-Okta-SSO/m-p/1620769#M14574 chandrasjr 2019-09-06T00:25:54Z https://community.qlik.com/t5/Management-Governance/Integrating-AD-Users-with-Okta-SSO/m-p/1746065#M16709 <P>Thank you for this.&nbsp; Solved my issue with duplicate accounts.</P> Tue, 22 Sep 2020 14:40:52 GMT https://community.qlik.com/t5/Management-Governance/Integrating-AD-Users-with-Okta-SSO/m-p/1746065#M16709 david_smee 2020-09-22T14:40:52Z