mgranillo
Specialist

Okta Integration Qlik SaaS: Not receiving group claim under mapped claims

Using the diagnose claims link /api/v1/diagnose-claims, I do not see the group claim under mapped claims. Is this a configuration issue with Okta? What are some troubleshooting steps?

3 Replies
Levi_Turner
Employee

It could be on either side. In the diagnose-claims endpoint, you will see two sections: claimsFromIdp and mappedClaims. The claimsFromIdp section will enumerate the information sent from the Identity Provider. The mappedClaims section will enumerate how the Tenant is configured to interpret these claims. Let's take an example from a tenant of mine:

{
  <... truncated these details ...>
  },
  "claimSource": "id-token",
  "claimsFromIdp": {
    <... truncated these details ...>
    "groups": [
      "Domain Admins",
      "Domain Users",
      "Qlik Sense Tenant Admins",
      "Qlik Users",
      "Enterprise Architects",
      "Presales"
    ],
    <... truncated these details ...>
    "winaccountname": "QLIK-POC\\ltu",
    <... truncated these details ...>
  },
  "mappedClaims": {
    "sub": "QLIK-POC\\ltu",
    <... truncated these details ...>
    "groups": [
      "Domain Admins",
      "Domain Users",
      "Qlik Sense Tenant Admins",
      "Qlik Users",
      "Enterprise Architects",
      "Presales"
    ],
    <... truncated these details ...>
  }
}


For this example, we have two claims from the IDP: winaccountname and groups. My Qlik config is as follows:

[Screenshot of the Qlik identity provider configuration: the claim named groups is mapped to the user's groups, and winaccountname is mapped to sub]


So in this example, I am telling Qlik to consume the claim named groups and map it to the user's groups. For the claim winaccountname, I am telling Qlik to map it to the user's sub (or subject).

Back to your question. If you don't see the groups in the claimsFromIdp section, Okta isn't sending this information. If you are seeing this information in the claimsFromIdp section, then configure the IDP in Qlik to map to the name of the claim from the IDP.


mgranillo
Specialist
Author

@Levi_Turner we managed to get the group claims coming through. The key for us was calling out the group in the advanced section scope, per this comment on the original article: "We found another piece that may be missing. For us, we needed to expand the Advanced Options on the Qlik setup and add "groups" into the scope even though we mapped it correctly in the claims section. Without this we weren't pulling in any groups through Okta to our tenant."

Is it abnormal to need to call it out in the scope? I'm wondering what the driver is here and why it's not called out in the main article.

Thanks,

Mike

Levi_Turner
Employee

It looks like Okta requires that scope to retrieve that information (ref https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#request-an-id-token-that-...), although I am sure there is variability / configurability on the Okta side. It's a fair point to call this out about the docs; I'll see about pinging the individuals who own them about updating them.
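The triage that the replies above describe (first check claimsFromIdp, then mappedClaims, and remember that Okta only emits the groups claim when the "groups" scope is requested) written out as a small script. This is an added example, not code from the thread, from Qlik or from Okta. It assumes a diagnose-claims response of the shape quoted earlier (only the two sections shown there, with constructed sample values), a hypothetical function name, and that you pass in the scope string from the Qlik IdP configuration's Advanced options yourself, since the diagnose-claims response does not contain it.

```python
# Added example (not from the thread, Qlik, or Okta): triage the groups claim
# from a /api/v1/diagnose-claims response the way the replies above describe.

# Constructed sample responses, shaped like the one quoted in the thread
# (only the fields shown there; the elided parts are left out).
RESPONSE_WORKING = {
    "claimSource": "id-token",
    "claimsFromIdp": {
        "groups": ["Domain Admins", "Qlik Sense Tenant Admins", "Qlik Users"],
        "winaccountname": "QLIK-POC\\ltu",
    },
    "mappedClaims": {
        "sub": "QLIK-POC\\ltu",
        "groups": ["Domain Admins", "Qlik Sense Tenant Admins", "Qlik Users"],
    },
}

# Constructed: Okta was not asked for the groups scope, so no groups claim arrives.
RESPONSE_NO_GROUPS_FROM_IDP = {
    "claimSource": "id-token",
    "claimsFromIdp": {"winaccountname": "QLIK-POC\\ltu"},
    "mappedClaims": {"sub": "QLIK-POC\\ltu"},
}

# Constructed: Okta sends the claim under a custom name ("ad_groups" is
# hypothetical), but the Qlik IdP config does not map that name to groups.
RESPONSE_UNMAPPED = {
    "claimSource": "id-token",
    "claimsFromIdp": {
        "winaccountname": "QLIK-POC\\ltu",
        "ad_groups": ["Domain Admins", "Qlik Users"],
    },
    "mappedClaims": {"sub": "QLIK-POC\\ltu"},
}


def diagnose_groups_claim(response, idp_claim_name="groups",
                          requested_scopes="openid profile email"):
    """Return a dict with 'status' and 'next_step' for the groups claim.

    idp_claim_name   - the IdP claim name Qlik is configured to read groups from
    requested_scopes - space-separated scope string from the Qlik IdP config's
                       Advanced options (hypothetical input; the default is an
                       assumed scope set without "groups")
    """
    from_idp = response.get("claimsFromIdp", {})
    mapped = response.get("mappedClaims", {})
    scopes = set(requested_scopes.split())

    # Step 1: is the IdP sending the claim at all?
    if idp_claim_name not in from_idp:
        if "groups" not in scopes:
            return {
                "status": "idp-not-sending",
                "next_step": 'Add "groups" to the scope under the Qlik IdP '
                             "Advanced options; Okta only returns the groups "
                             "claim when that scope is requested.",
            }
        return {
            "status": "idp-not-sending",
            "next_step": f'Okta is not emitting "{idp_claim_name}" even with the '
                         "groups scope requested; check the groups claim and its "
                         "filter on the Okta side.",
        }

    # Step 2: the claim arrives, but is Qlik mapping it to groups?
    if "groups" not in mapped:
        return {
            "status": "mapping-missing",
            "next_step": f'Map the IdP claim "{idp_claim_name}" to groups in the '
                         "Qlik IdP configuration.",
        }

    # Step 3: both present; report any groups that did not survive the mapping.
    dropped = sorted(set(from_idp[idp_claim_name]) - set(mapped["groups"]))
    return {
        "status": "ok" if not dropped else "partial",
        "groups": list(mapped["groups"]),
        "dropped": dropped,
        "next_step": "No action needed." if not dropped
                     else f"Mapped, but these groups were dropped: {dropped}",
    }


if __name__ == "__main__":
    print("working:", diagnose_groups_claim(RESPONSE_WORKING))
    print("no groups, default scopes:",
          diagnose_groups_claim(RESPONSE_NO_GROUPS_FROM_IDP))
    print("no groups, groups scope requested:",
          diagnose_groups_claim(RESPONSE_NO_GROUPS_FROM_IDP,
                                requested_scopes="openid profile email groups"))
    print("unmapped custom claim:",
          diagnose_groups_claim(RESPONSE_UNMAPPED, idp_claim_name="ad_groups",
                                requested_scopes="openid profile email groups"))
```

Feed it the JSON you get back from the diagnose-claims endpoint (for example, `json.load` of a saved response) together with the scope string you actually configured; the status tells you which side to fix, and the "partial" case catches a mapping that exists but loses groups between the two sections.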