Mar 23, 2023 6:56:03 AM
Mar 23, 2023 6:56:11 AM
At the time of writing, Qlik Cloud Services does not yet support Google Cloud Platform (GCP) user groups during the authentication phase, so granting GCP users access to Qlik Cloud based on their group membership is not (yet) an option.
This is expected to be a temporary situation, and Qlik will deliver this feature sooner or later. Nevertheless, timing matters: for Qlik enthusiasts with a hard requirement to rely on Google groups, the gap may stand in the way of adopting the SaaS offering.
In that context, this article proposes an alternative way to achieve the same business goal, granting users access to spaces based on their group membership, by acting on authorization instead of authentication. The solution is imperfect, widely improvable (anyone is welcome to contribute) and to some extent graceless, but it works and can sometimes make the difference between adopting Qlik SaaS or something else.
Any user authenticated through GCP (or any other identity provider) lands on Qlik Cloud, and a new Qlik user is created on their first access. The solution hooks into that specific "User Creation" event: a Qlik Application Automation is triggered when the user is created and goes through the following steps. Because the automation runs only once, at first access, later changes to the user's Google group membership are not reflected in their space access unless the automation is run again for that user.
The Google API documentation is linked here. The HTTP request retrieves a paginated list of the members of the group identified by {groupKey}. The request must be authenticated; for that you need to create a service account on the Google platform and use its private key to sign a JWT. Grant that service account no more than read access to group membership (least privilege): its key will sit in an automation variable, so limit what a leaked key can do.
Pay attention when pasting the private key. It must consist of exactly 3 lines: the first line is "-----BEGIN PRIVATE KEY-----", the second line is the key material itself without any carriage returns or line feeds, and the third line is "-----END PRIVATE KEY-----". In the JSON key file downloaded from Google the line breaks appear as literal "\n" sequences; strip those out. You should end up with something like this:
-----BEGIN PRIVATE KEY-----
<your private key on one single line, with all CR+LF or "\n" sequences removed>
-----END PRIVATE KEY-----
Map the inputs of the custom code block as follows:
- Private Key Id: from the variable
- Private Key: from the variable
- Time: {number: {date: 'now', 'U'}}
Select Python as language and paste these lines:
import jwt

# 'time' is the Unix timestamp in seconds passed in from the automation input above
iat = inputs['time']
# JWT 'iat'/'exp' are in seconds; Google accepts a maximum token lifetime of 60 minutes,
# so the lifetime is 3600 seconds, not 3600 * 1000 (which would be about 41 days)
exp = iat + 3600
payload = {'iss': 'qlik-user-sync@qliksaasidp-377811.iam.gserviceaccount.com',  # your service account e-mail
           'sub': 'qlik-user-sync@qliksaasidp-377811.iam.gserviceaccount.com',
           'aud': 'https://admin.googleapis.com/',
           'iat': iat,
           'exp': exp}
# 'kid' is the private key id from the service account key file
additional_headers = {'kid': inputs['Private Key Id'], "alg": "RS256", "typ": "JWT"}
# Sign with the service account's PEM private key using RS256
signed_jwt = jwt.encode(payload, inputs['Private Key'], headers=additional_headers,
                        algorithm='RS256')
# The printed value is the block's output and is used as the Bearer token in the next step
print(signed_jwt)
For more details please check this page.
Remember to pass the pageToken as a query parameter,
and send the signed JWT in the Authorization header as a Bearer token, as follows:
The automation is attached to this article. Remember to replace the placeholders in the Private Key Id and Private Key variables with your own key, and the group in the two Call URL blocks.
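The following is an added example, written for this page and not the attached automation or Qlik's own code, that puts the JWT step and the paginated members call together in plain Python so the logic can be tested outside the automation. The members.list endpoint, the pageToken/maxResults parameters and the members/nextPageToken response fields are those of Google's Directory API; the group address, the sample member pages and the fake_fetch stand-in for the HTTP call are constructed so the code runs offline. The service account e-mail is the one from the snippet above and is assumed to be replaced with your own.

```python
import time
from typing import Callable, Dict, Iterator, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Service account identity copied from the article's snippet (replace with yours).
SERVICE_ACCOUNT = "qlik-user-sync@qliksaasidp-377811.iam.gserviceaccount.com"
DIRECTORY_API = "https://admin.googleapis.com"


def build_claims(iat: int, issuer: str = SERVICE_ACCOUNT, lifetime: int = 3600) -> Dict:
    """Claim set for a self-signed service-account JWT.

    'iat' and 'exp' are Unix seconds. Google accepts at most a 60-minute
    lifetime, so anything larger is capped at 3600 seconds.
    """
    lifetime = min(lifetime, 3600)
    return {
        "iss": issuer,
        "sub": issuer,
        "aud": DIRECTORY_API + "/",
        "iat": iat,
        "exp": iat + lifetime,
    }


def sign_jwt(claims: Dict, private_key_pem: str, key_id: str) -> str:
    """RS256-sign the claims with PyJWT (imported lazily so the module loads without it)."""
    import jwt  # PyJWT; RS256 also requires the 'cryptography' package
    headers = {"kid": key_id, "alg": "RS256", "typ": "JWT"}
    return jwt.encode(claims, private_key_pem, algorithm="RS256", headers=headers)


# A fetcher takes (url, headers) and returns the decoded JSON body of the GET.
Fetcher = Callable[[str, Dict[str, str]], Dict]


def iter_group_members(group_key: str, bearer: str, fetch: Fetcher,
                       max_results: int = 200) -> Iterator[Dict]:
    """Page through members.list, following nextPageToken until it is absent."""
    page_token: Optional[str] = None
    while True:
        params = {"maxResults": max_results}
        if page_token:
            params["pageToken"] = page_token
        url = f"{DIRECTORY_API}/admin/directory/v1/groups/{group_key}/members?{urlencode(params)}"
        body = fetch(url, {"Authorization": f"Bearer {bearer}"})
        for member in body.get("members", []):
            yield member
        page_token = body.get("nextPageToken")
        if not page_token:
            return


def is_active_member(email: str, group_key: str, bearer: str, fetch: Fetcher) -> bool:
    """True if the newly created Qlik user's e-mail is an ACTIVE member of the group.

    The comparison is case-insensitive, and only status == ACTIVE counts, so a
    suspended Workspace account is not granted space access.
    """
    wanted = email.strip().lower()
    for m in iter_group_members(group_key, bearer, fetch):
        if m.get("email", "").lower() == wanted and m.get("status") == "ACTIVE":
            return True
    return False


# Constructed sample responses standing in for the Directory API (not real data):
# two pages, the first one carrying a nextPageToken.
_SAMPLE_PAGES = {
    None: {"members": [{"email": "alice@example.com", "status": "ACTIVE"},
                       {"email": "bob@example.com", "status": "SUSPENDED"}],
           "nextPageToken": "page2"},
    "page2": {"members": [{"email": "Carol@example.com", "status": "ACTIVE"}]},
}


def fake_fetch(url: str, headers: Dict[str, str]) -> Dict:
    """Offline stand-in for the HTTP GET; refuses calls without a bearer token."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    token = parse_qs(urlparse(url).query).get("pageToken", [None])[0]
    return _SAMPLE_PAGES[token]


if __name__ == "__main__":
    claims = build_claims(int(time.time()))
    # With a real key: bearer = sign_jwt(claims, private_key_pem, key_id)
    print(is_active_member("carol@example.com", "sales@example.com", "fake-token", fake_fetch))
```

The membership check is the decision point that the automation's Call URL blocks feed; hooking it to a space assignment is the automation's job. Note that the group address used here is a placeholder.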
@Vincenzo_Esposito thanks for creating this documentation. I had a question about its functionality. Is the idea that only 1 Google IDP group is queried? If I want to use Google's IDP groups to control who has access to which space (for example, a Sales group in Google will have access to a Sales space in Qlik, and then a Finance Google group will have access to the Finance space in Qlik), is that achievable with your workaround?