Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW

How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP. Now with Groups!

100% helpful (1/1)
cancel
Showing results for 
Search instead for 
Did you mean: 
Jeffrey_Goldberg
Employee
Employee

How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP. Now with Groups!

Last Update:

Jun 12, 2023 2:45:55 AM

Updated By:

Sonja_Bauernfeind

Created date:

Jan 11, 2021 8:55:44 AM

This article provides step-by-step instructions for implementing Azure AD as an identify provider for Qlik Cloud. We cover configuring an App registration in Azure AD and configuring group support using MS Graph permissions.

It guides the reader through adding the necessary application configuration in Azure AD and Qlik Sense Enterprise SaaS identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their Azure AD credentials.

Content:

 

Prerequisites

  • An Microsoft Azure account
  • A Microsoft Azure Active Directory instance
  • A Qlik Sense Enterprise SaaS tenant
  • The BYOIDP feature in your Qlik license is set to YES. Contact customer support to find out if you are entitled to bring your own identity provider to your tenant.

 

Helpful vocabulary

Throughout this tutorial, some words will be used interchangeably.

  • Qlik Sense Enterprise SaaS: Qlik Sense hosted in Qlik’s public cloud
  • Microsoft Azure Active Directory: Azure AD
  • Tenant: Qlik Sense Enterprise SaaS tenant or instance
  • Instance: Microsoft Azure AD
  • OIDC: Open Id Connect
  • IdP: Identity Provider

 

Considerations when using Azure AD with Qlik Sense Enterprise SaaS

  • Qlik Sense Enterprise SaaS allows for customers to bring their own identity provider to provide authentication to the tenant using the Open ID Connect (OIDC) specification (https://openid.net/connect/)
  • Given that OIDC is a specification and not a standard, vendors (e.g. Microsoft) may implement the capability in ways that are outside of the core specification. In this case, Microsoft Azure AD OIDC configurations do not send standard OIDC claims like email_verified. Using the Azure AD configuration in Qlik Sense Enterprise SaaS includes an advanced option to set email_verified to true for all users that log into the tenant.
  • The Azure AD configuration in Qlik Sense Enterprise SaaS includes special logic for contacting Microsoft Graph API to obtain friendly group names. Whether those groups originate from an on-premises instance of Active Directory and sync to Azure AD through Azure AD Connect or from creation within Azure AD, the friendly group name will be returned from the Graph API and added to Qlik Sense Enterprise SaaS.

Configure Azure AD

Create the app registration

  1. Log into Microsoft Azure by going to https://portal.azure.com.
  2. Click on the Azure Active Directory icon in the browser Or search for "Azure Active Directory" in the search bar on the top. The overview page for the active directory will appear.

    Azure Active Directory Overview.png

  3. Click the App registrations item in the menu to the left.

    App Registration.png

  4. Click the New registration button at the top of the detail window. The application registration page appears.

    New Registration.png

  5. Add a name in the Name section to identify the application. In this example, the name of the hostname of the tenant is entered along with the word OIDC.

    New Name for OIDC.png

    agree to platform policies.png

  6. The next section contains radio buttons for selecting the Supported account types. In this example, the default – Accounts in this organizational directory only – is selected.

    Supported account types.png

  7. The last section is for entering the redirect URI. From the dropdown list on the left select “web” and then enter the callback URL from the tenant. Enter the URI https://<tenant hostname>/login/callback.

    Redirect URI.png
    The tenant hostname required in this context is the original hostname provided to the Qlik Enterprise SaaS tenant.
    tenant hostname.png

    Using the Alias hostname will cause the IdP handshake to fail.
  8. Complete the registration by clicking the Register button at the bottom of the page.

    Agree to Microsoft Policy.png

  9. Click on the Authentication menu item on the left side of the screen.

    Authentication.png

  10. On the middle of the page, the reference to the callback URI appears. There is no additional configuration required on this page.

    Redirect URIs callback.png

 

Create the client secret

  1. Click on the Certificates and secrets menu item on the left side of the screen.

    Certificiates and Secrets.png

  2. In the center of the Certificates and secrets page, there is a section labeled Client secrets with a button labeled New client secret. Click the button.

