Just to confirm, you are trying to set up Google Cloud Platform as IDP for your Qlik SaaS tenant?
Here are the steps which I followed:
- Login to Google Cloud Platform (GCP) and hit Select a project
- Give it a name like QlikSaaSIDP and create it.
- Jump to the OAuth consent screen as part of the panel menu APIs & Services.
- Select External.
Remark: Customer running their business in Google Workspace will probably select Internal here...
- Enter a app name such as QlikSaaS. Select a support email adress (based on your registered user(s)), limit the access to this app by specifying qlikcloud.com as authorized domain and add email addresses of your choice as Developer contact information,
- Hit Save and continue.
- Now you can specify the scope permissions. By default the scopes profile, email and openid are required to successfully register a user in Qlik SaaS.
- Hit add or remove scopes to open the scope selection screen.
- Select the first three "non sensitive" scopes email, profile and openid.
- Hit Update at the bottom of the screen.
- Afterwards these three scopes should appear in the section of non-sensitive scopes.
Hit Save and continue.
- The optional info part on the next screen can be neglected.
it Save and continue.
- Check the summary and complete the app creation process by hitting back to dashboard.
- Next, switch to the menu Credentials and hit Create Credentials.
- Choose OAuth client ID.
- Select Web application in the dropdown menu.
- Enter a name for the application such as Qlik2GCP and enter your SaaS tenant URL extended by the postfix login/callback in the section Authorized redirect URIs.
- Save by hiting Create.
- A Client ID and Client Secret will be generated. Copy it to an editor for later use.
- Hit Ok.
- That's it on the GCP side. Now flip to your Qlik SaaS tenant.
Let's continue with the Qlik SaaS part
- To enable the IDP in QSE SaaS login with a tenant admin and jump to the cloud admin console.
- Open identity provider in the configuration section and create a new one.
- Select Type Interactive and provider Generic. Optionally, enter a description.
- Among application credentials you refer to the discovery endpoint of your GCP authorization server as OpenID Connect metadata URI.
- The Discovery document for Google's OpenID Connect service can be retrieved from https://accounts.google.com/.well-known/openid-configuration.
- Next insert the required Client ID and Client Secret from the previously created GCP application Qlik2GCP.
- The realm setting is optional but can be meaningful to set when you run a Qlik multicloud environment and you want to homogenize license usage across all Qlik Sense Site such as QSE SaaS and QSE on Windows. So you can enter here the user directory attribute you have set in the SAML configuration for a GCP IDP on QSE on Windows - such as Google.
- Moving forward to the claim settings the sub attribute is critical. By default the claim sub delivers a cyrptical string (e.g. 116730270589448078398) when the mapping parameter is retained as "sub". This is the Google ID of a user object. However, the email address or display name of a user object may be required instead for better tracability and license synchronicity (in particular in a multicloud setup). This can be achieved by changing the attribute to email or name.
- The remaining claims can be left untouched.
- Finally, enter the required scopes openid, email and profile as whitespace seperated values in the Scope section.
- Hit Create.
- Now the settings can be saved and the identity provider can be validated.
- Login with a google account which should be promoted to a tenant admin in your Qlik SaaS instance.
- If all claim settings are correct a profile validation windows pops up where you can check the transmitted content of the name, email and sub claim. Confirming these profile data...
- ...promotes your logged in user to a tenant admin (if not set already)...
- ... add you can activate the IDP.
- Final test can be executed by logging in with a test user - in this scenario firstname.lastname@example.org.
- Checking the licensed user in the cloud admin console confirms the correct claim submission.
I hope this helps!
If this resolves your query, please click on "Accept as Solution" for confirmation. Thanks!