QnA with Qlik: Qlik Cloud Login Troubleshooting

Hello, everyone, and welcome to this Q&A with Qlik. Today, we're going to be talking about 'Qlik Cloud Login Troubleshooting'. Myself, I am Troy Raney. I largely work running webinars and creating helpful videos like this about Qlik. My partner in crime, Emmanuel Herndon, He is out today. He wasn't feeling too well, so I wish him all the best and hope he gets better soon. But I'll introduce you to our panel today. Eric, you want to introduce yourself? Sure. Thanks, Troy. I'm Eric Thomas. I'm a Senior Technical Support Engineer with Qlik. I've been working with the product since 2017 in a couple of different areas, mainly specialize at this point in SaaS support, application and design, application development and design, and then third party integration stuff with Qlik. So that's my focus. Okay, Frank, over to you. My name is name is Frank Savino, and I've been with Qlik coming up to 10 years of service this coming November. So you might know me from or be familiar with the Nprinting and SaaS Reporting where I focus a lot of my time with you all. But I also do a lot of work with Qlik View, Qlik Sense, and a lot of the other products as well. So looking forward to this call with you today. Thanks, Frank. Vinay? Thanks, Troy. My name is Vinay and I've been with Qlik since 2019. I started with Customer Support and I have moved to SaaS support and I'm currently working on our SaaS support customers. Awesome. Thank you. All right. Well, we will dive in. We already got some questions that have come in. First question today, is it possible to use Qlik Cloud with two IdPs configured? For example, Qlik IdP, plus Azure or something similar? Currently with Qlik Cloud, you can only configure only one IdP at the moment. If you have configured Qlik ID to use, then you cannot configure another IdP. Qlik Cloud support only one IdP at the moment and that is on the roadmap, but there is no ETA on when this can be delivered at this time. Okay! Thanks, Vinay . Next question, how do I find disabled users? Frank, do you want to take that one? Yeah. So to find disabled users, you need to go into your Qlik Cloud tenant as a Tenant admin and find the users panel. And so under the users panel, you'll see a drop down list for... By default, you'll see an active button. And what you may not have realized that there's a whole other set of panels under the active button. So you actually have to click on the active button and you can actually navigate to different areas of the type of users that are on your tenant. So you just click on the active button on the top right corner of your panel and you can navigate down to disabled users. And from there, you can re enable your disabled users. Frank, do you happen to have a tenant open that we could take a look at, or does anybody have something they could share? Yeah. And let me know if you can see my screen. Yeah, we can see it. So let's just do it from end-to-end. So let's go ahead and log in. Now, here is your regular view as you log into your tenant. So what you want to do is you want to navigate over to the QMC, essentially for the cloud, which is the management console. So over here you'll find in your drop downs, here's your Profile ID here, User profile menu. But over to the left of that, you want to click on the nine dots here in this form of a square. And you want to go over to Management Console. And as I was describing, here you'll find over here under Users, your list of users. Remember I was talking about the active button. Here's the active drop down right over here. Here you can see a bunch of my existing users. If you just click on the drop down, you can find a whole set of users disabled users provisioned pending invites and all users on the system. So we can go here. You can see everything in one act in one area. So by default, you'll see active users. If you want to renable disabled users, then that you, for example, somebody calls in and says, it says my account has been disabled, can you enable it? This is the interface you want to come to. That's about it. Pretty straightforward. Thank you. But important to know. You bet. Okay, let's move on to the next question. This is just for Qlik Cloud, or the relevant on premise login as well. Yeah, this session is mostly about Qlik Cloud, but if you have another question, go ahead and submit it. We might have time to answer it. That's great. Moving along. How does the login process user experience vary when using Qlik ID or another IdP? Eric, did you want to take that one? Yeah, sure. So it interacts like a standard single sign on. So if you use the Qlik IdP, you'll be taken to a Qlik single sign on page versus if you use something like Azure, you'll be taken to a Microsoft themed by an Azure sign in page. So it really just depends on what IdP you're using there to what login screen the user sees. Okay. All right. Next question. Follow up on that previous one. What about more than one method, name or email for login? Is that possible with a single IdP? I can take that one try. Basically, if you are using Qlik ID, it only provides you to log in via the