My client wishes to change their current IdP Authentication in Qlik Sense SaaS. Currently they log in using their Network login but this is going to be changed to use an email address.
Email Address is an existing Claim attribute so I am trying to understand what the process will be to change the IdP Authentication and whether existing users will somehow get automatically mapped when the new IdP is configured. Having a single tenancy means we do not have a Qlik Sense SaaS Environment to try out the change so that we can fully identify the potential impacts.
I understand it will be a 2 step process:
Step 1. Revert to Qlik Account Authentication and ensure we have the recovery account to be able to re-login.
Step 2. Configure the new IdP Authentication
So after configuring and establishing the new IdP Authentication we need to understand the impact to understand if we will need to re-establish all Spaces permissions to the new users or whether the new users will inherit the existing permissions by automated mapping via email?
Has anyone done something similar?
Let's start out with how a user is identified in Qlik Cloud. Let's take this user's record:
In tabular format, the user is:
User ID (created by Qlik) | User Subject (from your IDP) | User Email (from your IDP) | User Name (from your IDP) |
65e093f29fac8999db04512e | 856bcab5-64db-4aa1-bce8-d90e98d322c2 | levi.turner@demo.dev | Levi Turner |
User records in Qlik Cloud have dual primary keys: subject and email. This means, if your IDP changes the user's subject or the user's email, the user's Qlik Cloud identity will remain the same. If you change both the user's subject and email, Qlik Cloud will treat this as a new user. In my example user, I can change the email like so:
User ID (created by Qlik) | User Subject (from your IDP) | User Email (from your IDP) | User Name (from your IDP) |
65e093f29fac8999db04512e | 856bcab5-64db-4aa1-bce8-d90e98d322c2 | levi.turner2@demo.dev | Levi Turner |
Or I can change the subject like so:
User ID (created by Qlik) | User Subject (from your IDP) | User Email (from your IDP) | User Name (from your IDP) |
65e093f29fac8999db04512e | BrandNewSubject | levi.turner2@demo.dev | Levi Turner |
If I change both, then I will have a new user:
User ID (created by Qlik) | User Subject (from your IDP) | User Email (from your IDP) | User Name (from your IDP) |
65e093f29fac8999db04512e | BrandNewSubject | levi.turner2@demo.dev | Levi Turner |
65e0984ad099feece9adaead | 856bcab5-64db-4aa1-bce8-d90e98d322c1 | levi.turner@demo.dev | Levi Turner |
So back to your questions:
> So after configuring and establishing the new IdP Authentication we need to understand the impact to understand if we will need to re-establish all Spaces permissions to the new users or whether the new users will inherit the existing permissions by automated mapping via email?
After configuring and establishing the new IDP, you should ensure either the user's subject or email is the same. This will ensure that the user is considered the same to Qlik Cloud. From there,
But access by name isn't the only way to provide access, groups can be used.
In this space:
If I continue to send the group "Domain Admins", then an IDP change on Qlik Cloud will not be problematic. If the new IDP doesn't send "Domain Admins", then I would need to either grant access to the space via the new group or by user name.
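A pre-migration check built on the matching rule described in the answer above (an added example, not part of the original posts and not Qlik code): it compares an export of current users with the subject/email pairs the new IdP is expected to send, and reports who keeps their identity, who would become a new user, and which space groups the new IdP no longer sends. All data and function names are constructed; exact string comparison and the "conflict" category are assumptions, since the thread does not say how Qlik Cloud treats a claim pair whose subject and email match two different records.

```python
# Constructed sample data; none of it comes from a real tenant.
CURRENT_USERS = [  # (Qlik user ID, subject, email) as stored today
    ("u1", "CORP\\alice", "alice@example.com"),
    ("u2", "CORP\\bob", "bob@example.com"),
    ("u3", "CORP\\carol", "carol@example.com"),
]
NEW_CLAIMS = [  # (subject, email) the new IdP is expected to send
    ("alice@example.com", "alice@example.com"),  # subject changes, email kept
    ("bob@example.org", "bob@example.org"),      # both keys change
    ("CORP\\carol", "alice@example.com"),        # keys point at two records
]
SPACE_GROUPS = {"Finance": {"Domain Admins", "Finance Readers"}}
NEW_IDP_GROUPS = {"Domain Admins"}


def classify(claims, users):
    """Map each (subject, email) claim pair to the record it would match.

    Assumption: keys are compared as exact strings.
    """
    by_subject = {s: uid for uid, s, _ in users}
    by_email = {e: uid for uid, _, e in users}
    result = {}
    for subject, email in claims:
        hits = {by_subject.get(subject), by_email.get(email)} - {None}
        if not hits:
            # Neither key matches: existing per-user permissions do not carry over.
            result[(subject, email)] = ("new_user", None)
        elif len(hits) == 1:
            result[(subject, email)] = ("same_user", hits.pop())
        else:
            # Subject and email resolve to different records: review by hand.
            result[(subject, email)] = ("conflict", tuple(sorted(hits)))
    return result


def missing_groups(space_groups, idp_groups):
    """Groups holding space access that the new IdP will no longer send."""
    return {space: sorted(groups - idp_groups)
            for space, groups in space_groups.items() if groups - idp_groups}


if __name__ == "__main__":
    for claim, outcome in classify(NEW_CLAIMS, CURRENT_USERS).items():
        print(claim, "->", outcome)
    print(missing_groups(SPACE_GROUPS, NEW_IDP_GROUPS))
```

Any claim pair reported as `new_user` or `conflict` should be resolved before the IdP switch, since those are the accounts whose per-user space permissions would not follow them.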
Thanks Levi for the detailed breakdown and explanation. This has been really useful. Thanks, Rob