    New Client Secret.png

  3. In the dialog that appears, enter a description for the client secret and select an expiration time. Click the Add button after entering the information.

    Adding Client Secret.png

  4. Once a client secret is added, it will appear in the Client secrets section of the page.
    Copy the "value of the client secret" and paste it somewhere safe.
    After saving the configuration the value will become hidden and unavailable.

    List of Client Secrets.png

 

Add claims to the token configuration

  1. Click on the Token configuration menu item on the left side of the screen.

    Token Configuration.png

  2. The Optional claims window appears with two buttons. One for adding optional claims, and another for adding group claims. Click on the Add optional claim button.

    Optional Claims.png

  3. For optional claims, select the ID token type, and then select the claims to include in the token that will be sent to the Qlik Sense Enterprise SaaS tenant. In this example, ctry, email, tenant_ctry, upn, and verified_primary_email are checked. None of these optional claims are required for the tenant identity provider to work properly, however, they are used later on in this tutorial.

    Adding Optional Claim Settings.png

  4. Some optional claims may require adding OpenId Connect scopes from Microsoft Graph to the application configuration. Click the check mark to enable and click Add.

    Turn on the Microsoft Graph email and profile permission.png

  5.  The claims will appear in the window.

    Optional Claims overview.png

 

Add group claim

  1. Click on the API permissions menu item on the left side of the screen.

    API permissions.png

  2. Observe the configured permissions set during adding optional claims.

    Configured Permissions.png

  3. Click the Add a permission button and select the Microsoft Graph option in the Request API permissions box that appears. Click on the Microsoft Graph banner.

    Request API permissions.png

  4. Click on Delegated permissions. The Select permission search and the OpenId permissions list appears.

    Request API permissions Microsoft Graph.png

    Request API permissions Users.png
    In the OpenID permissions section, check email, openid, and profile. In the Users section, check user.read.
  5. In the Select permissions search, enter the word group. Expand the GroupMember option and select GroupMember.Read.All. This will grant users logging into Qlik Sense Enteprise SaaS through Azure AD to read the group memberships they are assigned.

    Select Permissions.png

  6. After making the selection, click the Add permissions button.

    confirm by adding permissions.png

  7. The added permissions will appear in the list. However, the GroupMember.Read.All permission requires admin consent to work with the app registration. Click the Grant button and accept the message that appears.

    Configured Permissions overview.png

    grant consent.png
Failing to grant consent to GroupMember.Read.All may result in errors authenticating to Qlik using Azure AD. Make sure to complete this step before moving on.

Collect Azure AD configuration information

  1. Click on the Overview menu item to return to the main App registration screen for the new app. Copy the Application (client) ID unique identifier. This value is needed for the tenant’s idp configuration.

    Application ID unique identifier.png

  2. Click on the Endpoints button in the horizontal menu of the overview.

    OIDC Endpoints.png

  3. Copy the OpenID Connect metadata document endpoint URI. This is needed for the tenant’s IdP configuration.

    Copy OpenID Connect medatdata.png

 

Configure Qlik Sense Enterprise SaaS IdP

  1. With the configuration complete and required information in hand, open the tenant’s management console and click on the Identity provider menu item on the left side of the screen.

    Qlik Cloud Identity Provider.png

  2. Click the Create new button on the upper right side of the main panel.

    Create New.png

  3. Select Interactive from the Type drop-down menu item, and select  'AZURE AD' from the Provider drop-down menu item.

    Select the IDP provider.png

  4. Scroll down to the Application credentials section of the configuration panel and enter the following information:
    1. ADFS discovery URL: This is the endpoint URI copied from Azure AD.
    2. Client ID: This is the application (client) id copied from Azure AD.
    3. Client secret: This is the value copy and pasted to a safe location from the Certificates & secrets section from Azure AD.
    4. The Realm is an optional value used if you want to enter what is commonly referred to as the Active Directory domain name.