email. It doesn't have the name option. However, if you have configured any third party IdPs, which allows the users to log in via their Windows end to name or any stuff like that, then you would be able to use your Windows Server account name and then log in. But it really depends upon the IdP you have configured on Qlik Cloud. Yeah, because all those settings are how you log in on the IdP, right? Yes, correct. Okay, thanks. Okay, next question. What's the standard session duration or timeout limit? And can you change it? And at what point after a session expires, do you need to click to reactivate that session or log in again? And does this vary depending on whether you're using an IdP or the standard Qlik ID? It's all about session timeouts. Who wants to take that one? Yeah, maybe you guys have a better answer than me, but I was under the assumption it's 30 minutes across the board. That's the user session time out. And that's when you'll get that icon that pops up that asks you, are you still there? Kind of click here to sign in again. So I think it's 30 minutes across the board. And that's in activity, right? If you're still active and clicking, it stays open. Right. Yeah. That's not like, how long will sessions stay open connected to a database? That's like, how long can you idle on Qlik cloud interface before it times out? Great. Let's see if we got everything. And if it does time out, is there a way to reactivate it? Yeah. It just gives you that Netflix. Are you still there? Sign back in. Okay, thanks. And just a follow up for me. Do you guys know if there is a max session limit, even if you're active? I've never heard of a max session. I don't know if people ever run into that, but all right, I'm just curious. Okay, moving on. Questions are coming in. Next one. What all possible issues could occur regarding logging into Qlik sense SaaS Cloud? Since Qlik is managing the authentication part in default login, Qlik will be responsible for troubleshooting. Kindly correct if I'm wrong. In case we have challenged the ID change the IdP Azure, then it will be customer responsible to troubleshoot from their side. And in case we need to create a support case regarding login troubleshooting, what will be required from the customer side regarding troubleshooting issues? So first, if people are having issues logging in and it's the Qlik ID, what do they need to bring to the table? And we'll take the second part. I think you just need the tenant ID and the user ID and the user and the tenant URL. That's the first three things we would probably need to start looking at anything. The time that you attempted to log in. I think those four things, guys, would that be sufficient? Yeah, I think if we have the tenant ID and the error screenshot, we can get started and look at the back end logs and we can see what error is happening. At first, we just need the tenant ID and the screenshot of the error message. Okay. The second part then, if it's a third party IdP and they need to troubleshoot some login issues, how could they go about that? Yeah, we'll definitely assist in any way we could. If it is client secret update, or any configuration that has to be updated, we'll get notified via the error message we see when they use a slide to log in. So yeah, we'll be able to assist in any login issues via IdP, whether it might be Qlik or Azure, any IdP, it will be able to assist. Great. So with regards to the case details for third party IdPs, we just need to know which IdP is exactly configured. Azure, which IdP is there, and then a screenshot or the trace ID for us to start looking at the logs. And on both those scenarios, is it important to have the ID of the users? I've been trouble logging in. Not particularly. We just need the tenant URL to start with. And with the screenshot, we can get the trace ID and from that we can get the details we need to looking at the logs. Awesome. Okay, next question. It's a comment about using Okta and some of the names are too long. Might need a little more information about that. But are you guys familiar with long names when you're using Okta as an identity provider? Do we have any limitations with long Okta names? I guess that's the question. That's something we'll have to put in parking lot and come back to, I guess, and look into it. Not aware of anything, but yeah, we'd have to go further. Yeah, we'd have to put in the lot and come back to it. Yeah, it'd be interesting. Just according to Okta, they require a minimum length of two characters and a maximum length of 20 characters. So if you're outside of that somehow, and I would imagine we wouldn't support that either. But if it's within that range, it would be something to look into. Thanks for your quick Google, Eric. Yeah, awesome. All right, next question. On a hybrid environment, is it possible to open On-premise apps and SaaS apps, supposing you have the same IdP? So like a unified login, essentially between On-premise and cloud. Are you seeing that one, Vinay? Maybe, yeah, Eric can explain on that. But with the hybrid environment, you'd need to use the separate URL login for your on premise and for the