
Qlik Sense Enterprise on Windows: Groups not retrieved from Okta when using OIDC authentication

Damien_Villaret
Support

Last Update: Jan 16, 2023 2:41:46 AM

Updated By: Sonja_Bauernfeind

Created date: Nov 15, 2021 5:07:20 PM

Groups are not retrieved from Okta when using OIDC authentication in Qlik Sense Enterprise on Windows (client-managed), but they are retrieved in Qlik Cloud.

 

Environment:

Qlik Sense Enterprise on Windows 

 

Resolution

Qlik Sense for Windows reads the groups from the id_token, while Qlik Sense Cloud reads the groups from the userinfo endpoint.

By default, Okta does not include the groups in the id_token. Please follow the below steps for groups to be included in the id_token so that Qlik Sense for Windows can retrieve them.

 Steps:

  1. In the Okta Admin Console, go to Security > API.
  2. On the Authorization Servers tab, select Add Authorization Server and enter the Name, Audience, and Description for the Authorization Server.
  3. After creating the authorization server, go to the “Claims” tab.
  4. Click “Add Claim”.
  5. Enter the “Name” of the claim as “groups”.
  6. For the “Include in token type” dropdown, select “ID Token” and “Always”.
  7. Set “Value type” to “Groups”.
  8. Set “Filter” to “Matches regex” and enter .*
  9. Click the “Create” button.
  10. Now, go to the “Scopes” tab.
  11. Click “Add Scope”.
  12. Enter the “Name” of the scope as “groups”.
  13. Enable “Include in public metadata”.
  14. Click the “Create” button.
  15. Finally, go to the “Access Policies” tab.
  16. Click the “Add New Access Policy” button. Enter a ‘Name’ and ‘Description’ for the new policy and keep ‘Assign to’ set to the ‘All clients’ option. Click the “Create Policy” button.
  17. After the new policy is created, add a new rule for the policy by clicking the “Add Rule” button. Enter a ‘Rule Name’. Keep the default values for all other fields, then click the “Create Rule” button.
  18. Go to the "Settings" tab and copy the metadata URI.
  19. Enter this URI in the virtual proxy settings.

Note: The metadata URI displayed in the Settings tab of the authorization server is for the access token. You can use the URI for the id_token to make this work. You will find more information in the image below and at the following link: https://developer.okta.com/docs/guides/customize-tokens-groups-claim/request-token-claim/

 

Damien_Villaret_1-1637013885919.png
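To confirm the steps above took effect, decode the payload of an id_token captured from a test login and check for the groups claim, since that is the only place Qlik Sense for Windows looks. The following is an added example, not code from the original article, Qlik or Okta; the function names are hypothetical and the sample tokens are constructed.

```python
import base64
import json


def decode_id_token_claims(id_token):
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Diagnostic use only: never base an authorization decision on claims
    decoded this way.
    """
    parts = id_token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def groups_in_id_token(id_token, claim="groups"):
    """Return the groups listed in the id_token, or None if the claim is absent."""
    claims = decode_id_token_claims(id_token)
    if claim not in claims:
        return None
    value = claims[claim]
    # Assumption: tolerate a single string as well as a list of group names.
    return value if isinstance(value, list) else [value]


def constructed_token(claims):
    """Build an unsigned sample token (constructed, not a real Okta token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


# Constructed samples: default id_token vs. one issued after adding the claim.
BEFORE = constructed_token({"sub": "00u-example", "email": "user@example.com"})
AFTER = constructed_token({"sub": "00u-example", "email": "user@example.com",
                           "groups": ["Everyone", "QlikAdmins"]})

if __name__ == "__main__":
    for label, token in (("default", BEFORE), ("with groups claim", AFTER)):
        groups = groups_in_id_token(token)
        print(label, "->", "no groups claim in id_token" if groups is None else groups)
```

A result of None for a real token means the groups are still only available from the userinfo endpoint, which Qlik Sense for Windows does not read.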

Comments
Gysbert_Wassenaar

Is this still the case? Qlik Sense on Windows does NOT support the oidc userinfo endpoint?

Damien_Villaret
Support

Hello @Gysbert_Wassenaar 

Yes, this is correct, Qlik Sense on Windows only reads the groups from the ID token, never from the userinfo endpoint.

Gysbert_Wassenaar

Thanks for the answer @Damien_Villaret. Do you know if this will be supported in the near future?

Sonja_Bauernfeind
Digital Support

Hello @Gysbert_Wassenaar 

This is not currently on the roadmap. If you would like to raise your interest in this feature, please head over to our Ideas section!

All the best,
Sonja 

mehmet_gencsoy
Luminary Alumni

@Damien_Villaret @Sonja_Bauernfeind 

Is this still the case? Qlik Sense on Windows does NOT support the oidc userinfo endpoint? Or did we get any updates??

We are using Ping Federate and there is no way to add userinfo endpoint information to the ID token.

Sonja_Bauernfeind
Digital Support

Hello @mehmet_gencsoy 

We only support ID tokens on Qlik Sense Enterprise on Windows and do not currently have support for the oidc userinfo endpoint on our roadmap. I checked our active ideas and couldn't find one there either.

What I would recommend is to log an idea (right here), as this is our most reliable way to voice ideas and feedback suggestions. Our product teams review them regularly. 

Feel free to tag me so I can give it a vote (and tie it back to this article).

All the best,
Sonja 
