rob_insley
Partner - Contributor III

Changing IdP Authentication - Qlik Sense SaaS

My client wishes to change their current IdP Authentication in Qlik Sense SaaS. Currently they log in using their Network login but this is going to be changed to use an email address.

Email Address is an existing Claim attribute so I am trying to understand what the process will be to change the IdP Authentication and whether existing users will somehow get automatically mapped when the new IdP is configured. Having a single tenancy means we do not have a Qlik Sense SaaS Environment to try out the change so that we can fully identify the potential impacts.

I understand it will be a 2 step process-

Step 1. Revert to Qlik Account Authentication and ensure we have the recovery account to be able to re-login.

Step 2. Configure the new IdP Authentication

So after configuring and establishing the new IdP Authentication we need to understand the impact to understand if we will need to re-establish all Spaces permissions to the new users or whether the new users will inherit the existing permissions by automated mapping via email?

Has anyone done something similar?

Accepted Solutions
Levi_Turner
Employee

Let's start out with how a user is identified in Qlik Cloud. Let's take this user's record:

Levi_Turner_0-1709216784120.png

In tabular format, the user is:

| User ID (created by Qlik) | User Subject (from your IDP) | User Email (from your IDP) | User Name (from your IDP) |
|---|---|---|---|
| 65e093f29fac8999db04512e | 856bcab5-64db-4aa1-bce8-d90e98d322c2 | levi.turner@demo.dev | Levi Turner |

User records in Qlik Cloud have dual primary keys: subject and email. This means, if your IDP changes the user's subject or the user's email, the user's Qlik Cloud identity will remain the same. If you change both the user's subject and email, Qlik Cloud will treat this as a new user. In my example user, I can change the email like so:

Levi_Turner_1-1709217099300.png

| User ID (created by Qlik) | User Subject (from your IDP) | User Email (from your IDP) | User Name (from your IDP) |
|---|---|---|---|
| 65e093f29fac8999db04512e | 856bcab5-64db-4aa1-bce8-d90e98d322c2 | levi.turner2@demo.dev | Levi Turner |

Or I can change the subject like so:

Levi_Turner_2-1709217177001.png

| User ID (created by Qlik) | User Subject (from your IDP) | User Email (from your IDP) | User Name (from your IDP) |
|---|---|---|---|
| 65e093f29fac8999db04512e | BrandNewSubject | levi.turner2@demo.dev | Levi Turner |

If I change both, then I will have a new user:

Levi_Turner_3-1709217921933.png

| User ID (created by Qlik) | User Subject (from your IDP) | User Email (from your IDP) | User Name (from your IDP) |
|---|---|---|---|
| 65e093f29fac8999db04512e | BrandNewSubject | levi.turner2@demo.dev | Levi Turner |
| 65e0984ad099feece9adaead | 856bcab5-64db-4aa1-bce8-d90e98d322c1 | levi.turner@demo.dev | Levi Turner |

So back to your questions:

> So after configuring and establishing the new iDP Authentication we need to understand the impact to understand if we will need to re-establish all Spaces permissions to the new users or whether the new users will inherit the existing permissions by automated mapping via email?

After configuring and establishing the new IDP, you should ensure either the user's subject or email is the same. This will ensure that the user is considered the same to Qlik Cloud. From there,

  • any permissions set by user name will automatically inherit. Ownership of apps, automations, sheets, data connections will all work seamlessly

But access by name isn't the only way to provide access; groups can be used.

  • any permissions set by groups will automatically inherit assuming that the new IDP also sends the same groups. If the old IDP sent 3 groups and the new IDP sends the same 3 groups, this will work. If the groups change names or aren't being sent, then this access will break

In this space:

Levi_Turner_4-1709218214910.png

If I continue to send the group "Domain Admins", then an IDP change on Qlik Cloud will not be problematic. If the new IDP doesn't send "Domain Admins", then I would need to either grant access to the space via the new group or by user name.
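
A pre-migration check for the matching rule described in the answer above, as an added example that is not part of the original post and calls no Qlik API: it classifies each identity the new IdP would send as matched or new, and lists space groups the new IdP no longer sends. The `Identity` class, the function names, the `INCOMING` claims and the `SPACE_GROUPS` mapping are assumptions; the "ambiguous" outcome (subject and email hitting two different records) is not covered by the answer and is only flagged for review.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    subject: str
    email: str
    groups: frozenset = frozenset()

def classify(existing, incoming):
    """Rule from the answer: same subject OR same email -> same user;
    both different -> new user. A subject hit and an email hit on two
    different records is not covered by the answer, so it is flagged."""
    by_subject = {u.subject: uid for uid, u in existing.items()}
    by_email = {u.email: uid for uid, u in existing.items()}
    result = {}
    for ident in incoming:
        hits = {by_subject.get(ident.subject), by_email.get(ident.email)} - {None}
        if not hits:
            result[ident.email] = ("new-user", None)
        elif len(hits) == 1:
            result[ident.email] = ("matched", hits.pop())
        else:
            result[ident.email] = ("ambiguous", tuple(sorted(hits)))
    return result

def missing_groups(space_groups, incoming):
    """Groups granting space access that no incoming identity carries."""
    sent = set().union(*(i.groups for i in incoming))
    return {space: sorted(set(groups) - sent)
            for space, groups in space_groups.items() if set(groups) - sent}

# Existing tenant user keyed by the Qlik-created user ID (values from the tables above).
EXISTING = {
    "65e093f29fac8999db04512e": Identity(
        "856bcab5-64db-4aa1-bce8-d90e98d322c2", "levi.turner@demo.dev"),
}
# Constructed claims the new IdP would send after the switch.
INCOMING = [
    Identity("BrandNewSubject", "levi.turner@demo.dev", frozenset({"Domain Admins"})),
    Identity("AnotherSubject", "new.person@demo.dev", frozenset({"Qlik Users"})),
]
# Constructed: groups that currently grant access to a space.
SPACE_GROUPS = {"Example space": ["Domain Admins", "Finance"]}

if __name__ == "__main__":
    for email, (status, uid) in classify(EXISTING, INCOMING).items():
        print(f"{email}: {status} {uid or ''}")
    print("groups no longer sent:", missing_groups(SPACE_GROUPS, INCOMING))
```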

rob_insley
Partner - Contributor III
Author

Thanks Levi for the detailed breakdown and explanation.  This has been really useful.  Thanks, Rob