How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP. Now with Groups!

Jeffrey_Goldberg · May 13, 2024 1:21:30 AM

This article provides step-by-step instructions for implementing Azure AD as an identify provider for Qlik Cloud. We cover configuring an App registration in Azure AD and configuring group support using MS Graph permissions.

It guides the reader through adding the necessary application configuration in Azure AD and Qlik Sense Enterprise SaaS identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their Azure AD credentials.

Content:

Prerequisites
Helpful vocabulary
Considerations when using Azure AD with Qlik Sense Enterprise SaaS
Configure Azure AD
Create the app registration
Create the client secret
Add claims to the token configuration
Add group claim
Collect Azure AD configuration information
Configure Qlik Sense Enterprise SaaS IdP
Recap
Addendum
Related Content (VIDEO)

Prerequisites

An Microsoft Azure account
A Microsoft Azure Active Directory instance
A Qlik Sense Enterprise SaaS tenant
The BYOIDP feature in your Qlik license is set to YES. Contact customer support to find out if you are entitled to bring your own identity provider to your tenant.

Helpful vocabulary

Throughout this tutorial, some words will be used interchangeably.

Qlik Sense Enterprise SaaS: Qlik Sense hosted in Qlik’s public cloud
Microsoft Azure Active Directory: Azure AD
Tenant: Qlik Sense Enterprise SaaS tenant or instance
Instance: Microsoft Azure AD
OIDC: Open Id Connect
IdP: Identity Provider

Considerations when using Azure AD with Qlik Sense Enterprise SaaS

Qlik Sense Enterprise SaaS allows for customers to bring their own identity provider to provide authentication to the tenant using the Open ID Connect (OIDC) specification (https://openid.net/connect/)
Given that OIDC is a specification and not a standard, vendors (e.g. Microsoft) may implement the capability in ways that are outside of the core specification. In this case, Microsoft Azure AD OIDC configurations do not send standard OIDC claims like email_verified. Using the Azure AD configuration in Qlik Sense Enterprise SaaS includes an advanced option to set email_verified to true for all users that log into the tenant.
The Azure AD configuration in Qlik Sense Enterprise SaaS includes special logic for contacting Microsoft Graph API to obtain friendly group names. Whether those groups originate from an on-premises instance of Active Directory and sync to Azure AD through Azure AD Connect or from creation within Azure AD, the friendly group name will be returned from the Graph API and added to Qlik Sense Enterprise SaaS.

Configure Azure AD

Create the app registration

Log into Microsoft Azure by going to https://portal.azure.com.
Click on the Azure Active Directory icon in the browser Or search for "Azure Active Directory" in the search bar on the top. The overview page for the active directory will appear.
Click the App registrations item in the menu to the left.
Click the New registration button at the top of the detail window. The application registration page appears.
Add a name in the Name section to identify the application. In this example, the name of the hostname of the tenant is entered along with the word OIDC.
The next section contains radio buttons for selecting the Supported account types. In this example, the default – Accounts in this organizational directory only – is selected.
The last section is for entering the redirect URI. From the dropdown list on the left select “web” and then enter the callback URL from the tenant. Enter the URI https://<tenant hostname>/login/callback.

The tenant hostname required in this context is the original hostname provided to the Qlik Enterprise SaaS tenant.

Using the Alias hostname will cause the IdP handshake to fail.
Complete the registration by clicking the Register button at the bottom of the page.
Click on the Authentication menu item on the left side of the screen.
On the middle of the page, the reference to the callback URI appears. There is no additional configuration required on this page.

Create the client secret

Click on the Certificates and secrets menu item on the left side of the screen.
In the center of the Certificates and secrets page, there is a section labeled Client secrets with a button labeled New client secret. Click the button.
In the dialog that appears, enter a description for the client secret and select an expiration time. Click the Add button after entering the information.
Once a client secret is added, it will appear in the Client secrets section of the page.

Copy the "value of the client secret" and paste it somewhere safe.
After saving the configuration the value will become hidden and unavailable.

Add claims to the token configuration

Click on the Token configuration menu item on the left side of the screen.
The Optional claims window appears with two buttons. One for adding optional claims, and another for adding group claims. Click on the Add optional claim button.
For optional claims, select the ID token type, and then select the claims to include in the token that will be sent to the Qlik Sense Enterprise SaaS tenant. In this example, ctry, email, tenant_ctry, upn, and verified_primary_email are checked. None of these optional claims are required for the tenant identity provider to work properly, however, they are used later on in this tutorial.
Some optional claims may require adding OpenId Connect scopes from Microsoft Graph to the application configuration. Click the check mark to enable and click Add.
The claims will appear in the window.

Add group claim

Click on the API permissions menu item on the left side of the screen.
Observe the configured permissions set during adding optional claims.
Click the Add a permission button and select the Microsoft Graph option in the Request API permissions box that appears. Click on the Microsoft Graph banner.
Click on Delegated permissions. The Select permission search and the OpenId permissions list appears.

