You can achieve the following requirement.
Two basic things you need here:
The user ID and user directory values should be the same:
- When you log in or pull users from UDC
- When you log in from OKTA using
If both cases match, then the same user is referred to in the Qlik Sense database.
1. SAML attribute for user ID
By asking the SSO admin (here, the OKTA guys) to send the required user attribute value as an attribute in the SAML response.
You can configure the same attribute in the Virtual Proxy as the SAML attribute for user ID.
Maybe SAM-Account-Name is used, not sure. (Your proxy configuration and AD attributes will provide the mapping here.)
2. SAML attribute for user directory:
By asking the SSO admin (here, the OKTA guys) to send the required user directory value as an attribute in the SAML response.
You can configure the same attribute in the Virtual Proxy as the SAML attribute for user directory.
domain = CORP
This is only based on login of the user.
But if you have some security rules written utilizing the groups info received from UDC pulling data directly from AD, then we need to send that groups info also in the SAML response, matching the groups info received from UDC.
Thanks so much for the suggestion. Here is how I got it working.
In the Okta Qlik SAML application:
- on the Sign On tab set the username format to 'AD SAM Account Name'
- on the General tab added a custom attribute called 'username' and set it to 'appuser.userName'
In the Qlik Virtual Proxy for Okta, in the Authentication section:
- set SAML attribute for User ID = username
- set SAML attribute for user directory = [CORP]
I decided to just use a static attribute for the user directory name since I do not expect it to change.
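The mapping described in this thread can be checked offline before users start logging in. The script below is an added example, not part of the original posts and not Qlik or Okta code: it resolves the user directory and user ID the way the virtual proxy settings above describe (a bracketed value such as `[CORP]` is static, anything else is read from the SAML response) and compares the result, plus any groups, with what UDC synced. The assertion fragment, the user `jdoe`, the `groups` attribute name, the group names and the exact case-sensitive comparison are assumptions made for illustration; it does not validate the SAML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an AttributeStatement fragment, not a captured Okta response.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>QlikDevelopers</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample: (user directory, user ID) -> groups, as a UDC sync from AD stored them.
UDC_USERS = {("CORP", "jdoe"): {"QlikDevelopers", "Finance", "VPN-Users"}}


def attribute_values(assertion_xml, name):
    """Return all values of the named SAML attribute (empty list if absent)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            for value in attr.iterfind("saml:AttributeValue", NS):
                values.append((value.text or "").strip())
    return values


def resolve_identity(assertion_xml, user_id_attr, user_dir_setting):
    """Apply the virtual proxy mapping: [NAME] is a static directory, else an attribute."""
    ids = attribute_values(assertion_xml, user_id_attr)
    if user_dir_setting.startswith("[") and user_dir_setting.endswith("]"):
        dirs = [user_dir_setting[1:-1]]
    else:
        dirs = attribute_values(assertion_xml, user_dir_setting)
    if len(ids) != 1 or len(dirs) != 1:
        raise ValueError("need exactly one user ID and one user directory value")
    return dirs[0], ids[0]


def check_against_udc(assertion_xml, user_id_attr, user_dir_setting, group_attr, udc_users):
    """Report whether the SAML identity hits a UDC record and which groups UDC lacks."""
    identity = resolve_identity(assertion_xml, user_id_attr, user_dir_setting)
    saml_groups = set(attribute_values(assertion_xml, group_attr))
    extra = saml_groups - udc_users.get(identity, set())
    return {"identity": identity, "in_udc": identity in udc_users,
            "groups_not_in_udc": sorted(extra)}
```

An `in_udc` result of `False` means the SSO login would resolve to a different user record than the one UDC created, so security rules written against the UDC user and its groups would not apply to that session.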