Do not input private or sensitive data. View Qlik Privacy & Cookie Policy.
Skip to main content

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Open Lakehouse is Now Generally Available! Discover the key highlights and partner resources here.

Using Multiple concurrent Identity Providers with Qlik Cloud

No ratings
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Leigh_Kennedy
Employee
Employee

Using Multiple concurrent Identity Providers with Qlik Cloud

Last Update:

May 22, 2025 6:45:09 PM

Updated By:

Leigh_Kennedy

Created date:

May 20, 2025 8:34:23 AM

Content

 

Introduction

Qlik Cloud is designed to support a single interactive Identity Provider (IdP) per tenant.

As my friend @DaveChannon explains in Why Qlik doesn't support multiple interactive identity providers on a Qlik Cloud tenant, only one interactive identity provider can be enabled at any one time for Qlik Cloud (Which includes Qlik Cloud Analytics and Qlik Talend Cloud Data Integration).  Without restating the points Dave made, the short answer is we do not plan to change this as we don't consider this good practice.

So, if your organisation needs to support multiple IDPs, what can you do?  There are many use-cases that require this, such as:

  • Providing access to external parties without adding them to your Organisation's IDP.
  • OEM use-cases with customers who have their own IDPs
  • Company mergers (This is one we've used ourselves a few times)

These are just a few examples but this is a very common use case for most large organisations.  So what do you have to do?  Well, you could solve this with multiple tenants, but that's often a high-maintenance solution and isn't ideal.  That's why, as Dave mentioned, we recommend that customers use Identity federation to address this. 

Identity Federation

Identity federation is a mechanism that links a user's identity across multiple identity management systems, allowing them to access different applications and resources without needing separate logins or credentials.  Almost all major providers support this.  For example, these IDPs all support federation:

  • Microsoft Entra ID
  • Google Workspace
  • Okta
  • Auth0
  • Ping Identity
  • OneLogin
  • Amazon Cognito
  • IBM Cloud Identity
  • Cisco Duo
  • Microsoft ADFS (Active Directory Federation Services)
  • KeyCloak

Case Study - KeyCloak Federating with Auth0

So, how complex is this and how does it look to my users and Qlik Cloud tenant?
 
I set up a simple example of this using KeyCloak and Auth0. The way this works is:
  1. The user tries to connect to their Qlik Cloud tenant
  2. Qlik sends the user to KeyCloak for authentication
  3. KeyCloak provides the user the option to either log in directly with KeyCloak or be directed to Auth0 to log in.
  4. After logging in, KeyCloak received user metadata, such as e-mail, groups, etc.
  5. KeyCloak then provides this to Qlik Cloud
  6. The user gains access to Qlik Cloud.
 
Leigh_Kennedy_0-1747717044796.png

 

While this is not a 'how-to' article, at a high level, what I've set up is:

  1. KeyCloak is the IDP for my Qlik Cloud tenant:

    Leigh_Kennedy_1-1747718291654.png

  2. In Keycloak I have my Groups and users set up as group members:

    Leigh_Kennedy_2-1747718515225.png

    Leigh_Kennedy_4-1747718612436.png

    Leigh_Kennedy_3-1747718567534.png


  3. And I have also set up Auth0 as an Identity provider for KeyCloak:

    Leigh_Kennedy_0-1747723232958.png

  4. And hard-coded the 'External' group to any users coming from Auth0:

    Leigh_Kennedy_6-1747718856532.png

 


This may not always be what you want to do.  You may wish to use the groups coming from Auth0 also, and that is possible, but not needed for my use case.

Finally, here are my users set up in Auth0:

 

Leigh_Kennedy_7-1747719045047.png

User Experience and Security

So what happens when I log in?

First, let's look at jane@qmi.com.  Jane is set up in KeyCloak. After opening the URL for our Qlik Cloud tenant, I am redirected to the keycloak login screen:

 

Leigh_Kennedy_8-1747719193185.png

 

I can log in directly here or choose to sign in with Auth0.  Jane logs into KeyCloak directly and is then sent back to the Qlik Tenant:

 

Leigh_Kennedy_9-1747719342741.png

 

To understand what information Qlik Clouid has been provided, we can append "/api/v1/diagnose-claims" to the end of our tenant URL. This will show us the metadata Qlik has received about Jane, such as: 

 

Leigh_Kennedy_10-1747719530667.png

 

We are most concerned about Jane's groups, as that is how we will control access. Jane is in the Finance and Human Resources groups. 

In our tenant, we have the following spaces and access rules:

Space Name Space Type Groups with Access
External Managed External:  Read Only
External_development Shared Finance: full access
Sales: full access
Human Resources: full access
Finance Shared Finance: Read Only
Sales Shared Sales: Read Only
Human Resources Shared Human Resources: Read Only

 

So Jane sees the Finance, Human Resources, and External_development spaces:

 

Leigh_Kennedy_12-1747720650835.png

 

 
What happens when a user logs in through Auth0? This time joe.public@company1.com will log in via Auth0:
 
Leigh_Kennedy_0-1747721429306.png

 

As this user has never logged in before, KeyCloak asks for some details:

 

Leigh_Kennedy_1-1747721463955.png

 

After logging in, we can look at the "/api/v1/diagnose-claims" endpoint to see the user's metadata.  We see the External group, which we hard-coded for Auth0 users in KeyCloak:


Leigh_Kennedy_2-1747721474974.png

 

And when looking at the user's space access, we can only see the External space as expected:

Leigh_Kennedy_3-1747721688707.png

 

Final Thoughts

This is a simple example I put together in a couple of hours. I selected KeyCloak and Auth0 simply because I have some experience with them - most IDPs could do this (and also, I could have chosen to reverse the order and have Auth0 as the primary IDP).

Neither Qlik nor I make any specific recommendations as to what identity providers customers should use.

While we haven't looked at it here, it's also possible to use social services (such as LinkedIn, GitHub, Facebook, etc.) as external Identity providers, which may well be a better solution for some use-cases. And you can support many of these at the same time as your needs require.  

If you require assistance in this, your friendly neighbourhood Qlik Services team can assist, as can our partners.  

844 Views
Was this article helpful? Yes No
Version history
Last update:
‎2025-05-22 06:45 PM
Updated by:
Employee