Changing IdP Autentication - Qlik Sense SaaS

rob_insley — Thu, 29 Feb 2024 10:34:45 GMT

My client wishes to change their current IdP Authentication in Qlik Sense SaaS. Current they login using their Network login but this is going to be changed to use an email address.

EMail Address is a an existing Claim attribute so I am trying to understand what the process will be to change the iDP Authentication and a whether existing users will somehow get automatically mapped when the new IdP is configured. Having a single tenancy means we do not have a Qlik Sense SaaS Environment to try out the change so that we can fully identify the potential impacts.

I understand it will be a 2 step process-

Step 1 . Revert to Qlik Account Authentication and ensure we have the recovery account to be able to re-login.

Step 2. Configure the new IdP Authentication

So after configuring and establishing the new iDP Authentication we need to understand the impact to understand if we will need to re-establish all Spaces permissions to the new users or whether the new users will inherit the existing permissions by automated mapping via email?

HAs anyone done something similar?

Re: Changing IdP Autentication - Qlik Sense SaaS

Levi_Turner — Thu, 29 Feb 2024 14:52:54 GMT

Let's start out with how a user is identified in Qlik Cloud. Let's take this user's record:

In tabular format, the user is:

User ID (created by Qlik)	User Subject (from your IDP)	User Email (from your IDP)	User Name (from your IDP)
65e093f29fac8999db04512e	856bcab5-64db-4aa1-bce8-d90e98d322c2	levi.turner@demo.dev	Levi Turner

User records in Qlik Cloud have dual primary keys: subject and email. This means, if your IDP changes the user's subject or the user's email, the user's Qlik Cloud identity will remain the same. If you change both the user's subject and email, Qlik Cloud will treat this as a new user. In my example user, I can change the email like so:

User ID (created by Qlik)	User Subject (from your IDP)	User Email (from your IDP)	User Name (from your IDP)
65e093f29fac8999db04512e	856bcab5-64db-4aa1-bce8-d90e98d322c2	levi.turner2@demo.dev	Levi Turner

Or I can change the subject like so:

User ID (created by Qlik)	User Subject (from your IDP)	User Email (from your IDP)	User Name (from your IDP)
65e093f29fac8999db04512e	BrandNewSubject	levi.turner2@demo.dev	Levi Turner

If I change both, then I will have a new user:

User ID (created by Qlik)	User Subject (from your IDP)	User Email (from your IDP)	User Name (from your IDP)
65e093f29fac8999db04512e	BrandNewSubject	levi.turner2@demo.dev	Levi Turner
65e0984ad099feece9adaead	856bcab5-64db-4aa1-bce8-d90e98d322c1	levi.turner@demo.dev	Levi Turner

So back to your questions:

> So after configuring and establishing the new iDP Authentication we need to understand the impact to understand if we will need to re-establish all Spaces permissions to the new users or whether the new users will inherit the existing permissions by automated mapping via email?

After configuring and establishing the new IDP, you should ensure either the user's subject or email is the same. This will ensure that the user is considered the same to Qlik Cloud. From there,

any permissions set by user name will automatically inherit. Ownership of apps, automations, sheets, data connections will all work seamlessly

But access by name isn't the only way to provide access, groups can be used.

any permissions set by groups will automatically inherit assuming that the new IDP also sends the same groups. If the old IDP sent 3 groups and the new IDP sends the same 3 groups, this will work. If the groups change names or aren't being sent, then this access will break

In this space:

If I continue to send the group "Domain Admins", then an IDP change on Qlik Cloud will not be problematic. If the new IDP doesn't send "Domain Admins", then I would need either grant access to the space via the new group or by user name.

Re: Changing IdP Autentication - Qlik Sense SaaS

rob_insley — Fri, 01 Mar 2024 10:28:14 GMT

Thanks Levi for the detailed breakdown and explanation. This has been really useful. Thanks, Rob

topic Re: Changing IdP Autentication - Qlik Sense SaaS in Management & Governance

Changing IdP Autentication - Qlik Sense SaaS

Re: Changing IdP Autentication - Qlik Sense SaaS

Re: Changing IdP Autentication - Qlik Sense SaaS