Identity Provider
By default, Qalyptus Cloud authenticates users with the Qalyptus authentication system. You can configure Qalyptus Cloud to authenticate your users with your own Identity Providers. Qalyptus Cloud uses the OpenID Connect (OIDC) protocol and supports any Identity Provider that supports OpenID Connect, such as Okta, Auth0, Azure AD, Ping Identity, etc.
Qalyptus Cloud also supports Qlik Sense OAuth. Qalyptus will use the authentication system configured for your Qlik Sense tenant to authenticate the users.
You can configure multiple Identity Providers, but you can use only one per Qalyptus Cloud organization.
Configure an Identity Provider (IdP)
Identity providers are configured by admin users in the Qalyptus administration console.
Configure a Generic Identity Provider
To configure an Identity Provider with a generic Identity provider (Okta, Auth0, Azure AD, Ping Identity, etc.), do the following:
- Connect to Qalyptus Cloud as an administrator
- Go to Qalyptus Administration > System > Identity Provider
- Click Create Identity Provider
- Enter a Name
- Enter a Description (optional)
- Select a type; choose Generic
- Copy the Redirect URL
Before continuing, go to your Identity Provider and create an application (your IdP may use a different name for it). Use the Qalyptus 'Redirect URL' to create the application. After creating the app, you will have a Client Id and Client secret.
You also need the OpenID configuration information of your Identity Provider.
In general, the OpenID configuration information is available at: https://{IDP-DOMAIN}/.well-known/openid-configuration
Examples:
- Auth0: https://{DOMAIN}.eu.auth0.com/.well-known/openid-configuration
- Keycloak: http://{FULL-DOMAIN}/auth/realms/{REALM}/.well-known/openid-configuration
- Enter the Client Id provided by your IdP
- Enter the Client secret provided by your IdP
- Enter the Authorization endpoint
- Enter the Access token endpoint
- Enter the User info endpoint
- Enter the Logout endpoint (optional) to log out of all other applications after logging out in Qalyptus
- Enter the Post logout redirect URL (optional) to redirect the user to a specific page after logging out in Qalyptus
- Click Save
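The endpoint values for the form come from the IdP's OpenID configuration document. The following sketch is an added example, not Qalyptus code: it reads such a document, maps its standard OIDC metadata keys to the form fields listed above, and reports endpoints that are missing or not served over HTTPS. The mapping of form labels to metadata keys is an assumption based on the standard key names, and the sample document and `idp.example.com` are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Qalyptus form label -> (OIDC discovery metadata key, required?)
# Assumed mapping, based on the standard OIDC metadata key names.
FIELD_MAP = {
    "Authorization endpoint": ("authorization_endpoint", True),
    "Access token endpoint": ("token_endpoint", True),
    "User info endpoint": ("userinfo_endpoint", True),
    "Logout endpoint": ("end_session_endpoint", False),
}

# Constructed sample values; idp.example.com is a placeholder, not a real IdP.
SAMPLE_URL = "https://idp.example.com/realms/demo" + WELL_KNOWN
SAMPLE_DOC = json.dumps({
    "issuer": "https://idp.example.com/realms/demo",
    "authorization_endpoint": "https://idp.example.com/realms/demo/authorize",
    "token_endpoint": "https://idp.example.com/realms/demo/token",
    "userinfo_endpoint": "https://idp.example.com/realms/demo/userinfo",
    "end_session_endpoint": "https://idp.example.com/realms/demo/logout",
})


def qalyptus_fields(discovery_url, discovery_json):
    """Return (fields, problems): values for the form, plus findings to review."""
    meta = json.loads(discovery_json)
    problems = []
    # The issuer must be the URL prefix the document was fetched from
    # (a trailing slash is tolerated, as some IdPs include one).
    expected = discovery_url.split(WELL_KNOWN)[0].rstrip("/")
    issuer = str(meta.get("issuer", ""))
    if issuer.rstrip("/") != expected:
        problems.append(f"issuer {issuer!r} does not match {expected!r}")
    fields = {}
    for label, (key, required) in FIELD_MAP.items():
        url = meta.get(key)
        if not url:
            if required:
                problems.append(f"{key} missing from discovery document")
            continue
        if urlsplit(url).scheme != "https":
            problems.append(f"{key} is not served over HTTPS: {url}")
        fields[label] = url
    return fields, problems


if __name__ == "__main__":
    fields, problems = qalyptus_fields(SAMPLE_URL, SAMPLE_DOC)
    for label, url in fields.items():
        print(f"{label}: {url}")
    print("problems:", problems or "none")
```

Save the document from your IdP's `.well-known/openid-configuration` URL and pass its text in place of `SAMPLE_DOC`; resolve any reported problem before entering the values.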
Configure an Identity Provider with Qlik Sense OAuth
To configure an Identity Provider with the Qlik Sense OAuth, do the following:
- Connect to Qalyptus Cloud as an administrator
- Go to Qalyptus Administration > System > Identity Provider
- Click Create Identity Provider
- Enter a Name
- Enter a Description (optional)
- Select a type; choose Qlik Sense OAuth
- Copy the Redirect URL
Before continuing, go to your Qlik Sense Cloud tenant > Console management > OAuth, then Create a new OAuth client configuration. Enter a name and the Qalyptus Cloud 'Redirect URL', then click Save.
A Client Id and Client secret will be generated. Copy the information to a safe place.
- Enter the Client Id provided by your IdP
- Enter the Client secret provided by your IdP
- Click Save
Change the Consent method to 'Trusted'
By default, Qlik Sense will ask for consent the first time the user logs in. You can avoid the prompt by changing the consent method as below.
In Qalyptus Cloud, you can only configure one identity provider with Qlik Sense OAuth.
Use the configured Identity Provider
After configuring your Identity Provider, you must assign it to an Organization before Qalyptus Cloud uses it to authenticate users. Go to the Organization list, edit the organization, and in the Authentications tab, select the Identity Provider to authenticate the organization's users.
If your Qalyptus Cloud tenant contains multiple organizations and all the organizations use the same Identity provider, the users will be automatically authenticated with the Identity provider.
If your Qalyptus Cloud tenant contains multiple organizations that use different authentication methods, Qalyptus Cloud will ask the user to provide their email address before redirecting them to the right authentication system, depending on which organization they are a member of.
The Qalyptus Cloud extension for Qlik Sense Cloud uses the abovementioned process to authenticate users.
Nevertheless, if a Qlik Sense OAuth Identity Provider is configured, the Qalyptus Cloud extension will use it to authenticate the user, even if it is not assigned to an organization.
We recommend configuring an Identity Provider with Qlik Sense OAuth to offer a good authentication experience when using the Qalyptus Cloud extension. Because the user is already authenticated in Qlik Sense, they will be automatically recognized by Qalyptus.
If you have an issue connecting to Qalyptus Cloud with the configured Identity Provider, you can use the Qalyptus Cloud authentication system with the following address: https://{SUB-DOMAIN}.qalyptus.net/login/normal.
Using an Identity Provider is available with a Qalyptus Cloud Enterprise subscription.