Example auth0 authentication setup with Qlik Sense Enterprise on Kubernetes

Andre_Sostizzo
Digital Support

The steps below describe an example test setup for authentication using Auth0 as the identity provider (IdP) with Qlik Sense Enterprise on Kubernetes (QSEoK).

Environment:
  • Qlik Sense Enterprise on Kubernetes (QSEoK), February 2020
  • Auth0

Resolution:


! The information in this article is provided as-is and is to be used at your own discretion. Ongoing support on the solution is not provided by Qlik Support.

Note: These steps assume an Auth0 "Developer" account has already been created.

On Auth0 site:

1. Log on to the Auth0 Dashboard and click on + NEW APPLICATION.
2. Give it an appropriate name (e.g. "QS_interactive_logon").
3. Choose an application type: Single Page Web Applications.
4. Click on Create and ignore any tutorials.
5. Go to Connections > Database.
6. Click on + CREATE DB CONNECTION.
7. Give it an appropriate name (e.g. "QS_interactive_Users"), and click on Create.
8. Then go to the Applications tab and enable the connection only for the new application created above.
9. Go to Users & Roles > Users and click on + CREATE USER.
10. Auth0 will send out an email message to the user to verify the account.
11. On the new user's Details page, scroll down to the Metadata > user_metadata section.
12. Add the following in the JSON-formatted text box in order to associate the "Everyone" group with this user:

user_metadata:

{
  "groups": [
    "Everyone"
  ]
}

13. Go back to Applications and select your new application.
14. Under Connections, make sure no other Database connections are enabled.
15. Go to Rules and click on + CREATE RULE.
16. Select the </> Empty rule option under Empty.
17. Give it the name "Add groups to claim".
18. Add the following to the Script box:

function (user, context, callback) {
  // Copy the groups from user_metadata into a namespaced custom claim
  // in the ID token. Users without groups get no groups claim.
  if ((user.user_metadata || {}).groups) {
    context.idToken['https://qlik.com/groups'] = user.user_metadata.groups;
  }
  callback(null, user, context);
}

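19. Go to Rules and click on + CREATE RULE.
20. Select the </> Empty rule option under Empty.
21. Give it the name "Add sub as email".
22. Add the following to the Script box:

function (user, context, callback) {
  // Expose the user's email address as a namespaced custom claim; the
  // QSEoK claimsMapping below reads it as the subject (sub).
  // The email is used as-is; this rule does not check user.email_verified.
  context.idToken['https://qlik.com/sub'] = user.email;
  callback(null, user, context);
}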

23. Under Connections > Database, select the connection created.
24. Click on the Try Connection tab and an authentication page will open in a new browser tab.
25. If the setup is correct, a page displaying "It Works!" should be shown, with user profile metadata information further down the page.
26. Under Applications > Settings > Allowed Callback URLs, configure the URL with the following format:

Allowed Callback URLs: https://<QSEoK server hostname>:<Port>/login/callback

Where:
- <QSEoK server hostname> is the DNS record created for reaching the Qlik Sense Kubernetes cluster servers. This value should match what is configured in the .yaml file hostname parameter in the QSEoK steps below.
- <Port> should match the port listed as ingress NodePort or LoadBalancer port in QSEoK. This can be checked by running the command "kubectl describe service qliksense-nginx-ingress-controller" or "kubectl get services".

On QSEoK:

27. The original .yaml file may have an edge-auth section with the built-in IdP information, which needs to be removed and replaced by an identity-providers section.

Original yaml file content:

devMode:
  enabled: true

engine:
  acceptEULA: "yes"

edge-auth:
  oidc:
    redirectUri: https://<QSEoK server hostname>:32443/login/callback

elastic-infra:
  nginx-ingress:
    controller:
      service:
        type: NodePort
        nodePorts:
          https: 32443
      extraArgs.report-node-internal-ip-address: ""


New yaml file content with identity-providers:

devMode:
  enabled: true

engine:
  acceptEULA: "yes"

identity-providers:
  secrets:
    idpConfigs:
      - discoveryUrl: "https://<Tenant>.auth0.com/.well-known/openid-configuration"
        clientId: "<Client ID from Application>"
        clientSecret: "<Client Secret from Application>"
        realm: "<Name for this IdP>"
        hostname: "<QSEoK server hostname>"
        claimsMapping:
          client_id: [ "client_id", "<id>" ]
          # "~1" is the JSON Pointer escape for "/", so these entries point at
          # the https://qlik.com/groups and https://qlik.com/sub claims set by the rules.
          groups: "/https:~1~1qlik.com~1groups"
          sub: ["/https:~1~1qlik.com~1sub", "sub"]

Where:
- <Tenant> needs to be substituted by the tenant identifier of the Auth0 domain created. This domain can be checked on the Auth0 site under Applications > Settings > Domain.
- <Client ID from Application> can be retrieved from the Auth0 site under Applications > Settings > Client ID.
- <Client Secret from Application> can be retrieved from the Auth0 site under Applications > Settings > Client Secret.
- <Name for this IdP> can be set to simply Auth0.
- <QSEoK server hostname> is the DNS record created for reaching the Qlik Sense Kubernetes cluster servers. If no record is in place, the system's /etc/hosts file can be edited with the proper IP to hostname mapping.

Example hosts file mapping:

127.0.0.1   <hostname>
::1         <hostname>
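
How the claims written by the two Auth0 rules line up with the claimsMapping entries in the new yaml file, as an added example that is not part of the original article or of Qlik's code. It assumes the entries are RFC 6901 JSON Pointers tried in order (as the ~1 escapes suggest); the sample user, the placeholder sub value and the helper names are constructed.

```javascript
// Constructed sample user, shaped like the profile the Auth0 rules receive.
const sampleUser = { email: 'analyst@example.com', user_metadata: { groups: ['Everyone'] } };

// Both rules from the steps above, applied to an empty ID token (simulation only).
function applyRules(user) {
  const context = { idToken: {} };
  if ((user.user_metadata || {}).groups) {
    context.idToken['https://qlik.com/groups'] = user.user_metadata.groups;
  }
  context.idToken['https://qlik.com/sub'] = user.email;
  // "sub" is the standard subject claim; this value is a constructed placeholder.
  return { sub: 'auth0|placeholder-user-id', ...context.idToken };
}

// Assumption: entries starting with "/" are RFC 6901 JSON Pointers ("~1" decodes
// to "/", "~0" to "~"); a bare name such as "sub" is a top-level claim.
function resolveEntry(claims, entry) {
  if (!entry.startsWith('/')) return claims[entry];
  let node = claims;
  for (const raw of entry.slice(1).split('/')) {
    const key = raw.replace(/~1/g, '/').replace(/~0/g, '~');
    if (node === null || typeof node !== 'object' || !(key in node)) return undefined;
    node = node[key];
  }
  return node;
}

// Assumption: a list of entries is tried in order and the first one that resolves wins.
function mapClaim(claims, mapping) {
  for (const entry of [].concat(mapping)) {
    const value = resolveEntry(claims, entry);
    if (value !== undefined) return value;
  }
  return undefined;
}

const claimsMapping = {
  groups: '/https:~1~1qlik.com~1groups',
  sub: ['/https:~1~1qlik.com~1sub', 'sub'],
};

function mapIdentity(user) {
  const claims = applyRules(user);
  return { sub: mapClaim(claims, claimsMapping.sub), groups: mapClaim(claims, claimsMapping.groups) };
}

console.log(mapIdentity(sampleUser));
console.log(mapIdentity({})); // falls back to the standard sub, no groups
// An unescaped pointer splits on every "/" and finds nothing:
console.log(resolveEntry(applyRules(sampleUser), '/https://qlik.com/groups'));
```

The second call shows why the sub mapping lists two entries: when the email claim is absent, the subject falls back to the standard sub claim.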


28. Update the deployment by running the Helm command below, where <filename> is the name given to the yaml file.

Note 1: The command below will upgrade the qliksense deployment to the latest release listed in the Helm repository. If this is not desired, see the command for staying on the current release further below.
Note 2: To see which releases of qliksense Helm has in its Qlik repository, run the command helm search qlik --versions. The CHART VERSION column references the release version. To update the repository references, run helm repo update.

helm upgrade qliksense qlik/qliksense -f <filename>.yaml

In order to stay on the current release while updating the deployment, run the following:

helm upgrade qliksense qlik/qliksense -f <filename>.yaml --version <version>

Where:
- <version> is the desired CHART VERSION value for the QSEoK deployment. The CHART column for the existing qliksense deployment is shown by the command helm ls; it contains the name of the chart, which includes the version (e.g. qliksense-<version>).

29. Check that the new configuration has been applied with the command helm get values qliksense.
30. Test the access to the Qlik Sense Enterprise Administration console via the URL below:

https://<QSEoK server hostname>:<port>/console

Where:
- <QSEoK server hostname> is the DNS record created for reaching the Qlik Sense Kubernetes cluster servers. This value should match what is configured in the .yaml file hostname parameter in the QSEoK steps above.
- <port> should match the port listed as ingress NodePort or LoadBalancer port in QSEoK. This can be checked by running the command "kubectl describe service qliksense-nginx-ingress-controller" or "kubectl get services".
 

Version history
Revision #: 6 of 6
Last update: 2021-02-23 04:20 AM