Skip to main content
Announcements
Qlik Introduces a New Era of Visualization! READ ALL ABOUT IT

Qlik Sense and Azure AD: what is supported vs what is not when using Azure Active Directory

100% helpful (2/2)
cancel
Showing results for 
Search instead for 
Did you mean: 
Damien_Villaret
Support
Support

Qlik Sense and Azure AD: what is supported vs what is not when using Azure Active Directory

Last Update:

Mar 8, 2024 9:46:25 AM

Updated By:

Joseph_Musekura

Created date:

Mar 29, 2017 4:37:06 AM

This article explains what is supported and what is not when using Azure Active Directory.

The content is split into:

     

    Authentication with Azure AD as an Idp for Qlik Cloud

    How to: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP

     

    Authentication with Azure

    In any Qlik Sense Enterprise for Windows version 2.0 and higher, Azure Active Directory is tested and confirmed as supported as a SAML Identity Provider with Qlik Sense.

    Regarding the implementation of SAML Authentication with Azure, please see instructions at the following link: Tutorial: Azure AD SSO integration with Qlik Sense Enterprise Client-Managed | Microsoft Learn 
     

    User Directory Connector with Azure AD

    Unlike a regular Active Directory, Azure AD does not support the LDAP protocol and therefore cannot be used in Qlik Sense at the moment.


    A User Directory Connector is solely used to synchronise groups and user attributes from the directory so that you can build your security rules based on those and do not impact authentication.

    For groups, as a workaround, you can use group attributes sent in the SAML request by Azure and build your security rules based on those.

    You just need to be aware that those attributes will not show up in the user information in the QMC as they are session-based.

    The group attribute received from a SAML provider is stored in the user.environment.group variable instead of the user.group variable.

    If you are uncertain of what group attributes were received, you can enable Debug log on the Qlik Proxy service to check those. See instructions in:
    How to see SAML attributes received by Qlik Sense (user.environment)
     

    User Directory Connector with Azure AD DS

    Azure AD DS and Azure AD are 2 different offers and have different features. Please see the below link about the differences: Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Act...

    As said above, Azure AD does not support LDAP, but Azure AD DS does.

    Below are a few helpful links when setting up Azure AD DS in Qlik Sense:

    Tutorial: Configure secure LDAP for an Azure Active Directory Domain Services managed domain | Micro...
    Qlik Sense: Does User Directory Connector supports LDAPS?

    Once the User Directory Connector is setup correctly in Qlik Sense, use the user.group variable in your security rules to assign the access rights.

     

     

    Environments:

    Qlik Sense Enterprise on Windows 
    Qlik Cloud 

    Labels (1)
    Comments
    kanhomcake
    Contributor III
    Contributor III

    Dear Experts, 

    Is there any update (good news) on the User Directory Connector with Azure AD topic please?

    Thank you 🙂
    KC

    Sonja_Bauernfeind
    Digital Support
    Digital Support

    Hello @kanhomcake 

    The short answer: As Azure AD still does not support LDAP it cannot be used as a Directory Service Connector.

    And a little more detail in case context is needed:

    The User Directory Connector is used to sync attributes ahead of time and assign permissions and licenses before a user logs on to Qlik Sense for the first time. As Azure AD does not support LDAP, this is currently not possible.

    When authentication through Azure AD (SAML or OIDC), when the user logs in, the user is created in Qlik Sense and you can also sync their groups through SAML/OIDC attributes, but you wont see them in Qlik Sense until they actually log in. You can still write security rules and license assignment rules based on their groups though if you know the name of the groups, you wont get the group name in the autocomplete when you write the rule.

    All the best,
    Sonja 

    Version history
    Last update:
    ‎2024-03-08 09:46 AM
    Updated by: