Hello everyone,
We're trying to create a group for the users in Google Cloud so the SSO will match the group to the user (to grant access to a space upon first login).
We created a group with user emails under the admin section in the Google console, but the IdP validation in Qlik doesn't get the group for the user that logged in.
Did anyone else encounter the same problem with Google about creating groups for the authentication? There are tutorials for Okta and Azure but none for Google.
Hi @RamiBS,
The Google OAuth IdP itself does not support providing group membership during login. There are workarounds, but they all involve using another IdP such as Okta to proxy requests to Google APIs to provide a login token with group claims included. There would be more advanced approaches, and I would not be able to share the steps here. That would require having knowledge of your current environment configurations and having an admin who is familiar with OAuth and GCP.
From a support engineer perspective if this is really important for you, then we have a professional services team who assist in doing such configuration on a chargeable basis. This is just a suggestion.
Having said that, I will share the solution tomorrow which we shared with another client who had the same requirement. Please note that this might not work as expected in your deployment, but there is no harm in validating 🙂
Thanks!
Vinay
Hi @RamiBS,
Please check the below post for a step-by-step guide on how to set up the Google IdP:
https://community.qlik.com/t5/Deployment-Management/Single-sign-on-with-Google/m-p/1973742#M23134
Let me know if that helps.
Vinay
Hey @Vinay_B ,
Nice job on posting the tutorial for others to see. It should be pinned as community knowledge so it'll be easier for others to find.
I don't have a problem with the IDP setup, it works as intended, my problem is a bit more complex.
Google sends in its JWT a limited number of claims for Qlik to use for mapping (used this endpoint to receive the source claims - api/v1/diagnose-claims): sub, name, given_name, family_name, picture, email, email_verified, locale and hd.
Since we want the users to seamlessly get access to the space by group access, we wanted to add another claim to the list above in Google. We tried adding attributes to the users in Google Workspace but that doesn't seem to work; we tried to add group APIs in Google's consent screen and then add them in Qlik's scopes, but that didn't work either.
Maybe the problem is with Google itself, since they don't allow the creation of other claims in the JWT or the creation of groups under the SSO.
Do you have any knowledge if it's possible to create a group in google identity that will be included in the source claims google sends to Qlik? In Azure and Okta I saw it's possible and relatively straightforward.
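Added example (not part of the original thread, and not Qlik's or Google's code): a minimal sketch of the broker pattern mentioned in this thread, where an intermediate IdP takes the claims Google sends, looks up group membership separately, and re-issues a token carrying a group claim. Assumptions: the upstream Google token has already been fully validated (signature, issuer, audience); the claim name `groups`, the `lookup_groups` callable (a stand-in for a directory lookup), the sample data and the HS256 demo key are all hypothetical, and a real broker would sign with an asymmetric key.

```python
import base64, hashlib, hmac, json, time

# Claims the thread reports Google sending; none of them carries group membership.
GOOGLE_CLAIMS = {"sub", "name", "given_name", "family_name", "picture",
                 "email", "email_verified", "locale", "hd"}
# Constructed sample data (hypothetical, not from the thread).
DIRECTORY = {"ana@example.com": {"qlik-finance-space"}}
UPSTREAM = {"sub": "1001", "name": "Ana", "email": "ana@example.com",
            "email_verified": True, "hd": "example.com"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    header_b64 = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header_b64 + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, key: bytes) -> dict:
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

def broker_token(upstream: dict, lookup_groups, allowed_hd: str,
                 key: bytes, ttl: int = 300) -> str:
    """Re-issue already-validated upstream claims with a 'groups' claim added."""
    if upstream.get("email_verified") is not True:
        raise PermissionError("email not verified upstream")
    if upstream.get("hd") != allowed_hd:
        raise PermissionError("account outside the allowed hosted domain")
    claims = {k: v for k, v in upstream.items() if k in GOOGLE_CLAIMS}
    claims["groups"] = sorted(lookup_groups(upstream["email"]))  # assumed claim name
    claims["exp"] = int(time.time()) + ttl  # short-lived: group changes propagate quickly
    return sign_jwt(claims, key)
```

The `hd` and `email_verified` checks matter because the broker becomes the authority for group membership: a token minted for an unverified or out-of-domain address would otherwise inherit whatever groups the lookup returns for that email.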