In the OpenID permissions section, check email, openid, and profile. In the Users section, check user.read.
In the Select permissions search, enter the word group. Expand the GroupMember option and select GroupMember.Read.All. This will grant users logging into Qlik Sense Enteprise SaaS through Azure AD to read the group memberships they are assigned.
After making the selection, click the Add permissions button.
The added permissions will appear in the list. However, the GroupMember.Read.All permission requires admin consent to work with the app registration. Click the Grant button and accept the message that appears.

Failing to grant consent to GroupMember.Read.All may result in errors authenticating to Qlik using Azure AD. Make sure to complete this step before moving on.

Collect Azure AD configuration information

Click on the Overview menu item to return to the main App registration screen for the new app. Copy the Application (client) ID unique identifier. This value is needed for the tenant’s idp configuration.
Click on the Endpoints button in the horizontal menu of the overview.
Copy the OpenID Connect metadata document endpoint URI. This is needed for the tenant’s IdP configuration.

Configure Qlik Sense Enterprise SaaS IdP

With the configuration complete and required information in hand, open the tenant’s management console and click on the Identity provider menu item on the left side of the screen.
Click the Create new button on the upper right side of the main panel.
Select OIDC from the Type drop-down menu item, and select Microsoft Entra ID (Azure AD) from the Provider drop-down menu item.
Scroll down to the Application credentials section of the configuration panel and enter the following information:
1. ADFS discovery URL: This is the endpoint URI copied from Azure AD.
2. Client ID: This is the application (client) id copied from Azure AD.
3. Client secret: This is the value copy and pasted to a safe location from the Certificates & secrets section from Azure AD.
4. The Realm is an optional value used if you want to enter what is commonly referred to as the Active Directory domain name.
Scroll down to the Claims mapping section of the configuration panel. There are five textboxes to confirm or alter.
1. The sub field is the subject of the token sent from Azure AD. This is normally a unique identifier and will represent the UserID of the user in the tenant. In this example, the value “sub” is left and appid is removed. To use a different claim from the token, replace the default value with the name of the desired attribute value.
2. The name field is the “friendly” name of the user to be displayed in the tenant. For Azure AD, change the attribute name from the default value to “name”.
3. In this example, the groups, email, and client_id attributes are configured properly, therefore, they do not need to be altered.
  
  In this example, I had to change the email claim to upn to obtain the user's email address from Azure AD. Your results may vary.
Scroll down to the Advanced options and expand the menu. Slide the Email verified override option ON to ensure Azure AD validation works. Scope does not have to be supplied.
The Post logout redirect URI is not required for Azure AD because upon logging out the user will be sent to the Azure log out page.
Click the Save button at the bottom of the configuration to save the configuration. A message will appear confirming intent to create the identity provider. Click the Save button again to start the validation process.
The validation procedure begins by redirecting the person configuring the IdP to the login page for the IdP.
After successful authentication, Azure AD will confirm that permission should be granted for this user to the tenant. Click the Accept button.
If the validation fails, the validation procedure will return a window like the following.
If the validation succeeds, the validation procedure will return a mapped claims window. If the validation states it cannot map the user's email address, it is most likely because the email_verified switch has not been turned on. Go ahead and confirm, move through the remaining steps, and update the configuration as per the previous step. Re-run the validation to map the email.
After confirming the information is correct, the account used to validate the IdP may be elevated to a TenantAdmin role. It is strongly recommended to do make sure the box is checked before clicking continue.
The next to last screen in the configuration will ask to activate the IdP. By activating the Azure AD IdP in the tenant, any other identity providers configured in the tenant will be disabled.
Success.
Please log out of the tenant and re-authenticate using the new identity provider connection. Once logged in, change the url in the address bar to point to https://<tenanthostname>/api/v1/diagnose-claims. This will return the JSON of the claims information Azure AD sent to the tenant. Here is a slightly redacted example.
Verify groups resolve properly by creating a space and adding members. You should see friendly group names to choose from.

Recap

While not hard, configuring Azure AD to work with Qlik Sense Enterprise SaaS is not trivial. Most of the legwork to make this authentication scheme work is on the Azure side. However, it's important to note that without making some small tweaks to the IdP configuration in Qlik Sense you may receive a failure or two during the validation process.

Addendum

For many of you, adding Azure AD means you potentially have a bunch of clean up you need to do to remove legacy groups. Unfortunately, there is no way to do this in the UI but there is an API endpoint for deleting groups. See Deleting guid group values from Qlik Sense Enterprise SaaS for a guide on how to delete groups from a Qlik Sense Enterprise SaaS tenant.