cloud. However, you could consume a single license if you have configured the same IdP with both your on premise and the Qlik cloud. So we have some documentation on how you can make sure that you have configured the same IdPs and what all properties. You need to check in the IdPs part to make sure that the users are consuming a single license. Most essential part of the hybrid configuration is to use the single license for On-premise and Cloud both. We just need to make sure that you have followed the right documentation to set it up. I would agree. You can certainly use the same IdP for On-premise and Qlik cloud. Like Vinay said, if you only want to consume one license for the same user, there are some additional configurations that need to take place. Then as far as consuming both the apps, I guess you'd have the choice at that point. If you have it deployed on premise, you could just log into the on premise site, or if you have it deployed in the cloud, you could use that URL to go to the cloud. Maybe I'm missing part of that question, but hopefully we answered it. I guess it could be some confusion because you can publish apps from On-premise to the Cloud hub, and so maybe it's just the interface. If they're going through the Cloud hub to open apps, they're going through the On=premise hub to open apps. Yeah. Maybe that's it. All right, thanks, guys. Next question. Are there any watchouts or things to be aware of when implementing an IdP on a SaaS tenant that already has user created content, for example, apps, data connections? Could there be any problems with object ownership? Yeah, I'll take this one. You can change the ownership of apps. I don't think there's any initial got yous there. The one thing that popped up to my mind when I saw that question is the order of operations of how you're inviting users. I've seen problems if you're using the Qlik IdP, invite a bunch of people to the tenant, and then switch over to something like Azure or Okta, and you have all these pending invites in limbo out there, that's the only gut drive I've seen people get caught up by because you have to go through the process of just temporarily disabling the third party IdP, going back in, clearing out those invites, and then reinvite them where it's better off to implement the third party IdP, then get your users squared away if that's the route you're going to go. That's the first thing that jumped in my mind. Thanks. Just to add on to that, the data connections created by different IdPS cannot be moved over. If you have created the data connection with your Qlik ID and then you switch to any other IdPS like Azure ADFS, then the data connection has to be recreated. There is no option to switch out the data connections because it is specifically asked in the question of the data connection. So just wanted to point it out. Next question. Any considerations when your email address is the same for your Qlik ID and IdP, and you're working with multiple tenants which use a mixture of Qlik ID and IdP? That's an interesting one. So if you're using multiple tenants and you try to sign in through the Qlik sign in, it usually shows you all the tenants you have available. It'll show every single tenant. So I've done that on my set up before, so I know it does that. And I have a mixture of Qlik IdPs and third party. I use Azure on one of mine. So yeah, if you use the Qlik interface, it'll show all the tenants you have available. And that's basically going from Qlik.com logging in at the upper right corner and going to click that to that login. It will ask you to choose your tenant. Okay. Some follow up to that long username limitation with Okta. They're using a long Saml name and yeah, anything greater than 20 characters, that seems to be where they're running into a problem. So it sounds like that's a limitation with Okta is the 20 character limit. Right. I can post that to you, Troy. Okay. It helps. So there's a link here to some documentation I'm going to try and send through the chat. I don't think there's any limit to the number of groups you can use in Qlik Cloud. Let's get to the question before you answer it. Oh, sorry. All right, so this question... My bad. Spiler alert. Are there any limitations around the number of groups created in Qlik Cloud via the IdP? You want to take that one, Frank, since you already have? Well, I'm not aware of any, but that doesn't mean I know everything. So I'm just going to defer to my esteemed colleagues here on the board this morning. Number of groups. Yeah. If you're using specifically Azure, then Azure has a group limitation of 200 groups a user can be part of. If the user is exceeding that limitation, then there would be an issue with adding the user to multiple groups in Qlik Cloud. Yeah, Qlik Cloud can read whatever that third party providers groups has limitations on them. Okay. Next question, our users aren't showing up in the cloud and when they are added, it takes away their on premise access. Any suggestions? Sounds like we have a few more followups to be able to answer that one properly, but anyone want to address that one? Sounds to me like they're