Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Woohoo! Qlik Community has won “Best in Class Community” in the 2024
Khoros Kudos awards!
This is a quick guide on how to set up SAML authentication in Qlik Cloud using Keycloak as the Identity Provider.
Environment:
KeyCloak Configuration
- In Keycloak, navigate to General and Realm Settings and download the IdP metadata
- In Keycloak, set up a test user:
- Click Save and go to Credentials to set the password
- In Keycloak, add a new Client and set the Qlik Cloud tenant original URL as the Client ID. For example: https://kxvfihtburc1m5j.ap.qlikcloud.com
-
Add https://<tenant URL>/login/saml in Valid redirect URIs and in Master SAML Processing URL
-
In Settings, under SAML capabilities, set the Name ID format to persistent and make sure that Force POST binding is checked.
- In Settings locate Signature and encryption and make sure that either Sign Assertions or Sign Documents is enabled (Having both enabled is also fine).
- Switch to the Keys tab and disable Client Signature Required.
- The last step is to add the needed attributes (username, email, display name) that we will use in Qlik Cloud. Before that, please make sure to set the role_list to "optional" so that Keycloak doesn't send the role list attribute several times which Qlik Cloud won't be able to understand.
Then, under "Client Scopes", click on the name of client scope that has the description "Dedicated scope and mappers for this client", in the below screenshot the name is https://kxvfihtburc1m5j.ap.qlikcloud.com-dedicated. - Choose Configure new mapper and choose User Attribute then click Add. For simplicity, we will use firstname as the display name for this example in order to not have to create a custom attribute.
- Repeat the same for email and username by choosing Add mapper > By configuration > User Attribute
- If you also want to fetch groups for the user, choose Add Mapper > By Configuration > Group List and configure the mapper as below.
Qlik Cloud Settings
- In Qlik Cloud, go to Identity Provider and create a new interactive Identity provider configuration
- Select SAML as the type and generic for the Provider
- Check Use IdP metadata and upload or paste the content of the IdP metadata file downloaded from Keycloak in the first step of the Keycloak configuration section.
- If needed, check Enable IdP-initiated login
- Under Claim mapping, fill in the SAML claims name created previously. In this case username for sub, displayname for name and email for email.
- You can now click on Create but do not Validate yet.
- Once created, Edit the Identity Provider again and make sure to set the Name ID format to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- Once done, save and validate the configuration and make sure everything is working fine.
Qlik Cloud
Qlik Cloud
Hi, I followed this method but when I validate, I'm correctly redirected to keycloak but I get this error:
{
"status": "callbackError",
"protocol": "SAML",
"error": "SAML Response validation failed, unable to query 'Attributes'",
"traceId": "e5df8289a6302b5cfd7a6f365fa83eef"
}
(picture below)
Any advice for the resolution? We also tried connecting with OIDC but got a similar error.
Thank you very much,
Gianluca