Related Content (VIDEO)

Qlik Cloud: Configure Azure Active Directory as an IdP

reinaerts · ‎2021-03-01

Dear Jeff,

thanks a lot for the link. Just got a follow-up question: when I clean unwanted groups from Azure AD, then just some new unwanted groups pop up. Is there a possibility in Azure or Qlik to allow only certain groups to be synchronized and shown in the member list?

Cheers, Maurits

Carl_Hunter · ‎2021-03-22

Hey @Jeffrey_Goldberg, I was struggling to get the "friendly" group names to appear in SaaS, however, after a lot digging and hacking about with Azure AD, I found your YouTube video:

https://www.youtube.com/watch?v=d3WpPGTmmC0

In the video, there is a step where you need to activate "Enable creation of groups" within the management console. Without this, you do not get the friendly names in the diagnose-claims nor when changing access in spaces

After un-doing all my hacking about in Azure AD, and creating a new IDP as per the video, it all worked as expected 🙂

s_kabir_rab · ‎2021-03-25

Hi,

Wondering if someone can help. We have a scenario where client is moving to hybrid model (QSEoW and QSE on SaaS). on QSEoW they are using SAML authentication against AAD. We have set up the SaaS as well against the same AAD as IDP.

We have issue with user name across both environments. Since they are using signed license key, all their assigned users are showing up in the SaaS tenant, but with "IDB subject" different than the one we can achieve via OpenID tokens in azure. e.g., Their license tab in SaaS shows their "Idp Subject" as - "DOMAINNAME\user.name", where at best we were able to map in email address of each users to the "Idp sub" using the Azure AD token mapping.

Anyone know of any ways to resolve this issue? The same user end up being recognised/treated as two different users between the environments, causing lichenising issues.

Any help would be greatly appreciated, as we need to tackle this. We can of course update/manipulate/use transform on the SAML tokens, but can't do that to OpenID tokens, which is leaving me to wonder how to add the old format "domain\user.name" to each user?

@Jeffrey_Goldberg Can you help and point towards someone who can assist please?

Jeffrey_Goldberg · ‎2021-03-25

@s_kabir_rab in the configuration for Qlik Sense SaaS IdP change the sub field to use sAMAccountName.

Resources to review: https://securecloud.blog/2019/06/06/add-samaccountname-to-azure-ad-access-token-jwt-with-claims-mapp...

and here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping?WT.m...

You basically need to create a custom extension claim that includes the onpremisessamaccountname. You can set the realm to be the domain name if it does not appear in this claim.

AlexOmetis · ‎2021-03-25

@s_kabir_rab / @Jeffrey_Goldberg - The alternative is that you can configure both environments to use email address as the User ID and a custom domain as the User Directory/Realm. You can still sync your User Directory Connector but you have to use a Generic LDAP connection instead of Active Directory so you can customise the User ID. I wrote this up in a blog: Setting up a Qlik Sense Hybrid Environment - Ometis Blog

s_kabir_rab · ‎2021-03-25

Thanks to both of you.

@AlexOmetis - I have setup the generic LDAP with email as user id, only to get overruled by the client's IT department, who preferred the old setup. I guess now it's time to either go through the hustle of claims mapping policy like @Jeffrey_Goldberg suggested or go back to my original suggestions of using email.

But really appreciate the help guys.

Carl_Hunter · ‎2021-03-25

Has anyone put much thought into the on-boarding experience of new SaaS users when using Azure AD as the IDP? From our testing, it seems like the best route is to control access via the Azure 'Enterprise Application', and turning on automatic assignment of analyser licenses. Or if Analyser Capacity is in use, let them consume x minutes before assigning a license.

Unless I'm missing something, the new user needs to present themselves to SaaS before SaaS being aware of the new user. This isn't great.

It would be good to see a User Directory Connector implementation in SaaS, to sync from Azure AD (or whatever IDP) then assign a license (or Capacity). Auto assignment can be dangerous, if not controlling access via Azure (or other means)

Thoughts guys? @Jeffrey_Goldberg @s_kabir_rab @AlexOmetis

s_kabir_rab · ‎2021-03-26

@Carl_Hunter - there are some API available but not sure if they are documented that allows running of license allocation rules based on user groups. I will test this next week to confirm. But you are right, we do not want lots of pro and analyser users comsuming capacity allocations on their first land when the other 2 auto allocations are switched off.

Carl_Hunter · ‎2021-03-26

Thanks Kab @s_kabir_rab - we'll do some digging too, shall we update this thread with our findings?

Alastair_Ometis · ‎2021-03-26

@s_kabir_rab

We had a similar problem in our test envrionment. we solved it by using the (preview) feature of azure ad which allows for emitting custom claims.

The custom claim we used was email name part which we then mapped as the subject. and used a static domain

then the idp subject was DOMAIN\emailnamepart as was the case in our QSEoW environemnt and so only one license was consumed across both envrionmnets

How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP. Now with Groups!