      Application Credentials.png

  5. Scroll down to the Claims mapping section of the configuration panel. There are five textboxes to confirm or alter.

    Claims mapping.png

    1. The sub field is the subject of the token sent from Azure AD. This is normally a unique identifier and will represent the UserID of the user in the tenant. In this example, the value “sub” is left and appid is removed. To use a different claim from the token, replace the default value with the name of the desired attribute value.

      sub.png

    2. The name field is the “friendly” name of the user to be displayed in the tenant. For Azure AD, change the attribute name from the default value to “name”.

      name.png

    3. In this example, the groups, email, and client_id attributes are configured properly, therefore, they do not need to be altered.

      groups.png
      In this example, I had to change the email claim to upn to obtain the user's email address from Azure AD. Your results may vary.

      email.png

  6. Scroll down to the Advanced options and expand the menu. Slide the Email verified override option ON to ensure Azure AD validation works. Scope does not have to be supplied.

    advanced options email verification override.png

  7. The Post logout redirect URI is not required for Azure AD because upon logging out the user will be sent to the Azure log out page.
  8. Click the Save button at the bottom of the configuration to save the configuration. A message will appear confirming intent to create the identity provider. Click the Save button again to start the validation process.

    configure update of identity provider.png

  9. The validation procedure begins by redirecting the person configuring the IdP to the login page for the IdP.

    Sign in to Microsoft Account.png

  10. After successful authentication, Azure AD will confirm that permission should be granted for this user to the tenant. Click the Accept button.

    Accept requested permissions.png

  11. If the validation fails, the validation procedure will return a window like the following.

    Authentication Failed Error.png

  12. If the validation succeeds, the validation procedure will return a mapped claims window. If the validation states it cannot map the user's email address, it is most likely because the email_verified switch has not been turned on. Go ahead and confirm, move through the remaining steps, and update the configuration as per the previous step. Re-run the validation to map the email.

    Login Successful.png

  13. After confirming the information is correct, the account used to validate the IdP may be elevated to a TenantAdmin role. It is strongly recommended to do make sure the box is checked before clicking continue.

    Promote User to Tenant Admin.png

  14. The next to last screen in the configuration will ask to activate the IdP. By activating the Azure AD IdP in the tenant, any other identity providers configured in the tenant will be disabled.

    Activate the idP.png

  15. Success.

    Success Message.png

  16. Please log out of the tenant and re-authenticate using the new identity provider connection. Once logged in, change the url in the address bar to point to https://<tenanthostname>/api/v1/diagnose-claims. This will return the JSON of the claims information Azure AD sent to the tenant. Here is a slightly redacted example.

    diagnose claims.png

  17. Verify groups resolve properly by creating a space and adding members. You should see friendly group names to choose from.

    Create a new space.png

    Space Members.png

    Add members.png

    Add members to content-admins.png

Recap

While not hard, configuring Azure AD to work with Qlik Sense Enterprise SaaS is not trivial. Most of the legwork to make this authentication scheme work is on the Azure side. However, it's important to note that without making some small tweaks to the IdP configuration in Qlik Sense you may receive a failure or two during the validation process.

 

Addendum

For many of you, adding Azure AD means you potentially have a bunch of clean up you need to do to remove legacy groups. Unfortunately, there is no way to do this in the UI but there is an API endpoint for deleting groups. See Deleting guid group values from Qlik Sense Enterprise SaaS for a guide on how to delete groups from a Qlik Sense Enterprise SaaS tenant.

Related Content (VIDEO)

Qlik Cloud: Configure Azure Active Directory as an IdP

 

Labels (1)
Comments
Jeffrey_Goldberg
Employee
Employee

@Carl_Hunter , responding to this item in the thread: https://community.qlik.com/t5/Knowledge-Base/How-To-Configure-Qlik-Sense-Enterprise-SaaS-to-use-Azur...

Have a look at SCIM: http://www.simplecloud.info/

This is the direction we are going re: user directory sync and pre-provisioning users and groups to tenants. Azure AD, Okta, and many other IdPs support this API.

Carl_Hunter
Partner Ambassador
Partner Ambassador

Thanks! Looks v interesting @Jeffrey_Goldberg - is this in the product yet?

