Qlik Community

Modify claims in Identity Mapping

erikadvectas
Partner

Using Qlik SaaS solutions (QSEoCS) we intend to connect with multi cloud with our QSEoW setup. Generally things are working, but due to OpenID Connect being a specification and not a standard, some IdP providers like Azure AD do not provide all claims that allow such an identity mapping to work.

The consequence is that all apps being deployed to a cloud solution get published without an owner. This makes the "self-service" not a viable solution when using multi cloud.

In this particular case, the OIDC claim email_verified is missing. The on-prem SAML authentication that connects to this seems to generally work.

The idea here is to be able to modify, to hardcode, to change or to alter how the identity mapping is enforced between the cloud and the on-prem solution, irrespective of the IdP provider. From the end-user point of view, everything is set up correctly (userid the same, name the same etc), but due to all the different IdP providers interpreting OIDC differently, we need to be able to affect the setup in how Qlik handles the identities.
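An added diagnostic, not part of this post or of Qlik's products: it decodes an ID token's payload without verifying it and lists which claims a mapping like the one described above would need but the IdP did not send. The required-claims set, the sample payloads and the token builder are constructed for the example.

```python
import base64
import json

# Claims the owner/identity mapping in the post above depends on. This set is an
# assumption for the example, not Qlik's documented requirement.
REQUIRED_CLAIMS = ("sub", "name", "email", "email_verified")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS *without* checking its signature.

    Use it only to see which claims an IdP emits; never to authenticate anyone.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(claims: dict, required=REQUIRED_CLAIMS) -> list:
    """Claims the mapping needs that the IdP did not send (in REQUIRED_CLAIMS order)."""
    return [name for name in required if name not in claims]


def build_demo_token(payload: dict) -> str:
    """Constructed, unsigned fixture for the demo; a real token carries a signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


# Constructed sample payloads: one as Azure AD is reported above to send it
# (no email_verified), one with the full claim set.
AZURE_LIKE = {"sub": "abc123", "name": "Erik A", "email": "erik@example.com"}
COMPLETE = dict(AZURE_LIKE, email_verified=True)

if __name__ == "__main__":
    for label, payload in (("azure-like", AZURE_LIKE), ("complete", COMPLETE)):
        gap = missing_claims(id_token_claims(build_demo_token(payload)))
        print(f"{label}: {'ok' if not gap else 'cannot map owner, missing ' + ', '.join(gap)}")
```

Run it against a token captured from your own tenant's login flow to see exactly which claim your IdP leaves out before changing any mapping configuration.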

7 Comments
Jeffrey_Goldberg
Employee

@erikadvectas,

Thank you for the feedback. There are two parts to your request so let's take them in turn.

RE: Multi-cloud

The multi-cloud challenge with the user stripped in Qlik Sense SaaS upon first synchro with Windows is less about the IdP not being able to deal with mappings properly, and just that in the synchro the user information is different. We're looking into different transport methods for moving workloads to the cloud that could bring personal content over and offer some remapping of users from the old system to the new. This is going to find its way into the world in the cli first because it's much more easily scriptable what with all the mappings (users, streams to spaces, etc) involved in making the transport seamless.

For now, you have to go and set the new owner and the new space manually after the first synchro, but then it should work after that.

RE: More customization of IdP claims

Acknowledged and understood. I've been trying to find a way to deal with it on the IdP side because you rightly point out the lack of standards. Microsoft does not make it easy and being the big fish doesn't help us much. So we're looking into the effort to enhance customization of claims mapping.

jg

Status changed to: Open - Collecting Feedback
erikadvectas
Partner

Thanks for the feedback @Jeffrey_Goldberg.

I mean the second "idea" - 'customization of IdP claims' is essentially due to multi cloud not transporting the workload as you mention (which is the first one). But I guess it is two separate things, yes. It's really that we have to manually set the owner that causes a pain for a sysadmin, and even though it is Microsoft's "fault", we still have the problem. We do have quite a bunch of PS scripts for QSEoW so if there is a way with the new qlik-cli, I'm all open for that.

Jeffrey_Goldberg
Employee

Yes, the cli will have user commands in an upcoming release along with some access to qrs for app migration and multi-cloud scenarios.

In theory, you can connect to qrs today using the cli by creating a context using a jwt and a jwt vproxy. Then use the qlik raw command to issue requests directly to qrs. Like I said, eventually some helper commands to qrs will be available.

jg

sfbi
Creator

Same here... the lack of email is a major problem, as we're unable to share app visualizations by email! Also profile picture won't work.

Ian_Crosland
Employee

Status changed to: Open - On Roadmap
erikadvectas
Partner

This appears to be fixed already:

(screenshot attached: erikadvectas_0-1610528660417.png)

pavi
Contributor

Hi Team,

What to do when User ID and IdP Subject contain multiple characters like (auth0jhabajkfkfkfkfkanknL) instead of Domain\username? Would be grateful if you can suggest on this.