
How to configure Qlik Cloud with Okta

Luis_Arocho-LLantin


Last Update: Nov 9, 2023 5:36:36 AM
Updated By: Sonja_Bauernfeind
Created date: Apr 19, 2022 10:57:35 AM

This guide provides the basic instructions on configuring Qlik Cloud with Okta as an identity provider.

This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.

Configuring Okta

  1. Go to your Okta Admin Console
  2. Navigate to Applications 
  3. Click Create App Integration

  4. Choose OIDC - OpenID Connect and Web Application, then click Next

  5. Fill in the App Integration Name (this name identifies the application)
  6. Set Grant type to Authorization Code
  7. Enter your tenant URL in Sign-out redirect URIs, adding /login/callback 

    Example: https://tenant_url/login/callback

    This must be the actual tenant name, not the alias.

  8. Scroll down to the Assignments section. Set Allow everyone in your organization to access 

  9. Click Save
  10. Copy the Client ID and Client Secret. Both are needed when configuring the IdP on the tenant.
  11. Switch to the Sign On tab

  12. Click Edit on the OpenID Connect ID Token

    1. Set Issuer to the Okta URL
    2. Set Group claim type to Filter
    3. Set Group claim filter to groups, followed by Matches regex and .*
    4. Click Save

  13. The next step is to add an Authorization Server 

    If you do not have access to Okta's API Access Management, see Using a custom Authorization Server for Okta in Qlik Cloud.

    1. Expand the Okta admin panel menu
    2. Expand Security and open API

    3. Click Add Authorization Server.

    4. Set Name to QlikAPI (example)
    5. Set Audience to qlik.api
    6. Set Issuer to Okta URL 
    7. Leave everything else default, then click Save

  14. Switch to the Scopes tab

    1. Click Add Scope
    2. Set the Name 
    3. Set a Display phrase
    4. Set a Description
    5. Set User consent to Implicit
    6. Mark Set as default scope
    7. Leave Include in public metadata unchecked
    8. Click Save

  15. Switch to Access Policies
    1. Click Add Policy
    2. Set a Name
    3. Set a Description
    4. Set Assign to to All clients
    5. Click Update Policy

  16. Click Add rule

    1. Set a Rule Name
    2. Check Client Credentials
    3. Uncheck all items under Client acting on behalf of a user
    4. Check Any user assigned the app
    5. Check Any scopes
    6. Leave the remaining settings at default
    7. Click Create rule
    8. Check Client Credentials, Any user assigned the app and Any scopes, then click Update Rule


Configuring Qlik Cloud Tenant

  1. Open the Qlik Cloud Management Console and browse to Identity Providers 
  2. Click Create New

  3. Choose Interactive
  4. Choose Okta

  5. Fill out the Application credentials as per the Okta Setup

  6. Provide your claims mapping as per your setup

  7. Click Create

For additional information on how to create new identity providers in Qlik Cloud, see Creating a new identity provider configuration.
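
The following Python check is an added example, not code from Qlik or Okta: it explains why a redirect URI would be rejected (step 7 of the Okta setup) and inspects decoded ID token claims for the issuer, the Client ID audience and the groups claim (step 12). It assumes the IdP compares redirect URIs as exact strings and that the groups claim is named groups; the hostnames, client ID and token are constructed sample values, and the token signature is not verified.

```python
import base64
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/login/callback"  # path from step 7 of the Okta setup

def check_redirect_uri(sent, registered):
    """Return reasons the redirect_uri the tenant sends would be rejected."""
    if sent in registered:  # assumption: the IdP compares exact strings
        return []
    url, problems = urlsplit(sent), []
    if url.scheme != "https":
        problems.append("scheme is not https")
    if url.path != CALLBACK_PATH:
        problems.append(f"path {url.path!r} is not {CALLBACK_PATH!r}")
    hosts = sorted(urlsplit(r).hostname or "" for r in registered)
    if url.hostname not in hosts:
        problems.append(f"host {url.hostname!r} is not registered ({hosts}); "
                        "was the tenant alias entered instead of the tenant hostname?")
    return problems or ["no exact match: check trailing slash, port and case"]

def decode_claims(id_token):
    """Decode a JWT payload for inspection; the signature is NOT verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_id_token(claims, issuer, client_id, groups_claim="groups"):
    """Return what is wrong with the claims the tenant will try to map."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} differs from {issuer!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Client ID")
    groups = claims.get(groups_claim)
    if not isinstance(groups, list) or not groups:
        problems.append(f"no {groups_claim!r} claim: check claim filter and scopes")
    return problems

def make_sample_token(claims):
    """Constructed, unsigned token for the demo (placeholder signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])

if __name__ == "__main__":
    registered = ["https://alias.example.com/login/callback"]  # constructed values
    print(check_redirect_uri("https://tenant.example.com/login/callback", registered))
    print(check_id_token({"iss": "https://idp.example.com", "aud": "client123"}, "https://idp.example.com", "client123"))
```

Use decode_claims only to inspect a token during setup; it is not a substitute for the signature validation the tenant performs.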

 

Environment:

Qlik Cloud 

 

The information in this article is provided as-is and is to be used at your own discretion. Depending on the tool(s) used, customization(s), and/or other factors, ongoing support on the solution below may not be provided by Qlik Support.

Comments
hkatsu
Partner - Contributor II

Hi Luis

Please give me some advice.

I followed the steps you provided and set it up.
However, there is no "Add Authorization Server" button as described in "12.Then click Add Authorization Server...".

So I have the following two questions.

1) Is the procedure different in the latest Okta version?

2) Please let us know the procedure to follow with the latest version.

Best regards.

Hideaki.

mshann01
Contributor III

I have the same concern as Hkatsu.  We have not purchased Okta's API Access Management so we do not have access to the Add Authorization Server option.  Our other integrations are SAML so it has not been needed.  It seems like there should be an alternate setup option that doesn't result in spending lots of extra money.

Sonja_Bauernfeind
Digital Support

Hello @mshann01 and @hkatsu 

We are currently working on getting an updated version made and I will get back to you as soon as possible with an answer regarding the "Add Authorization Server" option. 

All the best,
Sonja 

Sonja_Bauernfeind
Digital Support

Hello @mshann01 and @hkatsu 

Catarina has put together a workaround for you and we've recently published and verified it. Here you go! Using a custom Authorization Server for Okta in Qlik Cloud 

All the best,
Sonja 

mshann01
Contributor III

Excellent @Sonja_Bauernfeind .  Thanks for following up and I'm eager to test it out.  I'll follow up after I get a chance to set it up.

obeyaztas
Contributor

@Luis_Arocho-LLantin @Sonja_Bauernfeind can you make a small change in the document? Step 5 says you need to enter the tenant name:

Fill in the App Integration Name, chose Authorization Code and enter your tenant name adding at the end /login/callback 


Might be good to mention that it's NOT the alias name. We struggled with setting it up and were getting the error that the RETURN_URI wasn't linked to a login page. This was just because we were using the tenant alias hostname (companyname.eu.qlikcloud.com) instead of the tenant hostname (xy6shdh.eu.qlikcloud.com shown in the about screen).

Could be that this is clear for most of the Qlik admins, but it took me a few hours before finding the cause of it. Qlik Support wasn't even able to help me with this.

Sonja_Bauernfeind
Digital Support

Hello @obeyaztas 

Thank you for closing the loop with us on this! I updated the article as you suggested (and am actively working on updating it in general).

All the best,
Sonja 

mshann01
Contributor III

@Sonja_Bauernfeind , we found another piece that may be missing.  For us, we needed to expand the Advanced Options on the Qlik setup and add "groups" into the scope even though we mapped it correctly in the claims section.  Without this we weren't pulling in any groups through Okta to our tenant.

Sonja_Bauernfeind
Digital Support

Thank you, @mshann01 I will review this during my article update.

hakeemakibu
Contributor

Hi @Luis_Arocho-LLantin and @Sonja_Bauernfeind  I tried the integration and got the error below.


Error: The 'redirect_uri' parameter must be a Login redirect URI in the client app settings:
