Increase safety and decrease admin work for JWT identity providers in Qlik SaaS

fukicubiq
Partner - Contributor II

Currently it is easy to configure JWT as an identity provider in Qlik SaaS but there is a major security flaw: there is no built-in way to restrict the JWT payload so basically whoever has the JWT certificate gets full tenant admin access.

The fix for this would be simple: when configuring the JWT identity provider, just add a text field for specifying the user domain and another for entering a group whitelist, so that only JWT payloads that specify a matching group value are accepted and the user account belongs to the specified group. At its simplest, the whitelist could be just one value and support wildcards, e.g. '*customer_*', but of course it would be better to support multiple-value whitelists.

Why this matters:

  • Safety is a key concern when organizations move to the cloud. Current JWT setup easily leads to a major security risk and just one bad incident with a high profile customer can tarnish the reputation of Qlik SaaS.
  • Embedding and integrating with 3rd party systems is central to "active intelligence", and JWT plays a major role when cooperating with customers and suppliers. Such cooperation will also help promote Qlik to potential new customers.
  • Although it is possible to circumvent this security flaw by setting up a "JWT proxy", i.e. not exposing Qlik SaaS JWT itself so that external parties only see a custom middle-man JWT service that includes group whitelists etc., this requires setting up a new service, which is never a simple task in a corporate environment, and will require additional admin and maintenance for handling additional certificates etc. Ease of setup and management is a key driver for SaaS adoption, so this again would undermine it.

One argument I've heard for not needing restrictions is that if you support JWT then you just need to trust anyway that it is used responsibly, or using a car analogy: if you let someone borrow your car, you just have to trust that they obey traffic laws. I think this argument is flawed: I might be willing to give someone my car keys, but why should I be forced to also give my house keys at the same time? There should be an easy way to unbundle my keys.

And yes, as a Qlik partner, we're facing multiple real customer cases that are hindered by this issue.
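To make the proposed restriction concrete, here is an added example (not code from the original post and not Qlik's own JWT implementation) of the check a "JWT proxy" or the identity-provider configuration would perform before a token is honoured: verify the signature and expiry, require the `email` claim to belong to one configured user domain, and pass through only the `groups` values that match a wildcard whitelist such as `*customer_*`, rejecting the token outright when no group matches. It assumes a claim layout with `email` and a `groups` list, and it signs with HS256 and a constructed secret so that it runs with the standard library alone; a real deployment would verify an RS256 signature against the configured certificate instead.

```python
import base64
import fnmatch
import hashlib
import hmac
import json
import time

# Constructed demo secret. Qlik SaaS JWT identity providers use an RS256
# certificate key pair; HS256 is used here only to stay self-contained.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWT from a claims dict (test helper only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_and_restrict(token: str, secret: bytes, allowed_domain: str,
                        group_whitelist: list, now: float = None):
    """Return (accepted, reason, allowed_groups).

    accepted is True only if the signature and expiry are valid, the email
    domain matches allowed_domain, and at least one group in the token
    matches a whitelist pattern. allowed_groups holds the groups that a
    proxy would forward; everything else (e.g. TenantAdmin) is dropped.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", []
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept 'none' or an unexpected algorithm
        return False, "unexpected alg", []

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature", []

    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now:
        return False, "expired or missing exp", []

    email = claims.get("email", "")
    if "@" not in email or email.rsplit("@", 1)[1].lower() != allowed_domain.lower():
        return False, "email domain not allowed", []

    groups = claims.get("groups")
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        return False, "groups claim must be a list of strings", []

    allowed = [g for g in groups
               if any(fnmatch.fnmatchcase(g, pattern) for pattern in group_whitelist)]
    if not allowed:
        return False, "no whitelisted group", []
    return True, "ok", allowed


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint_token({"sub": "alice", "email": "alice@example.com",
                      "groups": ["customer_analysts", "TenantAdmin"], "exp": now + 3600})
    print(verify_and_restrict(tok, DEMO_SECRET, "example.com", ["*customer_*"], now=now))
```

The whitelist is applied to the token's own `groups` claim, so a token that carries only privileged groups is refused, and a token that carries a mix is forwarded with only the whitelisted groups, which is the "unbundle the keys" behaviour the post asks for.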

2 Comments
Meghann_MacDonald

From now on, please track this idea from the Ideation portal. 

Link to new idea

Meghann

NOTE: Upon clicking this link 2 tabs may open - please feel free to close the one with a login page. If you only see 1 tab with the login page, please try clicking this link first: Authenticate me! then try the link above again. Ensure pop-up blocker is off.

Ideation
Explorer II

Status changed to: Closed - Archived