Qlik Community

Qlik Support Updates Blog


I answer some not so random questions about Azure Active Directory and Qlik Sense Enterprise SaaS identity provider configuration, and offer a new document to walk through the configuration.

TL;DR

  • Great to be back at Qlik!
  • Answer some questions about Azure AD and Qlik Sense Enterprise SaaS
  • Read the tutorial here if you want to configure Azure AD to work with Qlik Sense Enterprise SaaS

Hello everyone!

I've been back at Qlik for almost six months now and I can't believe this is my first security related post since my return. I'm over the moon to be a product manager now, and grateful one of my main responsibilities is charting the course for identity management in the Qlik platform.

For those of you who know me, I enjoy discussing security topics in the Qlik ecosystem. In addition, I've spent a good amount of time creating enablement - videos, blogs, and how-to articles - for customers to help them to integrate their identity management systems to the Qlik platform. With the introduction of Qlik Sense Enterprise SaaS and Qlik Cloud Services, it's time to spin up the flywheel of enablement again to demonstrate what's possible, and communicate to you all the tips and tricks needed that make configuring an identity provider easy to do.

Recently, I've been asked a lot about Azure Active Directory. Questions like:

  • Is Azure AD a supported identity provider on Qlik Sense Enterprise SaaS?
  • Do groups from Azure AD work properly?
  • I don't see Azure AD in the list of identity providers in the configuration. What is the correct identity provider to choose from the list?

These are all fair and great questions to ask. Let me take another moment of your time to answer them.

Is Azure AD a supported identity provider on Qlik Sense Enterprise SaaS?

The help documentation for cloud editions of Qlik Sense states in the IdP Requirements:

"Both Qlik Cloud Services and Qlik Sense Enterprise on Kubernetes integrate with an IdP using the OpenID Connect (OIDC) standard. This is a standard that allows both interactive login, where a user logs in via a browser, and automated login, using APIs via a software product."

The Good News: Azure AD supports OIDC, therefore, you should be able to use it on Qlik Sense Enterprise SaaS without issue. Check out: How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP where I go through a step-by-step setup.

but...

The Bad News: OIDC is not a standard. It's a specification. The distinction is important because a standard says "It must be done this way", whereas a specification says "Meh, it's more of a guideline." Being a specification means Microsoft can implement OIDC in the way it sees fit. As a result, it can cause problems for platforms (like Qlik) that customers wish to integrate with.

Mind you, this isn't an issue only for Azure AD. Almost every vendor supplying an OpenID Connect capability has done something proprietary with their implementation of the specification.

Do groups from Azure AD work properly?

Yes...with conditions:

The Good News: Groups do get added to the ID token upon a successful authentication with Azure AD. Here's the catch:

  • If the Azure AD tenant uses Azure AD Connect, a service that synchronizes an on-premises Windows Active Directory with Azure AD, then it is possible to set up an optional group claim that sends the sAMAccountName (the friendly group name).
  • Native groups in Azure AD, those created in the Azure portal, are sent in the ID token. Unfortunately, the groups are represented as globally unique identifiers (GUIDs) rather than names, so they aren't useful as-is. You get groups, just not in the form one wants to see them.

The Bad News: It's not possible to resolve the native group GUIDs to friendly group names and add them to the ID token. That is, not that I know of. To resolve the GUIDs to names, Microsoft provides the Graph API, which one calls over a REST connection with the ID token received post authentication. Unfortunately, there is no way for the identity provider configuration on Qlik Sense Enterprise SaaS to call this API, and it's not possible to call the API in the middle of the authentication handshake. Again, not that I know of.
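To make the catch above concrete, here is an added example (not code from this post or from Qlik's product) that decodes an ID token, separates GUID-form group values from friendly sAMAccountName values, and shows the lookup step that would have to happen after authentication to turn GUIDs into names. The token, the group values and the directory table are all constructed for the demonstration; the directory dict stands in for what a Microsoft Graph lookup such as POST /directoryObjects/getByIds would return, and the token is unsigned, so no signature check is performed here.

```python
"""Inspect the groups claim of an Azure AD ID token (added example).

The token below is constructed and unsigned; it exists only to show the two
shapes a groups claim can take: GUIDs for native Azure AD groups, and
sAMAccountName strings when Azure AD Connect plus the optional claim are used.
"""
import base64
import json
import re
from typing import Dict, List

# Canonical 8-4-4-4-12 hex GUID, case-insensitive.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample claims: one native group (GUID) and one synced on-prem
# group emitted as its sAMAccountName. Issuer uses a placeholder tenant id.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "sub": "user-placeholder",
    "groups": ["0f9e8d7c-6b5a-4321-9876-abcdef012345", "QlikAnalysts"],
}

# Constructed stand-in for a Graph directory lookup result (GUID -> display name).
SAMPLE_DIRECTORY = {"0f9e8d7c-6b5a-4321-9876-abcdef012345": "Finance Viewers"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_constructed_id_token(claims: dict) -> str:
    """Build an unsigned, JWT-shaped string for demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join(
        [_b64url_encode(json.dumps(header).encode()),
         _b64url_encode(json.dumps(claims).encode()),
         ""]
    )


def id_token_claims(token: str) -> dict:
    """Return the payload claims of an ID token.

    The constructed token carries no signature, so none is checked here. A
    real relying party verifies the signature against the tenant's JWKS and
    checks iss/aud/exp before trusting any claim, including groups.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def split_groups(claims: dict) -> Dict[str, List[str]]:
    """Separate GUID-form group values (native Azure AD) from friendly names
    (sAMAccountName via Azure AD Connect and the optional claim)."""
    out: Dict[str, List[str]] = {"guids": [], "names": []}
    for group in claims.get("groups", []):
        out["guids" if GUID_RE.match(group) else "names"].append(group)
    return out


def resolve_guids(guids: List[str], directory: Dict[str, str]) -> Dict[str, str]:
    """Map GUIDs to display names using a directory lookup result.

    This is the post-authentication step the post describes: it needs a call
    to Microsoft Graph, which the Qlik IdP configuration cannot make during
    the handshake, so the mapping has to happen somewhere else.
    """
    return {g: directory.get(g, "<unresolved>") for g in guids}


if __name__ == "__main__":
    token = make_constructed_id_token(SAMPLE_CLAIMS)
    groups = split_groups(id_token_claims(token))
    print("friendly names already usable:", groups["names"])
    print("GUIDs needing a Graph lookup:", resolve_guids(groups["guids"], SAMPLE_DIRECTORY))
```

Running the block prints the friendly name as-is and shows the GUID mapped through the stand-in directory; any GUID missing from the lookup comes back as `<unresolved>`, which is the state every native group is in when only the ID token is available.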

So it's not great news for native Azure AD users regarding groups, however, we are researching alternatives to help customers overcome this challenge with the Qlik platform. If you have a suggestion, add it to the Idea forum.

What is the correct identity provider to choose from the list?

All Good News!

If you have tried to configure Azure AD with Qlik Sense Enterprise SaaS in the past and thought to yourself "which one do I pick?", I'm sorry you have had to go through that pain. The answer, as of today, is to pick the ADFS option from the drop-down. It offers the best match to the OIDC settings for Azure AD. You can learn more about how to configure Azure AD with Qlik Sense Enterprise SaaS by clicking here. Do not pick the general option from the drop-down when setting up Azure AD: it adheres to the OIDC specification as written, which Azure AD's implementation does not fully follow.

That's it for now. If you have questions about authentication and access control with Qlik products, give me a shout here in community or use the Idea forum.

Cheers,

Jeff G
