Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
gyt
Partner - Contributor
Partner - Contributor

Windows AD name outside of the Cloud

Dear all,

From privacy perspective, our client wants to keep their Windows AD name outside of the Qlik Cloud. Their Windows AD name are defined with first name and last name. Is this possible?

Thanks and best regards

Labels (2)
1 Solution

Accepted Solutions
Marcus_Spitzmiller

Hi, ok that helps.  What I am saying is that Qlik Cloud requires an OIDC complaint IdP, and whatever it supplies is what Qlik Cloud will see.  There is no such thing as defining the users directly in Qlik Cloud, it is reliant on the IdP.

When the IdP is configured, you are able to specify the attribute (claims) mapping as below, so it is really up to the customer what they want to supply.  

Marcus_Spitzmiller_0-1668195563364.png

Finally, to be clear, Qlik Cloud does not support Windows AD directly.  must be an OIDC compliant IdP.  So you could use, for example, ADFS and have that pull from the customer's AD or whatever you like.  Again, Qlik Cloud will just take whatever the IdP supplies.

Hope that helps.

View solution in original post

5 Replies
Marcus_Spitzmiller

Hi, I am a little unclear on the question.  I am assuming you mean they don't want to provide Qlik Cloud SAMAccountName from AD, right?  Or do you mean they don't want to even provide first, last name attributes either?

Assuming the former...Qlik Cloud unless the client wants to use Qlik Account for authentication, they are going to use their own OIDC compatible identity provider.  The IdP is responsible for sending in the info about the user, so they should configure this as they see fit.

Just note that if the 'subject' that the IdP sends in changes, you will need to look at remapping section access tables.  https://help.qlik.com/en-US/migration/Content/Migration/deploying-qlik-cloud-tenant.htm  

let me know if this helps.

gyt
Partner - Contributor
Partner - Contributor
Author

Hi Marcus,

Actually the client does not want to provide any information of user name to the cloud. In Qlik Apps we can make changes as we want. The client is currently having Qlikview and the  authentication is using normal first/last name in their own Windows AD. As I understood from your information, the client needs to have a separate Active Directory with dummy names, which is however mapped to their current one in the background, and the mapping is hosted outside of Cloud. Did I understand it correctly?

Thanks and best regards

Marcus_Spitzmiller

Hi, ok that helps.  What I am saying is that Qlik Cloud requires an OIDC complaint IdP, and whatever it supplies is what Qlik Cloud will see.  There is no such thing as defining the users directly in Qlik Cloud, it is reliant on the IdP.

When the IdP is configured, you are able to specify the attribute (claims) mapping as below, so it is really up to the customer what they want to supply.  

Marcus_Spitzmiller_0-1668195563364.png

Finally, to be clear, Qlik Cloud does not support Windows AD directly.  must be an OIDC compliant IdP.  So you could use, for example, ADFS and have that pull from the customer's AD or whatever you like.  Again, Qlik Cloud will just take whatever the IdP supplies.

Hope that helps.

gyt
Partner - Contributor
Partner - Contributor
Author

Hi Marcus,

Thanks a lot for the explanation.

Does it mean if the client wants to use Qlik Cloud, anyway they have to get a new IdP? How the data in this IdP look like, depends on what they want to provide? They definitely don't want to provide the real names, so if dummy user names and email address like dummyuser1@company.com are used, this will be passed to Qlik Cloud? The users can then use this dummy email address and their password to log in to Qlik Cloud and this ensures the real names will not be visible in Cloud and there is also no need to synchronize this new IdP with the old Windows AD because the users just need to use the dummy email address. Did I understand correctly?

For this client there is another issue that they do not want to provide even the ip address to Qlik Cloud. Do you know whether this information will be retrieved?

Thank you very much again and best regards

Marcus_Spitzmiller

Hi, yes the customer needs to use an OIDC compliant IdP.  Alternatively they can use Qlik Account (same as Qlik community) signin, but in that case they would be providing user information.  You understood correctly about the IdP.

There is no strict requirement to supply the on-prem IP to Qlik Cloud, though I can't say for sure whether Qlik Cloud is capturing the IP from which the browser is coming from in logs.  it is likely that this could be the case.

It would be interesting to learn more about the customers requirement if you would like to direct message me.  It would be a shame to implement somewhat strange requirements if there was a way to make the customer feel comfortable.  See qlik.com/trust.