sharing a license between environments and they may be hitting the cap of how many they have available. So as they're assigning licenses to a user, they're taking away from the on premise. That would be my guess, unless Vinay or Frank has something else. Seems real reasonable. Yeah. We need to have more information to have a better idea. Yeah. Well, that's a good one for a support case. If you want us to help you with some more details there, we'll probably need a few more details as well. But yeah, it's a good place to start, guys. Okay, next question. If we're hosting a cloud environment for multiple clients, example, one division has one email address domain, another division has a different domain, is there a way to ensure that when the user logs in, they are directed to the correct stream? Currently, On-prem or users using a load balancing application gateway back end pool to redirect the user to the appropriate URL endpoint to their stream. But with cloud, how could they do that? Yeah. With single tenant option, this is not possible. However, we have multi tenant provisioning option where it consumes a single license across multiple tenants, where you can create multiple tenants and then redact the users to different IdPs or domains users. One tenant can use Qlik IdP and another tenant can use Azure or any search IdPs and then redact them to that particular page. That is possible via multiple tenant provisioning option available. If you can reach out your Qlik Account Manager, you'd be able to assist you with those queries and set things up. That's great. I haven't heard that solution, but that sounds like a pretty easy way to resolve that. Yeah, because if you have multiple users want to use one tenant for development, and then once that is verified, people want to move that to a production tenant and do not want to make any changes in the production that way. There's an option of multi tenant provisioning option. Awesome. Thanks. This question is a little bit out of context, but the user is migrating our customer from Qlik View to Qlik Sense SaaS. One challenge is Nprinting reports. We've heard that. They have few reports which also need to be supported after migration. We're not sure what alternative we could take in this regard since Nprinting is not supported with SaaS Cloud. Can you suggest any suitable alternative in this regard? Okay, just trying to find the question. Yeah. So I'm just going to post. I just got the news and I can't see it. Not off the press. Yeah, I can't seem to put it directly as an answer for some reason. So I'm just going to go ahead and give it to you, Troy. The Qlik Nprinting application readiness tool has just been published, literally, this morning. That was promised over at Qlik World. There was a demo about it. And what this application does is it allows you to evaluate your On-premise applications and printing reports. It will give you an indication which ones are ready to go across and which ones, for example, it will say good candidate. Wait, that link you gave me was to an external site. It looks like it Do you have an external one? I posted it in the chat. There's different chats going on here. Here, I'll just give it to your Teams chat. In any case, this link that Troy will be sharing shortly is But that's a Confluence is what I'm saying. People have to deal with it. Is it a Confluence? Oh, I'm sorry. Okay. We'll have to get it out to you. But it's probably out on... Sorry about that all. It's probably out in the wild now. I assumed that was the correct link to the public article. So we will get that out to you. Just be confident to know that that is now available and we will definitely get that out to you. So you'll want to use that application to check which of your On-premise apps are ready to go up to the Cloud. Okay. And in the fall, I can't remember exact date, but there will be a Q&A with Qlik session or Techspert Talks. To be honest, I run both programs, so I can't remember off top of my head which one it is. But our product manager for Nprinting and Cloud reporting is going to be doing a session on how to do all the Nprinting capabilities that are now possible in the Cloud. So we are definitely addressing that and product management is addressing that. But great question. Keep them coming. Next question. Back to the session duration timeout question. It seems like sometimes when you come back to an app, sometimes it just asks you to click on the screen to reactivate the session. But sometimes it wants you to log in again. Do you know what the difference is? Is it a 30 minute thing like you mentioned? Yeah. So basically the 30 minutes timeout is for the idle timeout when you're in the hub. So basically when you log in and leave the screen idle for 30 minutes, you'll be marked as inactive and then would be asked to log in back. So for example, if you have opened the data load editor or data managers, there's an engine timeout which is set for 20 minutes. So basically, if you have opened the app and then leave it unattended for 20 minutes, you'd be asked to relogin back. The session disconnected and the option will be popped