I've been back at Qlik for almost six months now and I can't believe this is my first security related post since my return. I'm over the moon to be a product manager now, and grateful one of my main responsibilities is charting the course for identity management in the Qlik platform.
For those of you who know me, I enjoy discussing security topics in the Qlik ecosystem. In addition, I've spent a good amount of time creating enablement - videos, blogs, and how-to articles - for customers to help them to integrate their identity management systems to the Qlik platform. With the introduction of Qlik Sense Enterprise SaaS and Qlik Cloud Services, it's time to spin up the flywheel of enablement again to demonstrate what's possible, and communicate to you all the tips and tricks needed that make configuring an identity provider easy to do.
Recently, I've been asked a lot about Azure Active Directory. Questions like:
These are all fair and great questions to ask. Let me take another moment of your time to answer them.
Is Azure AD a supported identity provider on Qlik Sense Enterprise SaaS?
The help documentation for cloud editions of Qlik Sense states in the IdP Requirements:
"Both Qlik Cloud Services and Qlik Sense Enterprise on Kubernetes integrate with an IdP using the OpenID Connect (OIDC) standard. This is a standard that allows both interactive login, where a user logs in via a browser, and automated login, using APIs via a software product."
The Good News: Azure AD supports OIDC, therefore, you should be able to use it on Qlik Sense Enterprise SaaS without issue. Check out: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP where I go through a step-by-step setup.
The Bad News: OIDC is not a standard. It's a specification. The distinction is important because a standard: "It must be done this way" is different than a specification: "Meh, it's more of a guideline." Being a specification means Microsoft can implement OIDC in a way they see fit. As a result, it can cause problems for platforms (like Qlik) for whom customers wish to integrate.
Mind you, this isn't an issue only for Azure AD. Almost every vendor supplying an OpenID Connect capability has done something proprietary with their implementation of the specification.
Do groups from Azure AD work properly?
The Good News: Groups do get added to the ID token upon a successful authentication with Azure AD. Here's the catch:
The Bad News: It's not possible to resolve the native group guids to friendly group names and add them to the ID token. That is, that I know of. To resolve the guids to names, Microsoft provides the Graph API which one calls using a REST connection with the ID token received post authentication. Unfortunately, there is no way for the identity provider configuration on Qlik Sense Enterprise SaaS to call this API, and it's not possible to call the API in the middle of the authentication handshake. Again...that I know of.
So it's not great news for native Azure AD users regarding groups, however, we are researching alternatives to help customers overcome this challenge with the Qlik platform. If you have a suggestion, add it to the Idea forum.
What is the correct identity provider to choose from the list?
All Good News!
If you have tried to configure Azure AD with Qlik Sense Enterprise SaaS in the past and thought to yourself "which one do I pick?" I'm sorry you have had to go through that pain. The answer, as of today, is pick the ADFS option from the drop-down. It offers the best match to the OIDC settings for Azure AD. You can learn more about how to configure Azure AD with Qlik Sense Enterprise SaaS by clicking here. Do not pick the general option from the drop-down when setting up Azure AD. It adheres to the OIDC specification.
That's it for now. If you have questions about authentication and access control with Qlik products, give me a shout here in community or use the Idea forum.