Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
AlexOmetis
Partner Ambassador
Partner Ambassador

Avoiding duplication of users between QSE Client Managed and SaaS

We have a licence that includes both Client Managed and Saas (but not multi-cloud).

We have configured both environments to use the same Identity Provider (Azure AD) - following some helpful guides on the topic.

We want our users to be able to access either environment but of course only want them to use up one licence.

In the initial setup from Azure AD the SaaS version uses "sub" as the identifier which is a GUID from Azure AD as far as I can tell - whereas Client Managed uses the email address.

So I changed the SaaS version to use email address as the "sub" to try and get them to line up.

However when you look in SaaS the licence allocation shows User IDs in the format DIRECTORY\user.name@domain.com for all Client Managed allocations but just user.name@domain.com for all SaaS allocations meaning they're still duplicated.

When you look in Client Managed the SaaS licence allocations (and users) show with Directory of UNKNOWN.

I tried changing the directory name to UNKNOWN (in both User Directory Connector - which had to be changed to Generic LDAP - and Virtual Proxy) but this doesn't remove the duplication.

I tried setting a blank directory in the Virtual Proxy (or just []) but this isn't allowed - it won't save.

I looked at adding the on-prem version of the user ID (DOMAIN\user.name) to the Azure AD claims for SaaS but it's not an option in the Token configuration for a user - although weirdly it's a simple click for groups (link). I could look at extensions for Azure AD to get that detail to come through (see here) but that seems like overkill. 

Am I crazy or is this a pretty fundamental issue with synchronising users & licences across environments? Am I missing something? Is it because Azure AD isn't fully supported in SaaS yet? Does it work with other providers? 

Qlik Partner Ambassador 2024
Labels (6)
1 Solution

Accepted Solutions
agigliotti
Partner - Champion
Partner - Champion

Hi @AlexOmetis  ,

Could you try to set USER DIRECTORY (from QSE on premise) as Realm in your SaaS idP settings?
Please let me know if that solve the issue.
Best Regards
Andrea

View solution in original post

6 Replies
agigliotti
Partner - Champion
Partner - Champion

Hi @AlexOmetis  ,

Could you try to set USER DIRECTORY (from QSE on premise) as Realm in your SaaS idP settings?
Please let me know if that solve the issue.
Best Regards
Andrea

AlexOmetis
Partner Ambassador
Partner Ambassador
Author

Awesome - thanks @agigliotti - I hadn't spotted that box and probably wouldn't have thought of that before. Looks like it's working! 

Qlik Partner Ambassador 2024
heosupplink
Contributor II
Contributor II

How can I achieve the same thing, but if  I did my installation using the local bearer token?

AlexOmetis
Partner Ambassador
Partner Ambassador
Author

The local bearer token is for Machine-to-Machine communication in a multi-cloud setup right? I haven't tried to set that up myself, but don't you still need user authentication as well as the M2M authentication and therefore you'd follow the same/similar steps? 

Qlik Partner Ambassador 2024
marcos_herrera
Partner - Creator III
Partner - Creator III

Hi Dear @agigliotti 

Thanks for the answer, i have the same situation, but with an aAuth0 IdP, i made the changes to guarantee that QSE Client Managed User has the same User ID (auth0|5d83da2d459ce60dfff658c1) and User Directory (UNKNOWN) that Qlik Cloud, on cloud worked fine, the user can Access with Profesional Token assigned, but on  QSE Client Managed, the hub show the same error when does not have license, if you check the user in License Management, the profesional license are allocated to  User ID (auth0|5d83da2d459ce60dfff658c1) and on User section (QMC QSE Client Managed) are not duplicated the users.

Can you suggest me any solution or idea please?

marcos_herrera
Partner - Creator III
Partner - Creator III

Hello dear @heosupplink @AlexOmetis 

Thank you very much for the answer, I read all the suggested articles and finally I made a test lab with Azure AD, but adapting it to Auth0, under what the article mentions, I got the user in Cloud (auth0|5d83da2d459ce60dfff658c1) , was the same as Client Managed (auth0|5d83da2d459ce60dfff658c1) and in the case of Client Managed remained UNKNOW user directory. I also configured in the Client Managed multitenant console the deployment to cloud with Local bearer token with its respective IdP in Cloud, I tried instead of Local bearer token, to use IdP Integration, but it always gave me an error.

The problem I have is that although both users have the same ID (auth0|5d83da2d459ce60dfff658c1) and are in the same directory (UNKNOW), when assigning the license in Client Managed to that user, it says that he has no access to open apps or create apps, that is the same error message when a user has no license assigned.

Can you suggest me any solution or idea please?