Discussion board where members can learn and discuss how to move from QlikView and Qlik Sense Client-Managed to Qlik Sense SaaS
Dear all,
From a privacy perspective, our client wants to keep their Windows AD names outside of Qlik Cloud. Their Windows AD names are defined with first name and last name. Is this possible?
Thanks and best regards
Hi, I am a little unclear on the question. I am assuming you mean they don't want to provide Qlik Cloud with the SAMAccountName from AD, right? Or do you mean they don't want to even provide first and last name attributes either?
Assuming the former: with Qlik Cloud, unless the client wants to use Qlik Account for authentication, they are going to use their own OIDC-compatible identity provider. The IdP is responsible for sending in the info about the user, so they should configure this as they see fit.
Just note that if the 'subject' that the IdP sends in changes, you will need to look at remapping section access tables. https://help.qlik.com/en-US/migration/Content/Migration/deploying-qlik-cloud-tenant.htm
Let me know if this helps.
Hi Marcus,
Actually, the client does not want to provide any user name information to the cloud. In Qlik apps we can make changes as we want. The client currently has QlikView, and the authentication uses the normal first/last name in their own Windows AD. As I understood from your information, the client needs to have a separate Active Directory with dummy names, which is however mapped to their current one in the background, and the mapping is hosted outside of the cloud. Did I understand it correctly?
Thanks and best regards
Hi, ok that helps. What I am saying is that Qlik Cloud requires an OIDC-compliant IdP, and whatever it supplies is what Qlik Cloud will see. There is no such thing as defining the users directly in Qlik Cloud; it is reliant on the IdP.
When the IdP is configured, you are able to specify the attribute (claims) mapping as below, so it is really up to the customer what they want to supply.
Finally, to be clear, Qlik Cloud does not support Windows AD directly. It must be an OIDC-compliant IdP. So you could use, for example, ADFS and have that pull from the customer's AD or whatever you like. Again, Qlik Cloud will just take whatever the IdP supplies.
Hope that helps.
Hi Marcus,
Thanks a lot for the explanation.
Does it mean that if the client wants to use Qlik Cloud, they have to get a new IdP anyway? What the data in this IdP looks like depends on what they want to provide? They definitely don't want to provide the real names, so if dummy user names and email addresses like dummyuser1@company.com are used, this will be passed to Qlik Cloud? The users can then use this dummy email address and their password to log in to Qlik Cloud, and this ensures the real names will not be visible in the cloud, and there is also no need to synchronize this new IdP with the old Windows AD because the users just need to use the dummy email address. Did I understand correctly?
For this client there is another issue: they do not want to provide even the IP address to Qlik Cloud. Do you know whether this information will be retrieved?
Thank you very much again and best regards
Hi, yes, the customer needs to use an OIDC-compliant IdP. Alternatively they can use Qlik Account (same as Qlik Community) sign-in, but in that case they would be providing user information. You understood correctly about the IdP.
There is no strict requirement to supply the on-prem IP to Qlik Cloud, though I can't say for sure whether Qlik Cloud is capturing the IP from which the browser is coming in logs. It is likely that this could be the case.
It would be interesting to learn more about the customer's requirement if you would like to direct message me. It would be a shame to implement somewhat strange requirements if there was a way to make the customer feel comfortable. See qlik.com/trust.
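One way an IdP-side claims transform could issue the dummy identities discussed in this thread, as an added example that is not part of any post here and is not Qlik or ADFS code. It assumes the standard OIDC claim names `sub`, `name` and `email`; the key, the domain, the function names and the sample users are constructed for illustration. Because the alias is derived deterministically, the subject stays stable across logins, which matters for the section access remapping mentioned above.

```python
import hashlib
import hmac

# Constructed sample directory records (not real users).
AD_USERS = [
    {"sAMAccountName": "jane.doe", "givenName": "Jane", "sn": "Doe",
     "mail": "jane.doe@corp.example"},
    {"sAMAccountName": "arjun.patel", "givenName": "Arjun", "sn": "Patel",
     "mail": "arjun.patel@corp.example"},
]

# Assumption: the key lives only on the customer's IdP side, never in the cloud.
PSEUDONYM_KEY = b"constructed-demo-key-kept-on-prem"
DUMMY_DOMAIN = "company.example"  # hypothetical domain for dummy addresses


def pseudonym(account: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable keyed alias for an AD account; not reversible without the key."""
    normalized = account.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
    return "u" + digest[:16]


def claims_for(user: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Build the only claims released to the relying party for this user."""
    alias = pseudonym(user["sAMAccountName"], key)
    return {"sub": alias, "name": alias, "email": f"{alias}@{DUMMY_DOMAIN}"}


def leaked_fields(user: dict, claims: dict) -> list:
    """Return any real AD value that still appears in the released claims."""
    released = " ".join(str(v) for v in claims.values()).lower()
    sensitive = [user["sAMAccountName"], user["givenName"],
                 user["sn"], user["mail"]]
    return [s for s in sensitive if s.lower() in released]


def on_prem_lookup(users: list, key: bytes = PSEUDONYM_KEY) -> dict:
    """Alias -> AD account table, kept outside the cloud, for rewriting
    section access tables to the pseudonymous subject."""
    return {pseudonym(u["sAMAccountName"], key): u["sAMAccountName"]
            for u in users}


if __name__ == "__main__":
    for u in AD_USERS:
        c = claims_for(u)
        print(c, "leaks:", leaked_fields(u, c))
```

Rotating the key changes every subject, so treat a key change like any other subject change and remap section access afterwards.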