article How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP. Now with Groups! in Official Support Articles

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

ergustafsson — Tue, 09 Jun 2020 12:03:14 GMT

Hi Jeff,

I hope all is well. Awesome guide, we set this up a couple of months ago and got it to work. We intended to sync multicloud to a onprem solution (where we have SAML auth). In general, works fine, but when we use the QSEoCS at x.eu.qlikcloud.com there is no identity mapping from the on-prem solution. So users exists with the same credentials (sub) as DOMAIN\user@domain.com on both on-prem and cloud, but when deploying apps to a cloud environment the apps don't get any ownership, which is a bit annoying. When setting up the idp on QSEoCS it actually says "The email claim is not valid. The identity mapping feature will not work for the users in the tentant" which would explain the behavior. Any idea of a workaround to actually hard-core/manually add the claim "email_verified" as true? It appears to be the only thing missing.

Cheers,

Erik

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

AlexOmetis — Fri, 12 Jun 2020 15:53:00 GMT

Very similar issue as @ergustafsson ...

We are working through changing a customer from one Azure AD tenant to another. Changing IdP in QSEoCS is apparently fairly seamless as long as the email addresses of the new & old users match. However with this config, the email addresses, whilst passed in the authentication process, don't show in the user list and this seems to be a problem. I assume this must be to do with the missing email_verified field. Is there any way to manually add a mapping for this like you would with SAML or similar? I find it weird there's no box to map a claim to that field - although perhaps since it's part of the underlying OpenID Connect spec it's meant to be included by default.

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

sfbi — Mon, 29 Jun 2020 18:57:12 GMT

Does anyone was able to retrieve users email and picture from the azure AD?

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

AlexOmetis — Tue, 30 Jun 2020 10:05:16 GMT

@sfbi No - I wasn't able to get email address or picture. The email address appears to be to do with the lack of email_verified field coming from Azure. I haven't managed to figure out if it's possible to send a static value as part of the auth process for this, so email addresses can show in QSE SaaS... As for pictures, I haven't looked but assume it's a similar issue with it not being passed by Azure.

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

ergustafsson — Tue, 30 Jun 2020 10:49:29 GMT

I wasn't either. I added a support case but nothing they could do, so I added an idea. Feel free to upvote it:

https://community.qlik.com/t5/Ideas/Modify-claims-in-Identity-Mapping/idi-p/1723386

If you have any input on the actual "idea", please let me know.

Cheers

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

Jeffrey_Goldberg — Tue, 30 Jun 2020 11:14:29 GMT

@ergustafsson and @AlexOmetis I've been trying to figure out if there is a way in Azure to add an email_verified claim. And I found one! But... it adds a prefix in the claim name "extn." Here's the document: https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

@ergustafsson I commented on your idea and it's a good place to put it.

This issue along with groups is aggravating for me as much as I know it is for you. We are researching what the art of the possible is without a large amount of customization per IdP.

I hate to say stay tuned so I'll say "keep a sharp eye". If you see something that may work let me know!

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

sfbi — Tue, 30 Jun 2020 13:29:19 GMT

Email:
I was able to get the email with "email" claim. Still, IDP config won't create user with the current email. All auth user emails are set as null.

Profile Picture:
It look likes azure ad doesn't support profile picture as claim.
https://stackoverflow.com/questions/39936877/microsoft-openid-login-flow-picture-access

picturePhoto is supported using MicrosoftGraph only:
https://graph.microsoft.com/v1.0/me/photo/$value

have no idea on how to get it working on IDP...

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

sfbi — Tue, 30 Jun 2020 17:05:22 GMT

@Jeffrey_Goldberg

I suggest you to add at the top of this How To, the advise about SESSION ACCESS... it is an important step that is described on help, but some people (like myself) might ignore prior to implement the IdP.

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

Jeffrey_Goldberg — Tue, 30 Jun 2020 20:53:24 GMT

@sfbi if I play it back you mean changing the SUB to something a bit more friendly than the actual subject. Like Email or something else. Good feedback to add to the considerations section.

thanks,

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

sfbi — Wed, 01 Jul 2020 13:18:17 GMT

@Jeffrey_Goldberg
Here is an example on Users MC page. The first line is the new user create from the Azure AD IdP (no email) and the second line is the "old" QlikID user created before implement the IdP...

It's not affecting the usability, but when you need to add a lot of users, it might get a lit bit complicated to manage it by users Names instead users Emails.

