topic Re: Set alternate claim for the mapped sub in Azure in Integration, Extension & APIs

Set alternate claim for the mapped sub in Azure

eyalnir_qlik — Thu, 15 Feb 2024 07:38:59 GMT

Hi,

We set OIDC authentication with azure in SaaS, as default we authenticate as "sub" it's exposing inside the claim sub "UserId", which cause for duplicate license use, the customer have unified license.

since we authenticate with OnPREM environment as "name" claim attribute with SAML, we aimed to have both authenticate as "name".

https://community.qlik.com/t5/Official-Support-Articles/How-to-match-users-between-Qlik-Sense-Client-Managed-and-Qlik/tac-p/2413459#M12469

https://community.qlik.com/t5/Support-Updates/OpenID-Connect-configuration-in-Qlik-Cloud-Services-Ex...

we tried to create alternate claim an "name" for the mapped sub with no success, it seems that "sub" claim of OIDC can't have filled with other claim such as "name".

we need advise how to do so, the article above didn't elaborate much

hope someone can advise

Thanks

Eyal

@Damien_V @Albert_Candelario

Re: Set alternate claim for the mapped sub in Azure

Damien_V — Thu, 15 Feb 2024 07:41:58 GMT

Hello @eyal
You should be able to use a different claim by just specifying it in the "sub" field in the Identity provider configuration in the Qlik Cloud console.

When you log in with the user that has the issue, what do you see when you open

https://tenantname.eu.qlikcloud.com/api/v1/diagnose-claims ? Do you see the claim you've specified listed in the ClaimsFromIdP section?

https://community.qlik.com/t5/Official-Support-Articles/Qlik-Cloud-How-to-see-if-claims-for-USER-and-GROUPS-are-passing/ta-p/1938548

Re: Set alternate claim for the mapped sub in Azure

eyalnir_qlik — Wed, 18 Dec 2024 14:10:47 GMT

Hi @Damien_V

You can see below in "internalClaims" the "sub": "Axxx@xxxx.co.il" (which seems correct) but in "claimsFromIdp" "sub": "GepTdu327M6MPBU206LQQbxLrv2iV8dG_olVNlFKg1k" (Difference from internalClaims ) it cause for duplicate license use.

we aimed that both authenticate sub will set as "Axx@xxx.co.il"

*************************************************************************************************************

"subType": "user",
"internalClaims": {
"sub": "Axxx@xxx.co.il",
"tenantId": "_ZZHqcIecaxxxRb-ySwGxvk0mruRv0um",
"subType": "user",
"userId": "657eade8b11b11084ff3e157",
"encodedPermissions": "data&colon;application/vnd.qlik.permissions;base64,AQBL/////9//////+/8P/+//v/3////Piigef4gH////Af///d/h///////////////////////////////9//////////Cv////e/AD/////////ff/////2/////////v/x/////////44",
"level": "admin",
"name": "Axx Bxi",
"email": "Antonb@xxx.co.il",
"email_verified": true,
"userTag": "1707981153",
"sid": "HnBeuCvaJqTwRK0D7BUrsPlMai0xaWzGh4bdfo3zQDY=",
"jti": "bJDFbRyStM-EqF83VhBBQ_UGnj5ABlTl",
"iat": 1707985256,
"exp": 1707911156,
"aud": "qlik.api.internal",
"iss": "qlik.api.internal"
},
"claimSource": "id-token",
"claimsFromIdp": {
"aud": "f9726de1-bb96-111a-8bce-5def1811ca28",
"iss": "https://login.microsoftonline.com/9c70d10e-03a6-4f14-b491-e6319ca91ae7/v2.0",
"iat": 1707984112,
"nbf": 1707984112,
"exp": 1707988112,
"aio": "AWQAm/8VAAAALO2pHjBI5W6Nk5fU93lPyHQT0nrLSBqTQjGA8D//NiZsTjF8wj33E2IDWgfhkIy3ntCzcrnMKWyqOR+1VnX70EJAOaTiIUeuedCZCLvSx1b0oSOxIF2Z9DlI4",
"email": "Axx@xxx.co.il",
"family_name": "xxski",
"given_name": "Axx",
"name": "Axxx Bxx",
"nonce": "Ts6a6E3cFXrezXGcrA1yNAyD85hvCIoCA_TQPg-pGBs",
"oid": "0a7202d0-eb59-4c25-a5d6-de350136e20d",
"preferred_username": "Axx@xxx.co.il",
"rh": "0.AQoADtFwnKYDFE-0keYxnKka5-FtcvmWu9pBi85d7xh2yigKABQ.",
"sub": "GepTdu327M8MPBU245LQQbxLrv2iV8dG_olVNlFKg1k",
"tid": "9c70d10e-03a6-4f14-b491-e6319ca91ae7",
"upn": "Axx@xxx.co.il",
"uti": "HE5qvXexkU-Ni0YkUg-4AQ",
"ver": "2.0"
},
"extraClaims": {},
"mappedClaims": {
"sub": "Axx@xxx.co.il",
"name": "Axx Bxx",
"email": "Axx@xxx.co.il",
"email_verified": true
}
}

Re: Set alternate claim for the mapped sub in Azure

Damien_V — Wed, 21 Feb 2024 08:48:57 GMT

Hi @eyalnir_qlik

"internalClaims" is post processed claimed by Qlik Cloud, which in your case is "Antonb@xxxx.co.il" "claimsFromIdp" is raw claims from IdP, so it looks you've overwritten the sub correctly, there's nothing wrong with how the product behaves here.

However if you're trying to match user names on your on-premise Qlik Sense environment, the "sub" claim should not only contain the username but also the domain.
Basically what you see in Qlik Client Client Managed (on-premise) in the "Users" screen you have "User Directory" and "User Id", both of those elements should be in "sub"(IdP subject) when in Qlik Cloud.

Example:
User Directory: DOMAIN

User Id: User1

You're expected to have the below in Qlik Cloud to avoid duplicate licenses

sub: DOMAIN\\User1

If your user ID in Client managed is already Antonb@xxx.co.il, then the easiest way is to add your domain name in the "Realm" field in the Identity Provider configuration in Qlik Cloud.

Best regards,