up and you need to relogin back. So basically the authentication when you do that, it is a 30 minutes timeout. But when you open the app or work with the apps, when you do that multiple options inside the app, then the timeout is 20 minutes. Thanks. And especially if you are working on a dedicated space, the timeout is more than 60 minutes. It is 60 minutes timeout for the dedicated space apps. If you are working with apps in a dedicated space. Nice to know that difference. Continuing on that thread back to the same email question, when I log in using my Qlik ID, I can see all the tenants related to that Qlik ID. When I log in using, for example, Office 365 or Azure IdP, I can't see the same. In fact, it redirects me to my list of Qlik ID tenants. That's interesting. Yeah, that is because with the Qlik ID, you have the option to visit My Qlik Portal. But if you have configured anb of the third party IdPs, you'll not be created My Qlik Portal profiles due to which you can't... The system will not be able to detect. The only way to log into any IdP configured tenant is via the tenant URL. You would need to make sure that you have the tenant URL bookmarked or listed with you, and then only you'll be able to access the tenant via multiple line or other IdPs except Qlik. Great. Thanks, Vinay. Okay, moving on to the next question. We have an Azure Active Directory IdP that works fine internally for our users. If we wanted to create a separate space that external users can access and they do not have our ID, how can we do this? If not, there are plans to make this available. So trying to get some anonymous access to their public site. I believe that's possible. Yeah. The anonymous access, it only gives you the view option. You can't edit or will not give you the edit option. It only gives you the view option. That is the basic usage of anonymous access. But I think Azure supports the external users, but they need to be a part of that. I know ID structure. If they're not part of the ID structure, then you'll not be able to add those users onto the tenant. However, there's an option in Azure to add external users to their ID. Okay, great. Is there a resource that contains instructions for configuring the IdP before it is added to Qlik Sense? For example, the settings, app registrations required, and Azure portal. Yeah, there's a really good community article on that. I can find that and put it in the chat real quick, but that's the one I followed to set up my tenant with Azure, and it was really in detail and thorough on how to set it up on the Azure side. So I'll try to find that for you. That's great. Thanks, Eric. Okay, next question. How to fix a situation where an invite for a user has expired? How to resolve that? Frank, do you want to take that one? Yeah. So it's possible that the user had... I actually recently encountered this myself. If a user is out there and using the tenant normally, and then suddenly in the same day, they try to log in again, and suddenly they'll see a screen that says invitation expired. You're just using it earlier in the day, everything's fine. So what happens sometimes is when you have two connections in the same day or within the same hour, not exactly sure how that happened, but it was simply resolved by clearing my cash and closing all the browsers, logging in again, and the issue was resolved. So I had no issues and no more warnings when going back into my tenant. So clearing the cash, using a private mode browser, probably do the same thing. But that's what you would need to do if you get an invitation, expired message. Assuming your invitation hasn't actually expired and you're a first time user. Great. Thanks, Frank. Next question, is it possible in Qlik Cloud to set up a group manually before users logged in to Qlik Cloud with the group? This will assist in setting permissions for a new group and user. That's what we actually covered in that textbook talk we did, Troy. You can pre set up the group provided that Qlik's already aware of it. There's some API endpoints you can use to check what groups are already available in your tenant. So provided you have some users that have already came over from Azure or Okta and you have groups enabled, you could go to a Manage Space permissions the members section and pre input a group that you know. So for example, the sales team has access to ReadEdit, that thing. You could pre set that up. So as new users come in from the sales team, they already have their permissions set up, so you can go that route instead of setting it up one by one for individual users. Yeah, and Eric did a great demo of that in our latest Techspert, so I'll include the link to that as I find it. Thanks. Next question is specific to Google. How to set up Google Cloud as the IdP with Qlik Cloud? Anybody want to take that one? Yep, I think we have the documentation on how to set up Google IdP. I'll just quickly grab the link on how to set that up. Just looking for that. Okay. Yeah, I was looking for the the Techspert link. So while we're looking for links, oh, you found one. Great. Let me just copy that. Okay. So there's a link to a