Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Hello everyone,
We're in the midst of transitioning from a ticket-based solution to an Identity Provider (IDP)-based solution in our Qlik Sense environment, leveraging Keycloak for authentication. As of now, our process involves users being redirected to and authenticated by the IDP.
Post successful authentication, they are redirected back to Qlik Sense, leading to the creation of a new user profile in the Qlik Management Console (QMC) under the 'users' section.
Our current challenge is identifying a method to transfer or synchronize user-specific data, such as apps and bookmarks, from the original user directory to these newly created ones. Note:
I've included a screenshot below to give a clearer picture of our current setup.
Do you have any suggestions or best practices on how to achieve this? Your guidance would be greatly appreciated.
Thank you in advance.
Accepted Solutions
Broadly you need to make sure the user is identified the same. You mention Keycloak and not the method (SAML, JWT, OIDC, etc), but in any case the IDP (Keycloak) will need to send at least a User ID claim to match the Ticketing User ID pattern.
- SAML --> SAML Attribute for user ID
- OIDC --> sub
That ought not be too hard. For the User Directory element, this can be handled on the Virtual Proxy config:
- SAML --> SAML Attribute for user directory
- OIDC --> realm
These two can be hard coded. For example in this config, we are parsing the samAccountName claim from a SAML Identity Provider to identify the user's ID but are hard-coding the domain to be QLIK-POC:
Broadly you need to make sure the user is identified the same. You mention Keycloak and not the method (SAML, JWT, OIDC, etc), but in any case the IDP (Keycloak) will need to send at least a User ID claim to match the Ticketing User ID pattern.
- SAML --> SAML Attribute for user ID
- OIDC --> sub
That ought not be too hard. For the User Directory element, this can be handled on the Virtual Proxy config:
- SAML --> SAML Attribute for user directory
- OIDC --> realm
These two can be hard coded. For example in this config, we are parsing the samAccountName claim from a SAML Identity Provider to identify the user's ID but are hard-coding the domain to be QLIK-POC:
Hello Levi,
I appreciate your response!
Just to clarify, we are implementing OIDC and using Keycloak as our IDP, I apologize for not specifying this earlier.
In accordance with your advice, I've modified the realm (user directory) to match that of our pre-existing users. However, this has led to the new user (who logged in via SSO) becoming inactive. Interestingly, this issue doesn't occur when I use a different realm.
Could utilizing a script to match users in the Qlik Sense Repository Service Database (QRS) be a viable option?
I am open to hearing from anyone who might have a different perspective or alternative implementation ideas. Please feel free to contribute.
Hi there, i have a similar Problem migrating from Windows Authentication to Auth0 on Qliksense Server.
The existing Username and UserID Structure is [Test].[User] .
I was able to create a Database in auth0 for the existing Users and to Place the Username / Username into the Auth0 username field.
I was able to configure a virtual Proxy for Auth0 which references to the existing user Directory.
Now i am a little bit lost how to reference in the virtual proxy to the Auth0 username for Name and User ID in Qlik. In the standard Auth0 transfers the Mailadress of the user for the name and the Auth0 User ID ( auth0|[ID] ) for the qlik user ID.
Naturally Qlik creates a new user when i login via the Auth0 login in the existing user directory. How do i reference to the existing users in the directory?
These are my current settings:
Thanks in Advance for the help!
Thnak you very much! This got me in the right direction.
This is the Virtual Proxy configuration which works for me:
"nickname" transfers the Auth0 Username to Qlik.
