RamiBS
Contributor III

Qlik Cloud - User Group Creation with Google Identity

Hello everyone,

We're trying to create a group for the users in Google Cloud so the SSO will match the group to the user (to grant access to a space upon first login).

We created a group with user emails under the admin section in Google console, but the IDP validation in Qlik doesn't get the group for the user that logged in.

Did anyone else encounter the same problem with Google about creating groups for the authentication? There are tutorials for Okta and Azure but none for Google.

Labels (1)
  • cloud

1 Solution

Accepted Solutions
Vinay_B
Support

Hi @RamiBS,

The Google OAuth IdP itself does not support providing group membership during login. There are workarounds, but they all involve using another IdP such as Okta to proxy requests to Google APIs to provide a login token with group claims included. There would be more advanced approaches, and I would not be able to share the steps here. That would require having knowledge of your current environment configurations and having an admin who is familiar with OAuth and GCP.

From a support engineer perspective, if this is really important for you, then we have a professional services team who assist in doing such configuration on a chargeable basis. This is just a suggestion.

Having said that, I will share the solution tomorrow which we shared with another client who had the same requirement. Please note that this might not work as expected in your deployment, but there is no harm in validating 🙂

Thanks!

Vinay

If this resolves your query, please click on "Accept as Solution" for confirmation. Thanks!


3 Replies
Vinay_B
Support

Hi @RamiBS,

Please check the below post for a step-by-step guide on how to set up Google IDP:

https://community.qlik.com/t5/Deployment-Management/Single-sign-on-with-Google/m-p/1973742#M23134

Let me know if that helps.

Vinay

If this resolves your query, please click on "Accept as Solution" for confirmation. Thanks!
RamiBS
Contributor III
Author

Hey @Vinay_B,

Nice job on posting the tutorial for others to see. Should pin it as community knowledge so it'll be easier for others to find.

I don't have a problem with the IDP setup, it works as intended, my problem is a bit more complex.

Google sends in its JWT a limited number of claims for Qlik to use for mapping (used this endpoint to receive the source claims - api/v1/diagnose-claims): sub, name, given_name, family_name, picture, email, email_verified, locale and hd.

Since we want the users to seamlessly get access to the space by group access, we wanted to add another claim to the list above in Google. We tried adding attributes to the users in Google Workspace but that doesn't seem to work, tried to add group APIs in Google's consent screen and then add it in Qlik's scopes but that didn't work either.

Maybe the problem is with Google itself since they don't allow the creation of other claims to the JWT or the creation of groups under the SSO.

Do you have any knowledge if it's possible to create a group in Google identity that will be included in the source claims Google sends to Qlik? In Azure and Okta I saw it's possible and relatively straightforward.
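
The claim check described in the post above, as an added example (not part of the thread, and not Qlik or Google code): it decodes an ID token's payload and reports whether any group claim is present for mapping. The sample token is constructed from the claim names listed above with placeholder values, and the candidate group claim names (`groups`, `group`, `roles`) are assumptions.

```python
import base64
import json

# Claim names the thread reports seeing from Google via api/v1/diagnose-claims.
GOOGLE_CLAIMS = ["sub", "name", "given_name", "family_name", "picture",
                 "email", "email_verified", "locale", "hd"]
# Assumption: candidate names for a group claim. The real name depends on
# the IdP and on the claims mapping configured in the tenant.
GROUP_CLAIM_CANDIDATES = ("groups", "group", "roles")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return a JWT payload WITHOUT verifying the signature (diagnostics only;
    never base an access decision on unverified claims)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def group_claim_report(claims: dict) -> dict:
    """Summarise whether the token carries anything usable for group mapping."""
    found = {k: claims[k] for k in GROUP_CLAIM_CANDIDATES if claims.get(k)}
    return {"claims_present": sorted(claims),
            "group_claims": found,
            "can_map_groups": bool(found)}


def make_sample_token(claims: dict) -> str:
    """Build a constructed demo token; the signature segment is a dummy."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    sample = {c: "constructed" for c in GOOGLE_CLAIMS}
    print(group_claim_report(decode_claims(make_sample_token(sample))))
```
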

 