video guide for Azure. Is that the one, Vinay? No, that one has got. Another question? Yeah. Sorry. Well, you're looking for that. Go ahead. That's the link to the latest Techspert Qlik Cloud Best Practices with Eric. He actually did a little demo of how to set up user groups. I can't remember if we covered in that talk or not, but here's the example URL to check what groups exist. If they want to try that out and make sure the groups already exist within Qlik Cloud. Nice. Okay, moving on to the next question. I can't get Azure AD group member. Read. All to work. Any tips? I'm not familiar with that. Is that an API call? I'm assuming that's a specific Graph API permission. I don't have a good answer on that one, unfortunately. No, I think I would put that out in SaaS Community and see if anybody else is doing it out in the world. That we're talking about. Correct. Edge, an Edge case, it sounds like might be useful. Yes. Moving to SaaS, something like this. I would suggest posting your question out here in case others have tried it or trying it. Unfortunately, we don't have every single answer, so this is a great place to come. And here you have a broad base of users that have tried various things and are successful to varying degrees. So please, I would recommend posting it out there. Yeah. There's currently 8,000, 8,500 people online might be interested in helping you. Exactly. And subject matter experts out there. We'll ask, or will actually be out there answering questions as well, but I don't think any of us here have seen that one before, unfortunately. Good question then. Yeah, for sure. Stumping the experts here with the details. All right, just a couple more questions. How to bulk ad users when using active directory IdP? That could be similar to what you were talking about, Eric, with groups. I don't know. Is there a better way? The user is starting to log in for them to be added. And there are technically APIs you can use to create users. Our discussion earlier was more on permission sets for a specific space. So you could set up a space to already have a concept of your sales team or your IT team, whatever. You could already have those distinctions set up and roll permissions. But as far as bulk adding users, I think they still just need to go through the login process as normal. But if they already have those claims coming from the IdP and you set it up to know about those groups, then it should just be plug and play. As soon as they log in, they'll have access to the spaces you want them to. Great. Thanks. I just threw up a QR code to survey for today. If you have time to fill it out, we'd love getting your feedback. Oh, and you found the link. Awesome. Next question. How do I log into Qlik Sense desktop with Qlik Cloud? I can probably actually show that one real quick if you want. Yeah, stop sharing. Okay. This is one of my Qlik Cloud tenants. You go up to Profile Settings up here. Then you'll go under Tools. You have this section here for Qlik Sense desktop specifically. It'll actually give you the download. I've had customers ask where you can download Qlik Sense desktop for SaaS. Right here, it'll get you the latest version. Then it'll have an authenticate button here. Once you click this button, it'll basically just have you... It'll pull up a URL that motivates your Qlik desktop instance. So that's all you have to do to get it authenticated against Qlik Cloud. Great. Thank you for sharing. Okay, looks like the last couple of questions, but there's still time if you want to answer a question. How do I resolve the you cannot access the selected hub because you have no access pass error? Is anybody familiar with that error message? That sounds like an On-premise question. Probably is. Yeah. So just quickly, your question is based on it sounds like you're using Qlik Sense on premise, which is like on a BMW, the traditional Qlik Sense and not Qlik cloud. So if you're having a no access pass, that means you're probably on click sense on premise and that user simply doesn't have an access token professional or analyzer license assigned to them. Okay. So to resolve it, you'd have to go into the Qlik Sense QMC under users panel, licenses and allocate a license professional or analyzer license to them. Right. And if you don't have access to QMC, talk to your admin who does. Thanks, Troy. Exactly. Yeah. Right on the money. Great. All right. Last question. Can you explain how capacity licensing works? That's a big one. I think it's more in the account manager realm. I think we have a link here, but yeah, that might be... Yeah, I tend to default to what's on a Qlik.com. when it talks about licensing when it comes to other things. Yeah. Okay. Well, everybody, I appreciate all the questions you've brought today. Just as a reminder, our next session is Tuesday, June 27, and I'll be all about upgrading Qlik Sense, and that's more of an on premise, obviously, on premise question. With Qlik Sense. And thank you so much to our panel today. It's been great getting experts like you all to share with us. And thanks to everybody for attending and I hope you have a great rest of your day.