
Modify claims in Identity Mapping

ergustafsson
Partner - Specialist

Using Qlik SaaS solutions (QSEoCS), we intend to connect via multi-cloud with our QSEoW setup. Generally things are working, but due to OpenID Connect being a specification and not a standard, some IdP providers like Azure AD do not provide all the claims that allow such an identity mapping to work.

The consequence is that all apps being deployed to a cloud solution get published without an owner. This makes "self-service" not a viable solution when using multi-cloud.

In this particular case, the OIDC claim email_verified is missing. The on-prem SAML authentication that connects to this seems to generally work.

The idea here is to be able to modify, hardcode, change or alter how the identity mapping is enforced between the cloud and the on-prem solution, irrespective of the IdP provider. From the end-user point of view, everything is set up correctly (user ID the same, name the same, etc.), but because all the different IdP providers interpret OIDC differently, we need to be able to affect how Qlik handles the identities in the setup.
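As an added diagnostic example (not code from the original post or from Qlik), the script below decodes the payload of an OIDC ID token and reports which of the claims this thread relies on (sub, name, email, email_verified) are absent or unusable, so an admin can confirm what the IdP actually sends before blaming the mapping. The claim list and the sample token are constructed assumptions.

```python
import base64
import json

# Claims the identity mapping in this thread depends on: subject, name,
# email and email_verified (the one Azure AD omitted). Assumed for this
# diagnostic; it is not Qlik's documented list.
REQUIRED_CLAIMS = ("sub", "name", "email", "email_verified")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def id_token_claims(id_token: str) -> dict:
    """Return the payload of a compact-serialised JWT without verifying it.

    Diagnostic only: the signature is deliberately not checked here, so the
    output shows what the IdP sends; the relying party must still verify it.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_mapping_claims(claims: dict) -> list:
    """List required claims that are absent, or present with an unusable value."""
    missing = []
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            missing.append(name)
        elif name == "email_verified" and claims[name] is not True:
            # Present but false: the email cannot be trusted for mapping either.
            missing.append("email_verified=false")
    return missing


def make_unsigned_token(payload: dict) -> str:
    # Builds a constructed, unsigned (alg "none") token for the diagnostic.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample resembling the situation described above: sub, name and
# email present, email_verified absent.
SAMPLE_TOKEN = make_unsigned_token(
    {"sub": "example-subject-id", "name": "Example User", "email": "user@example.com"}
)
```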

10 Comments
Jeffrey_Goldberg
Employee

@ergustafsson,

Thank you for the feedback. There are two parts to your request so let's take them in turn.

RE: Multi-cloud

The multi-cloud challenge with the user being stripped in Qlik Sense SaaS upon the first synchro with Windows is less about the IdP not being able to deal with mappings properly, and more that in the synchro the user information is different. We're looking into different transport methods for moving workloads to the cloud that could bring personal content over and offer some remapping of users from the old system to the new. This is going to find its way into the world in the CLI first because it's much more easily scriptable, what with all the mappings (users, streams to spaces, etc.) involved in making the transport seamless.

For now, you have to go and set the new owner and the new space manually after the first synchro, but then it should work after that.

RE: More customization of IdP claims

Acknowledged and understood. I've been trying to find a way to deal with it on the IdP side because you rightly point out the lack of standards. Microsoft does not make it easy, and being the big fish doesn't help us much. So we're looking into the effort to enhance customization of claims mapping.

jg

Status changed to: Open - Collecting Feedback
ergustafsson
Partner - Specialist

Thanks for the feedback @Jeffrey_Goldberg.

I mean the second "idea", 'customization of IdP claims', is essentially due to the multi cloud not transporting the workload as you mention (which is the first one). But I guess they are two separate things, yes. It's really that we have to manually set the owner that causes pain for a sysadmin, and even though it is Microsoft's "fault", we still have the problem. We do have quite a bunch of PS scripts for QSEoW, so if there is a way with the new qlik-cli, I'm all open for that.

Jeffrey_Goldberg
Employee

Yes, the CLI will have user commands in an upcoming release, along with some access to QRS for app migration and multi-cloud scenarios.

In theory, you can connect to QRS today using the CLI by creating a context using a JWT and a JWT vproxy, then use the qlik raw command to issue requests directly to QRS. Like I said, eventually some helper commands for QRS will be available.

jg

sfbi
Creator

Same here... the lack of email is a major problem, as we're unable to share app visualizations by email! Also the profile picture won't work.

Ian_Crosland
Employee
Status changed to: Open - On Roadmap
ergustafsson
Partner - Specialist

This appears to be fixed already:

[Screenshot attached: erikadvectas_0-1610528660417.png]

pavi
Contributor

Hi Team,

What to do when the User ID and IdP Subject contain multiple characters like (auth0jhabajkfkfkfkfkanknL) instead of Domain\username? Would be grateful if you can suggest something on this.

Meghann_MacDonald

From now on, please track this idea from the Ideation portal.

Link to new idea

Meghann

NOTE: Upon clicking this link, 2 tabs may open; please feel free to close the one with the login page. If you only see 1 tab with the login page, please try clicking this link first: Authenticate me! Then try the link above again. Ensure your pop-up blocker is off.

Ideation
Explorer II
Status changed to: Closed - Archived
Meghann_MacDonald
Status changed to: Delivered