How To: Configure Qlik Sense Enterprise SaaS to use Auth0 as an IdP

TL;DR

• Step-by-step instructions for implementing Auth0 as the identity provider for a Qlik Sense Enterprise SaaS tenant.
• Configure Auth0
• Configure Qlik Sense SaaS

Prereqs

• Qlik Sense Enterprise SaaS Tenant
• Auth0 tenant

Helpful vocab

• Qlik Sense Enterprise SaaS: Qlik Sense hosted in Qlik’s public cloud
• Auth0: Auth0 is an identity access management software as a service product
• Tenant: Your Qlik Sense Enterprise SaaS tenant or instance
• OIDC: Open Id Connect
• IdP: Identity Provider

Considerations when using Auth0 with Qlik Sense Enterprise SaaS

• Qlik Sense Enterprise SaaS allows for customers to bring their own identity provider to provide authentication to the tenant using the Open ID Connect (OIDC) specification (https://openid.net/connect/)
• Given that OIDC is a specification and not a standard, vendors (e.g. Auth0) may implement the capability in ways that are outside of the core specification. In this case, Auth0 is reasonably compliant and more flexible than some other identity provider options. That said, you may receive warnings during validation but they don’t impact the overall functionality of the identity provider in a tenant.

Configure Auth0

1. Log into your Auth0 tenant by going to https://auth0.com.
   Auth0 Dashboard

    

2. Click on the Create Application button on the upper right side of the screen.
   Create Application Button

    

3. Provide a name for your application, select Single Page Web Applications from the application type menu and click Create.
   Auth0 Create Application Form

    

4. When the application page appears, click Settings.
   Top bar for Auth0 application.

    

5. The Basic information section contains the Client ID and Client Secret you need for configuring the IdP in your tenant. Make note of these values.
   Auth0 application basic information section

    

6. Scroll down the page to the Application URIs section. In the Allowed Callback URLs textarea, enter your tenant’s login callback url. The login callback url is in the form of https://{your-tenant-name}.{tenant-region}.qlikcloud.com/login/callback. Here’s an example: https://contoso.us.qlikcloud.com/login/callback. Note: The Callback URL cannot be an Aliased Tenant Name. 
   Auth0 application configuration application urls

    

7. Scroll down to the Show Advanced Settings text and click it.
   Show Advanced Settings

    

   1. Click OAuth and make sure the OIDC Conformant option is green
      Advanced Settings OAuth tab

       

   2. Click Grant Types and make sure Authorization Code has a check mark. NOTE: Implicit and Refresh Token may be checked as well, however, they are not used by Qlik Sense SaaS for authentication.
      Advanced Settings Grant Types tab

       

   3. Click Endpoints and copy the OpenID Configuration entry. This URI is necessary for configuring the IdP in your tenant.
      Advanced Settings Endpoints tab

       

8. Click Save Changes
   Save Changes

    

9. Scroll to the top of the page. Click Connections in the tab menu.
   Auth0 Application configuration top bar

    

10. In this tab, you choose the way users authenticate with Auth0, and subsequently Qlik Sense SaaS. In this example, the user may log in using their Auth0 userid and password, or using Google’s OAuth2 service. Follow Auth0 guides for more information on integrating your application registration with social logins.
    Auth0 application configuration Connections tab

     

Configure Qlik Sense SaaS

1. Log into Qlik Sense SaaS Management console using an account with the Tenant Admin role assigned. https://{yourtenantname}.{tenantregion}.qlikcloud.com/console.
2. Click Identity provider in the console’s side menu.
   Qlik Sense SaaS management console side menu

    

3. On the right side of the screen click Create new.
   Create new button

    

4. In the configuration window, select Interactive from the Type dropdown and Auth0 from the Provider dropdown. You may add a description for your IdP in the description textarea.
   Begin Identity Provider configuration

    

5. Scroll down to the Application credentials section.
   1. In the OpenID configuration text box, enter the OpenID Configuration URI you copied from Auth0.
   2. Add the Client ID from the Auth0 application settings into the Client ID text field.
   3. Add the Client secret from the Auth0 application settings into the Client secret text field.
   4. The Realm is an optional field often used to provide a domain name for the accounts logging into Qlik Sense SaaS through this IdP.
      Identity provider configuration application credentials section
6.  Scroll down to the Claims mapping section.
   1. The sub is the subject claim, a standard claim in any JSON web token sent as part of and OpenID configuration. In Auth0, this value is equivalent to the user_id attribute for the user logging in. In this example, the sub is changed to email. This change can be helpful if your apps use email for the USERID field in section access.
   2. The name claim is the name that will show up in welcome messages within the tenant.
   3. The groups claim contains the groups the user is a member of and imports them into the tenant.
   4. The email claim registers the email of the user in the tenant.
   5. The Client_id is the same value as the client id added to the configuration.
   6. The picture claim is typically a url to the user’s avatarIdentity provider configuration claims mapping section
7. Expand the Advanced options to reveal the Scope text box.
8. Add the openid, profile, and email scopes to the configuration.
   Identity provider configuration advanced settings
9. Click Create, and then confirm the save. The save will trigger the validation procedure.
   Save Identity provider configuration.

    

   confirm save identity provider configuration

    

    

10. To validate the IdP configuration, log into Qlik Sense SaaS using the newly configured IdP.
    Auth0 login modal dialog

     

     

11. When the validation page appears, scroll through to make sure the mapping assigns claims properly. Check the validation box and click Confirm.
    Qlik Sense SaaS validation page top portion.

     

     

    Qlik Sense SaaS validation bottom portion

     

     

12. To complete the configuration, the tenant asks you to promote the validation user to the tenant admin. If this is desired, check the box and click Continue.
    Qlik Sense SaaS tenant admin promotion
13. Congratulations! The new IdP is configured. Log out of Qlik Sense SaaS and authenticate again using the credentials tied to the new IdP.