Qlik Cloud is designed to support a single interactive Identity Provider (IdP) per tenant.
This approach enhances security, governance, and operational control while simplifying authentication management. Organizations that require multiple identity sources can achieve this by using a federated IdP (such as Azure Entra, Auth0, Keycloak, or Okta) to consolidate authentication and seamlessly connect it to Qlik Cloud, as described by @Leigh_Kennedy in Using Multiple concurrent Identity Providers with Qlik Cloud.
Qlik Cloud allows organizations to configure an interactive IdP to manage user authentication. Options include:
Any unauthenticated user attempting to access the tenant is redirected to the configured interactive IdP for authentication, ensuring a streamlined and secure login experience.
Using a single interactive IdP is a best practice for identity management and ensures consistency, security, and simplified administration.
Key reasons include:
User Identity Consistency: Qlik Cloud relies on a user's subject and email as unique identifiers. Managing a single interactive IdP helps prevent duplicate identities and ensures seamless user access, reducing the risk of users gaining unauthorized access to sensitive data or permissions.
Streamlined Identity & Access Management: Since Qlik Cloud does not transform incoming claims beyond remapping keys, keeping authentication centralized prevents unintended variances in usernames, email formats, or group names. This improves security and reduces maintenance of licenses and entitlements.
Optimized Group Management: A single interactive IdP provides a consistent structure for groups, ensuring they align with an organization’s access policies. By managing group filtering in one place, organizations can maintain clear and structured permissions. Managing groups across multiple IdPs can quickly become unmanageable, leading to inconsistencies in user access.
Simplified Access Control: Groups in Qlik Cloud are referenced by name, making it more efficient to manage access through a single federated IdP rather than multiple sources.
Efficient Token Management: A unified IdP helps maintain consistency in authentication tokens, reducing administrative overhead and ensuring a smooth user experience.
Enhanced Security & Auditability: By centralizing authentication through a single IdP, organizations can apply security controls, enforce device policies, and monitor user access through audit logs.
A federated IdP ensures that organizations retain full control over authentication policies, while providing a seamless experience for users accessing Qlik Cloud.
Many organizations choose to use a federated identity provider to streamline identity management, enhance security, and improve user experience across multiple applications. Benefits include:
Centralized User Lifecycle Management: Users from different sources can be managed in a single system, reducing duplication and inconsistencies.
Improved Security Policies: Organizations can enforce multi-factor authentication (MFA), conditional access policies, and device trust settings at the IdP level.
Single Sign-On (SSO) Across Applications: Users authenticate once and gain seamless access to multiple platforms, including Qlik Cloud.
Comprehensive Logging & Compliance: A federated IdP provides consolidated audit trails and governance controls for user authentication.
By implementing a federated identity provider, organizations can maintain flexibility in their authentication strategy while ensuring compatibility with Qlik Cloud.
The recommended approach for organizations that need to authenticate users across multiple identity sources is to configure a federated IdP that consolidates authentication. Solutions like Azure Entra ID or Okta can be used to unify identity management and connect to Qlik Cloud via OIDC or SAML.
Set Up a Federated IdP (Azure Entra ID, Okta, or another identity management solution).
Sync Identity Sources within the federated IdP to ensure unique identities across different user groups.
Configure OIDC/SAML Authentication in Qlik Cloud with the federated IdP.
This approach ensures a secure, efficient, and scalable authentication strategy that aligns with best practices for enterprise identity management.
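A pre-connection check for step 2, added here as an example and not taken from Qlik or any IdP vendor: it audits the claims a federated IdP would emit for users from several sources and flags non-unique subjects, emails and group-name variants, since Qlik Cloud does not transform incoming claims. The record layout, field names and sample users are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: claims the federated IdP would emit for users drawn
# from two upstream directories (source names and fields are assumptions).
USERS = [
    {"source": "corp-ad", "sub": "u-1001", "email": "ana@example.com", "groups": ["Finance"]},
    {"source": "partner-ldap", "sub": "p-77", "email": "Ana@Example.com", "groups": ["finance "]},
    {"source": "corp-ad", "sub": "u-1002", "email": "raj@example.com", "groups": ["Sales"]},
    {"source": "partner-ldap", "sub": "u-1002", "email": "raj.k@example.net", "groups": ["Sales"]},
    {"source": "corp-ad", "sub": "u-1003", "email": "li@example.com", "groups": ["Sales"]},
]


def _norm(value):
    # Normalise only for comparison; raw values are what gets reported.
    return value.strip().lower()


def audit_claims(users):
    """Return (kind, key, values) findings for claims that are not unique."""
    subs_by_email = defaultdict(set)    # one person, several subjects
    emails_by_sub = defaultdict(set)    # one subject reused across sources
    names_by_group = defaultdict(set)   # same group spelled differently
    for user in users:
        subs_by_email[_norm(user["email"])].add(user["sub"])
        emails_by_sub[user["sub"]].add(_norm(user["email"]))
        for group in user["groups"]:
            names_by_group[_norm(group)].add(group)

    findings = []
    for kind, index in (
        ("duplicate_identity", subs_by_email),
        ("subject_collision", emails_by_sub),
        ("group_name_variants", names_by_group),
    ):
        for key in sorted(index):
            if len(index[key]) > 1:
                findings.append((kind, key, sorted(index[key])))
    return findings


if __name__ == "__main__":
    for kind, key, values in audit_claims(USERS):
        print(f"{kind}: {key!r} -> {values}")
```

Each finding should be resolved inside the federated IdP before the tenant's OIDC/SAML configuration is pointed at it, so that one person maps to exactly one subject and email.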
Qlik Cloud is designed to integrate seamlessly with a single interactive IdP, providing a robust and secure authentication framework. Organizations that need to consolidate multiple identity sources can achieve this through a federated IdP, ensuring centralized management, improved security, and a streamlined user experience. By leveraging enterprise-grade IdPs like Azure Entra ID or Okta, organizations can enhance their identity management strategy while maintaining full control over authentication policies and governance.
Environment