Azure has a SCIM endpoint (Azure AD Provisioning Service), which I'll take a look into 👍 

Tony_Bravata
Contributor
Contributor

This was very helpful in setting up SSO.  I've noticed that all of my groups are not in the claim when I sign in.  It appears I might be hitting a limit, where only 99-100 groups come through.  That would be in line with use of the Microsoft Graph API if you didn't use pagination -- see here.

@Jeffrey_Goldberg -- Is this a known issue, and do you have any idea of how we could limit which groups Azure includes in the claim, or whether Qlik plans to fix the limitation?

Thanks!

Carl_Hunter
Partner Ambassador
Partner Ambassador

Hey @Jeffrey_Goldberg, has there been anymore movement on my SCIM/ user directory sync and automation of Qlik Sense SaaS onboarding query? Wondering if the new Blendr.io app automation functionality will fill this requirement? 

Carl_Hunter
Partner Ambassador
Partner Ambassador

Quick follow-up, looks like the automatic provision is not enabled against the Enterprise Application, perhaps something Qlik needs to do to wire this up to Azure AD? 

Carl_Hunter_0-1629734230836.png

We could write some PowerShell to push users from Azure AD into QS SaaS and schedule from Azure Automation but its a bit janky... 

pablodelcerro
Partner - Contributor III
Partner - Contributor III

@Jeffrey_Goldberg 

This is an excelent post! Thanks a lot!

But we need your help...

We have a customer with QSEoW with local AD using domain/account login, and we are about to configure SAAS with Azure AD and following your recomendation we will change the sub field to use sAMAccountName and  create a custom extension claim that includes the onpremisessamaccountname.

But our problem is that they have 3 domains, so we cant really set the realm to be the domain name.

Do you have any ideas how we can figure this out?

Another tricky thing is that onPremisesDomainName is FQDN while on QSEoW we see users as just domain/user. Not sure if that will be a problem for QLS.

They have +150 users on QSEoW so we dont want them to change login on QSEoW to be email address and loose SSO. We rather prefer them to login to SAAS using domain\user.

Of course the underlying issue is that we dont want licenses to be duplicated and we want login to be the same in both platforms.

Thanks for your help!

RickardPH
Partner - Contributor
Partner - Contributor

Thanks for as very useful guide! Especially the Idp configuration steps helped me to move a customers Qlik Sense site from Qlik accounts to MS accounts on Azure.

It really worked smothly, and the users are now able to log on using their regular Microsoft login credentials.

However, there were no trace of the expected user groups from Azure, and using the /api/v1/diagnose-claims command in the browser did not show any either, as it should. As I didn't configure the Azure part, that was done by someone else, I was not sure it was set up correctly in Azure.

After some hours trying to figure out what was wrong, I sifted through some qlik help documentation and stumbled upon what I missed: I had not  enabled the setting for auto-creation of groups under Settings in the Management console!

I flipped the switch, logged out and when logged in again, the user groups appeared in the Add members list - Success!

Here you can read about the  auto-creation of groups setting:

https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_Hub/Admin/mc-create-idp-conf...

Tips: The /api/v1/diagnose-claims command should return a list of whatever groups the user is a member of :

"groups":[*,...

That is if the auto-creation of groups setting is enabled 😉

anderslinden
Partner - Contributor III
Partner - Contributor III

Hi!

We managed to get the connection working following this instruction. The existing users are ok and can login via the new routine, but we cannot se any other users or groups from the AD, so we cannot add new users. What triggers the sync? What can be wrong?

/@anderslinden 

StephenDunn
Contributor III
Contributor III

Anderslinden, I've just hit the same snag, did you get it sorted?  I've found a permission in Azure API permissions which is named 'Directory.AccessAsUser.All' and is described 'Access directory as the signed in user', which looks promising.  I've just activated it myself, and will find out if it's made a difference tomorrow ( it's hometime for me 😄 ).

 

anderslinden
Partner - Contributor III
Partner - Contributor III

@StephenDunn Thanks for replying. We can now see group AllUsers, and I'm just checking with the people administrating the AzureAD if there are more groups. Note that (as an earlier post says) you have to check the box in settings to "allow groups to be crated".

/Anders

Version history
Last update:
‎2023-06-12 02:45 AM
Updated by: