Skip to main content

Search the Community

Announcements
QlikWorld 2023, a live, in-person thrill ride. Save $300 before February 6: REGISTER NOW!
cancel
Showing results for 
Search instead for 
Did you mean: 
MadalinaT
Contributor
Contributor

Qlik Sense SaaS : Why the member from the Azure groups do not have proper access in the Qlik Space

Hello,

In Qlik SaaS, we have the option to add users to shared spaces and or to add groups. I have Azure AD and JWT enabled on my SaaS tenant and both of them are running in parallel, where Azure is acting as an OIDC IdP. I have created a group in Azure and added it in Qlik in a shared space as a member. 

But I encountered some delays and some issues.  If I create a new group in Azure, then I log in - logout into Qlik, I can see the new group in Qlik. But if I add that group as a member to that space, some users still do not have permission to access the apps in the Space for a while (although the user is in that custom group in Azure). Same issue if I add new users to the group…Qlik does not recognize them in Qlik for some time (even after I tried the login cycle many times). 

Can you please help figure out what is the issue in this case? Because I would like it to work properly, and after a user is added to the group, to be able to access the application within that space. 

 

Labels (5)
1 Solution

Accepted Solutions
Vinay_B
Support
Support

Hi @MadalinaT 

Generally, this issue occurs when you cross the Azure limitation that Azure Active Directory will add to a token. It is 150 groups for a SAML token, and 200 for a JWT. 

When calling the endpoint https://<your tenant URL>/api/v1/diagnose-claims, you are seeing that all the AD groups are being returned as "extra claims" and than you may not be able to pull users with more than 150 & 200 groups assigned as they will hit the Azure AD limit.

I hope this helps!

If this resolves your query, please click on "Accept as Solution" for confirmation. Thanks!

View solution in original post

2 Replies
Vinay_B
Support
Support

Hi @MadalinaT 

Generally, this issue occurs when you cross the Azure limitation that Azure Active Directory will add to a token. It is 150 groups for a SAML token, and 200 for a JWT. 

When calling the endpoint https://<your tenant URL>/api/v1/diagnose-claims, you are seeing that all the AD groups are being returned as "extra claims" and than you may not be able to pull users with more than 150 & 200 groups assigned as they will hit the Azure AD limit.

I hope this helps!

If this resolves your query, please click on "Accept as Solution" for confirmation. Thanks!
NadiaB
Support
Support

Hi @MadalinaT 

The documentation can be found here:

Qlik Sense SaaS - Azure AD groups limitation per user

https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-SaaS-Azure-AD-groups-limitation-p...

 

Kind Regards. 

Don't forget to mark as "Solution Accepted" the comment that resolves the question/issue. #ngm
Community Browser