Hello everyone,
In a customer environment, I am running into a strange behavior regarding identity management across our Qlik Cloud tenants.
Current Setup:
We manage multiple tenants.
Most tenants use the standard Qlik Cloud Native Authentication (No IDP).
One specific tenant uses AWS Cognito as the Identity Provider.
The Issue: Authentication via Cognito works fine for the specific tenant. However, I am regularly seeing "orphan" users appearing across all tenants with only a technical ID. These users seem to be consuming license entitlements.
Although the tenants are logically disjoint, it feels like the license pool is centralized. I suspect there is a conflict or a mapping mismatch between the Native Qlik users and the Cognito users, despite having carefully configured the claim mapping in Cognito.
Has anyone encountered this cross-tenant user duplication/license consumption issue? Any insights on how Qlik reconciles user identities between Native (no IdP) and a custom OIDC (Cognito) would be greatly appreciated.
Thanks in advance!
This is going to be a problem for you because the license server uses the IDP Subject to evaluate if the users are the same person. This most commonly occurs with customers with Qlik Sense on Windows and Qlik Cloud; we solve it by setting the IDP subject in the cloud to the value of the samAccountName from the on-prem Active Directory (DOMAIN\USERID).
In your case you have two Identity Providers that you can't just configure to match. While you may be able to change the claims for Cognito you will have to find the Subject from Qlik's Identity provider in order to make it work.
The solution I would offer is to implement a different default Identity provider so you can configure it to do what is needed, but this would be a pretty big change; I guess it depends how many tenants there are.
Best of Luck
Chris
As Chris says, there is a centralized license service which shares license assignments across all tenants on the license.
One of our roadmap items (in design) reworks the pattern for customers with more than 1 tenant on a subscription. They will be able to define what entitlement from their subscription goes to each of their tenants, meaning each tenant is then fully isolated for licensing.
Thank you for these answers. I have to admit I am surprised (even flabbergasted). Basically, there is a native feature for IDP settings per tenant, but are you saying that Qlik Cloud cannot connect tenants that don't use the same IDP, and that this will cause licensing problems? I don't know what to say ... 🙂
There is no impact to your consumption. If a user joins tenant A and is assigned a license, they are then free to join any other tenant on that license at no additional cost. Equally, they may never be invited to any of those other tenants. The cost is constant and counted as 1 user irrespective of the number of tenants they access on that subscription.
A user is identified by their subject. You control the subject through your choice of IdP, and which field you choose to match to the subject field in Qlik Cloud.
If you want a user to be able to access multiple tenants using a single license, you can match your subject on Cognito to the Qlik Account subject. Or, even better, use Cognito on all tenants, since using our IdP means we (Qlik) own those user accounts and you cannot manage them yourself or on behalf of your customer.
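Added illustration, not code from this thread or from Qlik: a small Python model of the reconciliation rule both answers describe (the license service keys a person on the IdP subject, and the tenant's IdP configuration decides which token claim becomes that subject). Everything else is an assumption for the example: the tenant names, the hypothetical Cognito custom claim `custom:qlik_subject`, the subject values, and the tokens themselves, which are constructed and unsigned so the block runs offline. A real deployment must verify the ID token signature before trusting any claim; this model skips that on purpose.

```python
"""
Model of subject-based user reconciliation across tenants that share one
license pool. Illustration only, not Qlik's implementation: the one grounded
rule is "a user is identified by the subject the tenant's IdP supplies".
"""
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed JWT-shaped string (header.payload.) with an empty signature.

    Used only to build sample input; never accept alg=none tokens in production.
    """
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def payload_claims(token: str) -> dict:
    """Decode the payload segment without verifying the signature (model only)."""
    _, payload, _ = token.split(".")
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def has_subject_claim(token: str, subject_claim: str) -> bool:
    """Check the claim a tenant maps to 'subject' is actually issued.

    A mapped claim that the IdP does not emit is the kind of misconfiguration
    that leaves a user identified by something other than the intended value.
    """
    return subject_claim in payload_claims(token)


def subject_for(token: str, subject_claim: str) -> str:
    claims = payload_claims(token)
    if subject_claim not in claims:
        raise KeyError(f"token lacks the mapped subject claim {subject_claim!r}")
    return claims[subject_claim]


def license_consumption(logins, tenant_subject_claim):
    """Count seats the way the thread describes the pool behaving.

    logins: list of (tenant, id_token).
    tenant_subject_claim: {tenant: claim name mapped to the Qlik subject}.
    Returns (seat_count, {subject: set of tenants that subject accessed}).
    """
    seats = {}
    for tenant, token in logins:
        subj = subject_for(token, tenant_subject_claim[tenant])
        seats.setdefault(subj, set()).add(tenant)
    return len(seats), seats


def demo():
    """One person, three tenants; returns (seats_before_mapping, seats_after)."""
    # Constructed tokens. "native" stands for a tenant on Qlik's own IdP,
    # "cognito" for the tenant on AWS Cognito. Subject values are made up.
    native = make_unsigned_token(
        {"sub": "native-1a2b", "email": "alice@example.com"}
    )
    cognito = make_unsigned_token(
        {
            "sub": "us-east-1:9f8e",               # Cognito's own subject
            "email": "alice@example.com",
            "custom:qlik_subject": "native-1a2b",  # hypothetical mapped claim
        }
    )
    logins = [("tenant-a", native), ("tenant-b", native), ("tenant-c", cognito)]

    # Default: every tenant maps the standard "sub" claim. The same person
    # shows up under two different subjects, so the pool counts two seats.
    before, _ = license_consumption(
        logins, {"tenant-a": "sub", "tenant-b": "sub", "tenant-c": "sub"}
    )
    # Fix from the thread: make the Cognito tenant's subject equal the
    # subject the native tenants already use. One subject, one seat.
    after, _ = license_consumption(
        logins,
        {"tenant-a": "sub", "tenant-b": "sub", "tenant-c": "custom:qlik_subject"},
    )
    return before, after


if __name__ == "__main__":
    print("seats before/after subject alignment:", demo())
```

The check worth keeping from this model is `has_subject_claim`: whatever claim you point the tenant's subject mapping at, confirm the IdP emits it for every user, because a user whose mapped claim is absent will be identified by something you did not intend and will not reconcile with the same person on another tenant.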