Skip to main content
Announcements
Talend Data Catalog 8.0 End of Support: December 31, 2024 Get Details

Qlik Cloud: How to set up Keycloak as a SAML Identity Provider

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Damien_V
Support
Support

Qlik Cloud: How to set up Keycloak as a SAML Identity Provider

Last Update:

Jul 1, 2024 4:26:11 AM

Updated By:

Damien_V

Created date:

Mar 11, 2024 10:47:38 AM

This is a quick guide on how to set up SAML authentication in Qlik Cloud using Keycloak as the Identity Provider.

 

Environment:

Qlik Cloud 

 

KeyCloak Configuration

  1. In Keycloak, navigate to General and Realm Settings and download the IdP metadata 

    Damien_Villaret_0-1671765374463.png

  2. In Keycloak, set up a test user:

    Damien_Villaret_1-1671765491608.png

  3. Click Save and go to Credentials to set the password

    Damien_Villaret_2-1671765595894.png

  4. In Keycloak, add a new Client and set the Qlik Cloud tenant original URL as the Client ID. For example: https://kxvfihtburc1m5j.ap.qlikcloud.com

    Damien_Villaret_0-1710077146157.png

  5. Add https://<tenant URL>/login/saml in Valid redirect URIs and in Master SAML Processing URL

    Damien_Villaret_1-1710077401715.png

  6. In Settings, under SAML capabilities, set the Name ID format to persistent and make sure that Force POST binding is checked.

    Damien_Villaret_2-1710077625637.png

     

  7. In Settings locate Signature and encryption and make sure that either Sign Assertions or Sign Documents is enabled (Having both enabled is also fine).

    Damien_Villaret_4-1671765741225.jpeg

  8. Switch to the Keys tab and disable Client Signature Required

    Damien_Villaret_5-1671767133315.png

  9. The last step is to add the needed attributes (username, email, display name) that we will use in Qlik Cloud. Before that, please make sure to set the role_list to "optional" so that Keycloak doesn't send the role list attribute several times which Qlik Cloud won't be able to understand.

    Then, under "Client Scopes", click on the name of client scope that has the description "Dedicated scope and mappers for this client", in the below screenshot the name is https://kxvfihtburc1m5j.ap.qlikcloud.com-dedicated.

    Damien_V_0-1719822252671.png

     

     

  10. Choose Configure new mapper and choose User Attribute then click Add. For simplicity, we will use firstname as the display name for this example in order to not have to create a custom attribute.

    Damien_Villaret_0-1710166026116.png

     

  11. Repeat the same for email and username by choosing Add mapper > By configuration > User Attribute

    Damien_Villaret_2-1710166334889.pngDamien_Villaret_3-1710166400105.pngDamien_Villaret_4-1710166452628.png

  12. If you also want to fetch groups for the user, choose Add Mapper > By Configuration > Group List and configure the mapper as below.

    Damien_Villaret_5-1710166705913.png

 

Qlik Cloud Settings

  1. In Qlik Cloud, go to Identity Provider and create a new interactive Identity provider configuration
  2. Select SAML as the type and generic for the Provider
  3. Check Use IdP metadata and upload or paste the content of the IdP metadata file downloaded from Keycloak in the first step of the Keycloak configuration section.
  4. If needed, check Enable IdP-initiated login
  5. Under Claim mapping, fill in the SAML claims name created previously. In this case username for sub, displayname for name and email for email.
    Damien_Villaret_3-1710079065744.png

     

  6. You can now click on Create but do not Validate yet.
  7. Once created, Edit the Identity Provider again and make sure to set the Name ID format to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

    Damien_Villaret_4-1710079565697.png

  8. Once done, save and validate the configuration and make sure everything is working fine.
Comments
GianlucaFerri
Partner - Contributor III
Partner - Contributor III

Hi, I followed this method but when I validate, I'm correctly redirected to keycloak but I get this error:

 

{
  "status": "callbackError",
  "protocol": "SAML",
  "error": "SAML Response validation failed, unable to query 'Attributes'",
  "traceId": "e5df8289a6302b5cfd7a6f365fa83eef"
}

(picture below)

Any advice for the resolution? We also tried connecting with OIDC but got a similar error.

 

Thank you very much,

Gianluca

GianlucaFerri_0-1718197502245.png

 

Damien_V
Support
Support

Hi @GianlucaFerri 

Since we got a few reports of that error recently, we would like to investigate if that is due to a defect or a configuration problem.

Could you please open a support case and provide us with all information listed in the below article so that we can investigate?

https://community.qlik.com/t5/Official-Support-Articles/Qlik-Cloud-Information-needed-to-troubleshoo...

GianlucaFerri
Partner - Contributor III
Partner - Contributor III

Hi damien,

I indeed did it, it seems deleting role_list scope in client_scopes made it work.

Now I don't get groups mapped from keycloak to qlik and I'd like to map to the full name instead of firstName, I asked this into the issue also, but maybe these are more related to this page.

 

Thank you!

Gianluca

Damien_V
Support
Support

Hi @GianlucaFerri 

For groups it's straightforward, in Keycloak scopes, choose "Add mapper" "By configuration" "Group list", choose "Single group attribute" and input a name for the attribute.

In the Qlik Console Identity Providers configuration, make sure that you have the same attribute name in the "groups" fields.
Also in the Qlik Console settings section, make sure that "Creation of groups" is enabled.

 

For the full name it's a bit more complicated in recent versions of Keycloak since it seems they removed the Javascript mapper. The easiest would be to sync the full name from a directory service.

https://stackoverflow.com/questions/51060080/how-add-dynamic-user-attribute-value-in-keycloak-with-s...

 

Version history
Last update:
‎2024-07-01 04:26 AM
Updated by: