https://community.qlik.com/t5/Official-Support-Articles/Security-Rules-Fail-For-SSO-SAML-Users-and-The-Group-or-Other/ta-p/1715208 <P>When a user authenticates with SAML/JWT/Ticket, security rules based on the attributes from the SSO provider do not work and the attributes are not visible in the QMC under the User record.</P> <H4><FONT color="#339966"><STRONG>Environment</STRONG></FONT></H4> <UL> <LI>Qlik Sense Enterprise, all versions</LI> </UL> <P>&nbsp;</P> <P>When a user authenticates with SAML, a list of attributes will be given to Qlik Sense based on what is set up in the virtual proxy.&nbsp; The attributes depend on the implementation.<BR /><BR /><IMG src="https://qlik.my.salesforce.com/servlet/servlet.ImageServer?id=015D0000003sAvG&amp;oid=00D20000000IGPX&amp;lastMod=1491979583000" border="0" alt="User-added image" width="600" /></P> <P><BR />However, these User attribute(s) returned from the SSO provider are<I> <STRONG>only kept for the user session</STRONG></I> and are <STRONG><I>not stored/persisted in the Qlik Sense Repository Database</I></STRONG>. Therefore, they do not appear in the QMC like attributes synchronized via a UDC connection (data which <I>is&nbsp;</I>persisted to the database).<BR />&nbsp;</P> <H3>Resolution:</H3> <P>&nbsp;</P> <OL> <LI>Reference the attributes via&nbsp;<SPAN><I>user.<U>environment</U>.[attribute name]</I></SPAN> (not <SPAN>user.[attribute name]</SPAN>)</LI> <LI>View the exact attributes returned from the SSO provider by examining the logs:<BR /><BR /> <OL class="lia-list-style-type-lower-alpha"> <LI>Set the Proxy Audit Logs to the DEBUG level<BR /><BR /><IMG src="https://qlik.my.salesforce.com/servlet/servlet.ImageServer?id=015D0000003sAvL&amp;oid=00D20000000IGPX&amp;lastMod=1491979611000" border="0" alt="User-added image" /></LI> <LI>After enabling debug logging, the&nbsp;(Trace/Audit) Proxy logs will reveal the extracted attribute(s). No restart is required.&nbsp;<BR /><BR />The default location for this log is in <FONT face="courier new,courier">C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\servername_Proxy_audit.txt</FONT><BR /><BR />Example&nbsp;<SPAN>Headers that will be injected:<BR /><BR /><FONT face="courier new,courier">[X-Qlik-Security, OS=Windows; Device=Default; Browser=Firefox 50.0; IP=fe80::f0bf:12cb:47cd:2086%14; ClientOsVersion=6.3; SecureRequest=true; Context=AppAccess;<STRONG> <U>role=Domain+Users; role=group5;</U></STRONG> ] || [X-Qlik-User, UserDirectory=DOMAIN; UserId=user5] || [X-Qlik-ProxySession, b29118dd-4539-4742-ad65-fe307eb10b54] || [X-Qlik-ProxyId, ProxyId=38daa8e0-5330-4581-9f40-49d7418b858f; Prefix=adfs] || [X-Qlik-Trace, cf2e0117-ee82-4d26-bba8-b781fc4ef19e:::]</FONT></SPAN></LI> </OL> </LI> </OL> Mon, 12 Jan 2026 12:00:55 GMT Damien_V 2026-01-12T12:00:55Z https://community.qlik.com/t5/Official-Support-Articles/Security-Rules-Fail-For-SSO-SAML-Users-and-The-Group-or-Other/ta-p/1715208 <P>When a user authenticates with SAML/JWT/Ticket, security rules based on the attributes from the SSO provider do not work and the attributes are not visible in the QMC under the User record.</P> <H4><FONT color="#339966"><STRONG>Environment</STRONG></FONT></H4> <UL> <LI>Qlik Sense Enterprise, all versions</LI> </UL> <P>&nbsp;</P> <P>When a user authenticates with SAML, a list of attributes will be given to Qlik Sense based on what is set up in the virtual proxy.&nbsp; The attributes depend on the implementation.<BR /><BR /><IMG src="https://qlik.my.salesforce.com/servlet/servlet.ImageServer?id=015D0000003sAvG&amp;oid=00D20000000IGPX&amp;lastMod=1491979583000" border="0" alt="User-added image" width="600" /></P> <P><BR />However, these User attribute(s) returned from the SSO provider are<I> <STRONG>only kept for the user session</STRONG></I> and are <STRONG><I>not stored/persisted in the Qlik Sense Repository Database</I></STRONG>. Therefore, they do not appear in the QMC like attributes synchronized via a UDC connection (data which <I>is&nbsp;</I>persisted to the database).<BR />&nbsp;</P> <H3>Resolution:</H3> <P>&nbsp;</P> <OL> <LI>Reference the attributes via&nbsp;<SPAN><I>user.<U>environment</U>.[attribute name]</I></SPAN> (not <SPAN>user.[attribute name]</SPAN>)</LI> <LI>View the exact attributes returned from the SSO provider by examining the logs:<BR /><BR /> <OL class="lia-list-style-type-lower-alpha"> <LI>Set the Proxy Audit Logs to the DEBUG level<BR /><BR /><IMG src="https://qlik.my.salesforce.com/servlet/servlet.ImageServer?id=015D0000003sAvL&amp;oid=00D20000000IGPX&amp;lastMod=1491979611000" border="0" alt="User-added image" /></LI> <LI>After enabling debug logging, the&nbsp;(Trace/Audit) Proxy logs will reveal the extracted attribute(s). No restart is required.&nbsp;<BR /><BR />The default location for this log is in <FONT face="courier new,courier">C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\servername_Proxy_audit.txt</FONT><BR /><BR />Example&nbsp;<SPAN>Headers that will be injected:<BR /><BR /><FONT face="courier new,courier">[X-Qlik-Security, OS=Windows; Device=Default; Browser=Firefox 50.0; IP=fe80::f0bf:12cb:47cd:2086%14; ClientOsVersion=6.3; SecureRequest=true; Context=AppAccess;<STRONG> <U>role=Domain+Users; role=group5;</U></STRONG> ] || [X-Qlik-User, UserDirectory=DOMAIN; UserId=user5] || [X-Qlik-ProxySession, b29118dd-4539-4742-ad65-fe307eb10b54] || [X-Qlik-ProxyId, ProxyId=38daa8e0-5330-4581-9f40-49d7418b858f; Prefix=adfs] || [X-Qlik-Trace, cf2e0117-ee82-4d26-bba8-b781fc4ef19e:::]</FONT></SPAN></LI> </OL> </LI> </OL> Mon, 12 Jan 2026 12:00:55 GMT https://community.qlik.com/t5/Official-Support-Articles/Security-Rules-Fail-For-SSO-SAML-Users-and-The-Group-or-Other/ta-p/1715208 Damien_V 2026-01-12T12:00:55Z https://community.qlik.com/t5/Official-Support-Articles/Security-Rules-Fail-For-SSO-SAML-Users-and-The-Group-or-Other/tac-p/2514326#M15684 <P>Thanks for the article!</P><P>I'm having some problems, though, while trying to use the new field in a security rule.</P><P>I've mapped the SAML field I receive to environment.group and it's detected correctly. If I go to Users and click the information of the user, a lot of environment.group appear for that user with the groups I need. But when I create a security rule trying to use the new user.environment.group, and I put the value as received (as I see it in the user's description), the rule doesn't work. I tried to use an "=" for the condition and tried different cases, also tried to use LIKE and combine the complete name of the group or a partial one with * and the rule doesn't work.</P><P>Is there a way to see why the rule doesn't apply? The claim mapping is working correctly.</P><P>Regards</P> Mon, 14 Apr 2025 20:35:30 GMT https://community.qlik.com/t5/Official-Support-Articles/Security-Rules-Fail-For-SSO-SAML-Users-and-The-Group-or-Other/tac-p/2514326#M15684 jpbartolomeo1 2025-04-14T20:35:30Z https://community.qlik.com/t5/Official-Support-Articles/Security-Rules-Fail-For-SSO-SAML-Users-and-The-Group-or-Other/tac-p/2520783#M15932 <P><a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/29425">@Damien_V</a>&nbsp; <A href="https://community.qlik.com/t5/user/viewprofilepage/user-id/28597" target="_blank" rel="noopener"><SPAN class="">@Sonja_Bauernfeind</SPAN></A></P><P><SPAN class=""><SPAN>We are currently in the process of integrating our Qlik system with OKTA SSO and have a couple of questions regarding this integration. Specifically, we would like to verify whether it is possible to populate the "Name" field and if we can also populate custom properties on user accounts through a SAML attribute assertion.</SPAN></SPAN></P><P><SPAN class=""><SPAN>We've encountered this issue while trying to configure SAML attributes mapping in Qlik QMC. We've attempted to set different values for user id, email, names, etc. However, despite these efforts, the update only appears in the proxy logs and is not reflected in QMC. The QMC seems to be populating the name field solely with the value we have for user Id, completely ignoring the configurations we've made in the SAML attributes mapping. Please let us know. Thanks</SPAN></SPAN></P> Tue, 10 Jun 2025 20:44:18 GMT https://community.qlik.com/t5/Official-Support-Articles/Security-Rules-Fail-For-SSO-SAML-Users-and-The-Group-or-Other/tac-p/2520783#M15932 yeheyies 2025-06-10T20:44:18Z https://community.qlik.com/t5/Official-Support-Articles/Security-Rules-Fail-For-SSO-SAML-Users-and-The-Group-or-Other/tac-p/2520793#M15934 <P><a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/182427">@yeheyies</a>&nbsp;</P> <P>It's not possible to populate the name (display name) with a SAML attribute, please see</P> <P><A href="https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-Is-it-possible-to-use-a-SAML-attribute-for-the/ta-p/1712576" target="_blank">https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-Is-it-possible-to-use-a-SAML-attribute-for-the/ta-p/1712576</A></P> <P>&nbsp;</P> Wed, 11 Jun 2025 01:21:15 GMT https://community.qlik.com/t5/Official-Support-Articles/Security-Rules-Fail-For-SSO-SAML-Users-and-The-Group-or-Other/tac-p/2520793#M15934 Damien_V 2025-06-11T01:21:15Z