What I don't understand is why I'm getting the email from the email claim, and its not been set as user email on the MC User page.

Also, I added the folowing API permissions at Azure AD.

Thank you

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

Jeffrey_Goldberg — Wed, 01 Jul 2020 13:40:01 GMT

The email isn't mapping because Azure AD does not send a specific claim named "email_verified". This is a claim Qlik Sense SaaS is expecting and not getting, therefore, no mapping your email to the user account created.

We are working on adding the ability to specify the claim that represents "email_verified" so the mapping will work properly. No timeframes of course but I do have an appreciation for the urgency to implement this in SaaS.

The other thing is from your screenshot is you are showing permissions, but not the optional claims you are sending. You need to send the email as an optional claim AND the "primary_verified_email" claim as an optional claim. Once we have the customization in platform (described above) you will be able to tell Qlik Sense IdP config to look for "primary_email_verified" as the claim for email_verified.

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

sfbi — Wed, 01 Jul 2020 13:49:30 GMT

ok now I got it... all claims are set correctly and I'm geeting it at the diagnose

"verified_primary_email":["henrique@....."]

as ...api/v1/diagnose-claims

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

sfbi — Mon, 06 Jul 2020 17:43:03 GMT

@Jeffrey_Goldberg

is it on the roadmap to allow anonymous user on SaaS?

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

ergustafsson — Sun, 23 Aug 2020 09:48:29 GMT

Did anybody figure out a workaround or a solution?

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

sfbi — Wed, 09 Sep 2020 21:45:56 GMT

Updated configuration now enables to set the email_verified on the IDP config.
email_verified

PS:
for current users to get the appropriate email address at the users table (MC) and be able to be notified by emails, you'll need to exclude the current users and ask them to login again as a new user after updating the IDP config. After you'll need to allocate again spaces authorizations. (at least that was the only way for me).

user tab MC

That's not a good idea if you need to exclude app owners as you'll need to reset app ownership on the MC (App Tab) and republish all apps on manage spaces as you can't change it's ownership within the MC. So if you do, do it carefully.

Users IDP Entity remains the same after the new login, so you won't need to update any table used on section access (if its the case).

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

ergustafsson — Fri, 11 Sep 2020 09:10:07 GMT

Nice!

I noticed that too. But using "verified_primary_email" still doesn't make Azure AD provide proper identity mapping. I belive "email_verified": true needs to be in the claims. I can verify at https://xx.eu.qlikcloud.com/api/v1/diagnose-claims that there no such attribute. Any ideas?

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

sfbi — Fri, 11 Sep 2020 13:21:16 GMT

your are not getting the email_verified claim on the diagnose?

I'm getting both email and primary and

"email_verified":["henrique@xxxxxxx"]

"verified_primary_email":["henrique@xxxxxxxx"]

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

ergustafsson — Fri, 11 Sep 2020 13:51:02 GMT

I do. And that works to add, but it doesn't help with the identity mapping for Azure AD. Tried to sync an app and it loses the owner.

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

sfbi — Fri, 11 Sep 2020 18:16:17 GMT

understood... same here, no idea on how to manage it too...

Re: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

Jeffrey_Goldberg — Fri, 11 Sep 2020 19:52:13 GMT

Hi folks, allow me to chime in here. You've stumbled upon the first phase of addressing the email_verified problem some identity providers have with Qlik Sense SaaS configuration. Qlik requires email_verified as a claim in the OIDC handshake because we want to make sure the email is indeed unique and the email intended to be supplied with the credential sent from the IdP.

The email_verified input has been added to the configuration to help you point to a custom claim that you would create in your IdP that would map the custom claim to the email_verified attribute required by Qlik's OIDC implementations.

With respect to Azure AD, just because we've added the input doesn't mean Azure AD will now surface this attribute. In fact, Azure AD will not because Azure AD does not have this claim to send, full stop.

What you can do is add what is called an extension attribute to your app registration (link: https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0) and then send this as an optional claim using the optional claims configuration in the app registration. You would then map this custom claim to the email_verified input in the Qlik Sense SaaS IdP config for Azure AD.

screenshot of azure ad:

While doable, it's an inelegant solution.

I feel this is a bit clunky, so I've asked our R&D team to investigate implementing a toggle that will set email_verified to true when using AzureAD.

This toggle, in addition to adding group resolution from AzureAD object ids from an Azure AD menu item in the IdP config will be available in the not too distant future.

When it becomes available, I will update the document.

Cheers,

Jeff G