If using ADFS as an IDP (Identity Provider) in order to conform to Qlik's security requirements, ADFS must be configured to use refresh tokens and not access tokens. If refresh tokens are not configured this configuration will not be supported.
To confirm if ADFS is configured correctly to allow refresh tokens, perform the steps set out below.
- In a browser, make the following request:
https://TENANT_URL_VALUE/oauth/authorize?client_id=CLIENT_ID_VALUE&redirect_uri=https://REDIRECT_URL...
This will generate a code in the response URL. The code needs to be copied and used in step 2.
- Using Postman (or a similar tool):
Run this POST request inserting the required values in the body of the request:
Request: https://TENANT_URL_VALUE/oauth/token
The request body needs to be modified as follows:
Insert your CODE_VALUE from step 1,
Insert your applications CLIENT_ID_VALUE, CLIENT_SECRET_VALUE, REDIRECT_URL_VALUE.
Request Body:
{
"code": CODE_VALUE,
"code_verifier": "1234-5678-90-ABC_DEF_GJI~jkl.mno.pqrs~tuvwxyz",
"grant_type": "authorization_code",
"client_id": CLIENT_ID_VALUE,
"client_secret": CLIENT_SECRET_VALUE,
"redirect_uri": REDIRECT_URL_VALUE
}
Steps 1 and 2 need to be completed within a few seconds of each other. As the generated code from Step 1 expires after only some seconds.
If the Request made in Step 2 is successful. ADFS is configured correctly and is using Refresh Tokens.
If the request fails you will need to change your ADFS configuration.
Environment
Qlik Cloud
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
Related Content
Using Active Directory Federation Services (ADFS) as an IDP for Qlik Cloud.
ADFS single sign-on settings
