Endpoints
GET | /identity-providers/{id} |
PATCH | /identity-providers/{id} |
DELETE | /identity-providers/{id} |
PUT | /identity-providers/{id}/test-result |
GET | /identity-providers/{id}/test-result |
GET | /identity-providers |
POST | /identity-providers |
GET | /identity-providers/.well-known/metadata.json |
GET | /identity-providers/me/meta |
GET | /identity-providers/status |
Use to return the idp with the specified id
This endpoint is used to retrieve an identity provider from the service. It returns a 200 OK response if the idp exists and the user (TenantAdmin) or service (edge-auth) is authorized to view the contents. It returns a 404 Not Found if these criteria are not met.
Path Parameters GET /identity-providers/{id}
id string | The identity-provider ID |
Responses GET /identity-providers/{id}
200 application/json | Success |
401 application/json | Unauthorized |
404 application/json | Not Found |
GET/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-H "Authorization: Bearer <API-key>"
Updates the idp with the specified id
This endpoint is used to patch an identity provider in the service. It returns a 204 when the idp is patched. Only a tenanted edge-auth request or a user with the TenantAdmin role and tenant access can patch an associated IDP. Partial failure is treated as complete failure and returns an error.
Header Parameters PATCH /identity-providers/{id}
QLIK-IDP-POPTS-MATCH | A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested. |
Path Parameters PATCH /identity-providers/{id}
id string | The identity-provider ID |
Request Body PATCH /identity-providers/{id}
application/json | No description |
Responses PATCH /identity-providers/{id}
204 object | Success |
400 application/json | Bad request. The issue can range from invalid requestbody or url, to an invalid state transition. |
401 application/json | Unauthorized |
403 application/json | Access Denied. Only a tenanted edge-auth or tenantadmin user request can patch an idp. |
404 application/json | Not Found |
412 application/json | Precondition Failed. Missing QLIK-IDP-POPTS-MATCH header, or its value doesn't match the IDP's test configuration hash. |
500 application/json | Internal server error, the operation failed unexpectedly |
PATCH/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-X PATCH \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json" \
-d '<request-body>'
Deletes the idp with the specified id
This endpoint is used to delete an identity provider from the service. It returns a 204 when the idp is deleted. Only a user with the TenantAdmin role and tenant access can delete an associated IDP. Edge-auth can also delete.
Path Parameters DELETE /identity-providers/{id}
id string | The identity-provider ID |
Responses DELETE /identity-providers/{id}
204 object | Success |
400 application/json | Bad request. The interactive IDP for the tenant can't be deleted. |
404 application/json | Not Found |
DELETE/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-X DELETE \
-H "Authorization: Bearer <API-key>"
Use to create a pendingResult for the specified idp ID
This endpoint is used to create a pending result. It returns a 204 No Content response if the pending result was successfully created. Only edge-auth is authorized to create a pendingResult.
Header Parameters PUT /identity-providers/{id}/test-result
QLIK-IDP-POPTS-MATCH | A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested. |
Path Parameters PUT /identity-providers/{id}/test-result
id string | The identity-provider ID |
Responses PUT /identity-providers/{id}/test-result
200 application/json | Success |
204 object | No Content |
400 application/json | Bad Request |
404 application/json | Not Found |
412 application/json | Precondition Failed. Missing QLIK-IDP-POPTS-MATCH header, or its value doesn't match the IDP's test configuration hash. |
PUT/identity-providers/{id}/test-result
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}/test-result" \
-X PUT \
-H "Authorization: Bearer <API-key>"
Response PUT /identity-providers/{id}/test-result
{
"status": "success",
"started": "2022-05-18T10:58:18.618Z",
"idpClaims": {},
"resultantClaims": {},
"oauth2Error": {
"error": "string",
"errorDescription": "string",
"errorURI": "string"
},
"error": "string"
}
Use to return the pending result with the specified id
This endpoint is used to retrieve a pending result from the service. It returns a 200 OK response if the pending result exists and the user (TenantAdmin) or service (edge-auth) is authorized to view the contents. It returns a 204 No Content if there is no pending result.
Path Parameters GET /identity-providers/{id}/test-result
id string | The identity-provider ID |
Responses GET /identity-providers/{id}/test-result
200 application/json | Success |
204 object | No Content |
404 application/json | Not Found |
GET/identity-providers/{id}/test-result
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}/test-result" \
-H "Authorization: Bearer <API-key>"
Response GET /identity-providers/{id}/test-result
{
"status": "success",
"started": "2022-05-18T10:58:18.618Z",
"idpClaims": {},
"resultantClaims": {},
"oauth2Error": {
"error": "string",
"errorDescription": "string",
"errorURI": "string"
},
"error": "string"
}
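The PATCH, PUT test-result and GET test-result endpoints above form one change-management flow: new OIDC settings are staged in pendingOptions, a test login produces a pendingResult, and only a verified configuration may be promoted with the promote-options operation, which must carry a QLIK-IDP-POPTS-MATCH header equal to the hash of the configuration that was actually tested. The following Python example is added here and is not Qlik's code; it uses an in-memory stand-in for the service so it runs offline. It assumes the PATCH body is a list of operations and that qlikIdpPopts is derived from the pendingOptions under test (the real derivation is not published on this page). The stand-in reproduces the documented status codes: 412 when the header is missing or refers to an older pendingOptions, and 400 when promotion is attempted before the test has passed.

```python
import hashlib
import json

POPTS_HEADER = "QLIK-IDP-POPTS-MATCH"
NOT_FOUND = {"errors": [{"code": "NOT_FOUND", "title": "Not Found", "status": 404}]}
PRECONDITION = {"errors": [{"code": "PRECONDITION_FAILED", "title": "Precondition Failed", "status": 412}]}
BAD_STATE = {"errors": [{"code": "INVALID_STATE_TRANSITION", "title": "Bad request", "status": 400}]}


class FakeIdpService:
    """In-memory stand-in for GET/PATCH /identity-providers/{id} and PUT/GET .../test-result.
    Constructed for this example; it reproduces only the status codes the page lists.
    Assumptions: the PATCH body is a list of operations, and qlikIdpPopts is derived from
    the pendingOptions under test (the real derivation is not published here)."""

    def __init__(self, idp_id, options):
        self.idp_id = idp_id
        self.idp = {"id": idp_id, "options": options, "pendingOptions": None,
                    "pendingState": None, "pendingResult": None}

    def _popts(self):
        raw = json.dumps(self.idp["pendingOptions"], sort_keys=True).encode()
        return hashlib.sha256(raw).hexdigest()

    def _popts_matches(self, headers):
        # A missing header or a hash of an older pendingOptions both fail the precondition.
        return self.idp["pendingOptions"] is not None and headers.get(POPTS_HEADER) == self._popts()

    def get(self, idp_id):
        if idp_id != self.idp_id:
            return 404, NOT_FOUND
        body = dict(self.idp)
        if body["pendingOptions"] is not None:
            body["qlikIdpPopts"] = self._popts()  # hash of the configuration being tested
        return 200, body

    def put_test_result(self, idp_id, headers, result):
        """Only edge-auth calls this in the real service, after the test login completes."""
        if idp_id != self.idp_id:
            return 404, NOT_FOUND
        if not self._popts_matches(headers):
            return 412, PRECONDITION
        self.idp["pendingResult"] = result
        self.idp["pendingState"] = "verified" if result["status"] == "success" else "error"
        return 204, None

    def get_test_result(self, idp_id):
        if idp_id != self.idp_id:
            return 404, NOT_FOUND
        if self.idp["pendingResult"] is None:
            return 204, None
        return 200, self.idp["pendingResult"]

    def patch(self, idp_id, headers, ops):
        if idp_id != self.idp_id:
            return 404, NOT_FOUND
        for op in ops:
            if op.get("op") == "replace" and op.get("path") == "/pendingOptions":
                self.idp["pendingOptions"] = op["value"]
                self.idp["pendingState"] = "pending"  # any earlier test result no longer applies
                self.idp["pendingResult"] = None
            elif op.get("op") == "promote-options":
                if not self._popts_matches(headers):
                    return 412, PRECONDITION
                if self.idp["pendingState"] != "verified":
                    return 400, BAD_STATE
                self.idp["options"] = self.idp["pendingOptions"]
                self.idp["pendingOptions"] = self.idp["pendingState"] = self.idp["pendingResult"] = None
            else:
                return 400, BAD_STATE
        return 204, None


def promote_if_verified(svc, idp_id):
    """Admin-side step: read qlikIdpPopts, require a passed test, then promote with the
    matching header. Returns (outcome, http_status) so a 412 is distinguishable from a 400."""
    status, idp = svc.get(idp_id)
    if status != 200:
        return "not-found", status
    popts = idp.get("qlikIdpPopts")
    if popts is None:
        return "nothing-pending", status
    status, result = svc.get_test_result(idp_id)
    if status != 200 or result.get("status") != "success":
        return "test-not-passed", status
    status, _ = svc.patch(idp_id, {POPTS_HEADER: popts}, [{"op": "promote-options"}])
    return ("promoted" if status == 204 else "promote-rejected"), status


def demo():
    """Happy path: stage new OIDC options, edge-auth records a successful test, promote."""
    svc = FakeIdpService("idp-1", {"discoveryUrl": "https://old.example/.well-known/openid-configuration",
                                   "clientId": "old-client"})
    new_opts = {"discoveryUrl": "https://new.example/.well-known/openid-configuration",
                "clientId": "new-client"}
    svc.patch("idp-1", {}, [{"op": "replace", "path": "/pendingOptions", "value": new_opts}])
    popts = svc.get("idp-1")[1]["qlikIdpPopts"]
    svc.put_test_result("idp-1", {POPTS_HEADER: popts},
                        {"status": "success", "idpClaims": {"sub": "u1"}, "resultantClaims": {"sub": "u1"}})
    return promote_if_verified(svc, "idp-1"), svc.get("idp-1")[1]["options"]


if __name__ == "__main__":
    print(demo())
```

The point of the header is that the value must be read back from the IDP after the test, not cached: if pendingOptions is patched again between the test and the promotion, the stored hash changes, the old header value no longer matches, and the promotion is refused with 412 rather than activating a configuration nobody logged in with.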
Use to retrieve the idp or idps for a specified tenantId
This endpoint is used to retrieve one or more identity providers belonging to a tenant. The tenantID in the JWT is used to select the identity providers.
Query Parameters GET /identity-providers
limit optional, default=20, minimum=1, maximum=100 number | The number of IDP entries to retrieve. |
next optional string | The next page cursor. |
prev optional string | The previous page cursor. |
active optional boolean | If provided, filters the results by the active field |
Responses GET /identity-providers
200 application/json | Success |
404 application/json | Not Found |
GET/identity-providers
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
-H "Authorization: Bearer <API-key>"
Response GET /identity-providers
{
"data": [],
"links": {
"self": {
"href": "string"
},
"next": {
"href": "string"
},
"prev": {
"href": "string"
}
}
}
Use to create a new identity provider resource
This endpoint is used to create an identity-provider resource. It returns a 201 Created when creation is successful, and a 403 Forbidden for a non-TenantAdmin user JWT or if the tenantID in the JWT does not match any of the tenantIDs in the payload. An IDP is created with pendingOptions or options depending on whether the IDP is interactive or not.
Request Body POST /identity-providers
application/json | No description |
Responses POST /identity-providers
201 application/json | Created |
400 application/json | Bad Request |
403 application/json | Forbidden |
POST/identity-providers
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
-X POST \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json" \
-d '<request-body>'
Use to return identity providers' metadata
This endpoint is used to retrieve identity providers metadata.
Responses GET /identity-providers/.well-known/metadata.json
200 application/json object | Success |
GET/identity-providers/.well-known/metadata.json
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/.well-known/metadata.json" \
-H "Authorization: Bearer <API-key>"
Use to return active interactive IDP metadata
This endpoint is used to retrieve IDP metadata.
Responses GET /identity-providers/me/meta
200 application/json | Success |
403 application/json | Forbidden |
404 application/json | Not Found |
500 application/json | Internal server error |
GET/identity-providers/me/meta
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/me/meta" \
-H "Authorization: Bearer <API-key>"
Response GET /identity-providers/me/meta
{
"userPortalLink": "string",
"upgradeSubscriptionLink": "string"
}
Use to return current status of idp configurations.
This endpoint is used to retrieve the status of idp configurations. Requires TenantAdmin role.
Responses GET /identity-providers/status
200 application/json | Success |
403 application/json | Forbidden |
404 application/json | Not Found |
500 application/json | Internal Server Error |
GET/identity-providers/status
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/status" \
-H "Authorization: Bearer <API-key>"
Response GET /identity-providers/status
{
"active_interactive_idps_count": 0,
"idps_metadata": [
{
"active": true,
"interactive": true,
"provider": "auth0"
}
]
}
qlikIdpPopts
string | A unique string representing a hash of the current configuration being tested.
qlikIdpPoptsMatch
string | A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested.
claimsMappingInteractive
object | Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.
Properties
sub Array<string> | A list of jsonpointers used to map the user's subject. |
name Array<string> | A list of jsonpointers used to map the user's name. |
groups Array<string> | A list of jsonpointers used to map the user's groups. |
client_id Array<string> | A list of jsonpointers used to map the user's client id. |
email Array<string> | A list of jsonpointers used to map the user's email. |
picture Array<string> | A list of jsonpointers used to map the user's picture. |
locale Array<string> | A list of jsonpointers used to map the user's locale. |
zoneinfo Array<string> | A list of jsonpointers used to map the user's zoneinfo. |
claimsMappingNonInteractive
object | Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.
Properties
sub Array<string> | A list of jsonpointers used to map the user's subject. |
client_id Array<string> | A list of jsonpointers used to map the user's client id. |
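Both claimsMappingInteractive and claimsMappingNonInteractive express each target claim as a list of JSON pointers (RFC 6901) into the claims the IDP returned. The following Python example is added here and is not Qlik's code: it implements a pointer resolver with the RFC escaping rules (`~1` for `/`, `~0` for `~`, which matters for namespaced claim names such as `https://example.com/groups`) and builds resultantClaims from a constructed ID-token payload. It assumes that the pointers in each list are tried in order and the first one that resolves to a non-null value wins; the page does not state the precedence rule, so check it against a real test-result before relying on it.

```python
_MISSING = object()


def _unescape(token):
    # RFC 6901 ordering: "~1" -> "/" first, then "~0" -> "~"
    return token.replace("~1", "/").replace("~0", "~")


def resolve_pointer(doc, pointer):
    """Evaluate an RFC 6901 JSON pointer against the IdP's claims; _MISSING if it does not resolve."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON pointer: {pointer!r}")
    node = doc
    for token in pointer.split("/")[1:]:
        key = _unescape(token)
        if isinstance(node, dict):
            if key not in node:
                return _MISSING
            node = node[key]
        elif isinstance(node, list):
            # array index: digits only, no leading zeros, in range
            if not key.isdigit() or (len(key) > 1 and key[0] == "0") or int(key) >= len(node):
                return _MISSING
            node = node[int(key)]
        else:
            return _MISSING
    return node


def map_claims(idp_claims, claims_mapping):
    """Build resultantClaims from idpClaims. Assumption: pointers in each list are tried in
    order and the first one that resolves to a non-null value wins."""
    resultant = {}
    for claim, pointers in claims_mapping.items():
        for pointer in pointers:
            value = resolve_pointer(idp_claims, pointer)
            if value is not _MISSING and value is not None:
                resultant[claim] = value
                break
    return resultant


def missing_required(resultant, required=("sub",)):
    """Claims a login cannot proceed without; a non-empty list is what a claimsError looks like."""
    return [c for c in required if c not in resultant]


# Constructed sample: an ID token payload in the style of a tenant that publishes groups under a
# namespaced claim (the "/" characters in the key are escaped as "~1" in the pointer).
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://tenant.example.com/",
    "sub": "auth0|5f3c9a1e",
    "preferred_username": "alice",
    "email": "alice@example.com",
    "https://example.com/groups": ["analysts", "tenant-admins"],
    "locale": "en-GB",
}

# Hypothetical mappings, in the shape of claimsMappingInteractive / claimsMappingNonInteractive.
INTERACTIVE_MAPPING = {
    "sub": ["/sub"],
    "name": ["/name", "/preferred_username"],  # fall back when the IdP omits "name"
    "email": ["/email", "/upn"],
    "groups": ["/groups", "/https:~1~1example.com~1groups", "/realm_access/roles"],
    "picture": ["/picture"],
    "locale": ["/locale"],
    "zoneinfo": ["/zoneinfo"],
}
NON_INTERACTIVE_MAPPING = {"sub": ["/sub"], "client_id": ["/client_id", "/azp"]}

if __name__ == "__main__":
    out = map_claims(SAMPLE_ID_TOKEN_CLAIMS, INTERACTIVE_MAPPING)
    print(out, missing_required(out))
```

Claims that no pointer resolves (picture, zoneinfo above) are simply absent from the result; what must never be absent is `sub`, since that is the identity everything downstream keys on, which is why the check for required claims is separate from the mapping itself.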
OpenIDConfiguration
object | OpenID configuration
Properties
issuer string | OpenID Provider issuer |
authorization_endpoint string | OAuth 2.0 Authorization Endpoint |
token_endpoint string | OAuth 2.0 Token Endpoint |
userinfo_endpoint optional string | URL of the OP's UserInfo Endpoint |
jwks_uri string | URL of the OP's JSON Web Key Set [JWK] document |
introspection_endpoint optional string | The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information. |
end_session_endpoint optional string | URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. |
CreateCommonPayload
object
Properties
tenantIds Array<string> | The tenant identifiers that map to the given IDP |
protocol | The protocol to be used for communicating with the identity provider. Enum: OIDC jwtAuth qsefw-local-bearer-token |
provider | The identity provider to be used. Enum: auth0 okta qlik generic salesforce keycloak adfs external |
interactive default=false boolean | Indicates whether the IDP is meant for interactive login |
description optional string | No description |
createNewUsersOnLogin optional, default=true boolean | Tells the consumer of the IDP that new users should be created on login if they don't exist |
postLogoutRedirectUri optional string | Direct the user on logout to a specific URI |
clockToleranceSec optional, default=5, minimum=0, maximum=7200 number | There can be clock skew between the IDP and Qlik's login server; a tolerance in seconds can be set to allow for it. Decimals are rounded off. |
CreateOIDCPayload
Payload for creating an OIDC-compatible identity provider.
Properties
tenantIds Array<string> | The tenant identifiers that map to the given IDP |
protocol string | No description |
provider | The identity provider to be used. Enum: auth0 okta qlik generic salesforce keycloak adfs external |
interactive default=false boolean | Indicates whether the IDP is meant for interactive login |
description string | No description |
createNewUsersOnLogin default=true boolean | Tells the consumer of the IDP that new users should be created on login if they don't exist |
postLogoutRedirectUri string | Direct the user on logout to a specific URI |
clockToleranceSec default=5, minimum=0, maximum=7200 number | There can be clock skew between the IDP and Qlik's login server; a tolerance in seconds can be set to allow for it. Decimals are rounded off. |
options | No description |
pendingOptions | No description |
CreateJWTAuthPayload
Payload for creating an identity provider using JWT authentication.
Properties
tenantIds Array<string> | The tenant identifiers that map to the given IDP |
protocol string | No description |
provider | The identity provider to be used. Enum: auth0 okta qlik generic salesforce keycloak adfs external |
interactive default=false boolean | Indicates whether the IDP is meant for interactive login |
description string | No description |
createNewUsersOnLogin default=true boolean | Tells the consumer of the IDP that new users should be created on login if they don't exist |
postLogoutRedirectUri string | Direct the user on logout to a specific URI |
clockToleranceSec default=5, minimum=0, maximum=7200 number | There can be clock skew between the IDP and Qlik's login server; a tolerance in seconds can be set to allow for it. Decimals are rounded off. |
issuer string | The JWT issuer |
staticKeys | Keys for verifying JWTs. Limited to 1 key per identity provider. |
IDPPatchSchema
oneOf: PatchOIDCPayload | PatchJWTAuthPayload
PatchOIDCPayload
object | A patch request for an identity provider using the OIDC protocol.
Properties
op string | The "operation" to be performed on a given IDP. Currently supports a custom operation value called "promote-options" that allows the test configuration to be promoted to the current configuration used for login. Enum: replace promote-options |
path optional string | The "path" to the part of the IDP document. Enum: /active /description /meta /options /options/realm /options/discoveryUrl /options/clientId /options/clientSecret /pendingOptions /pendingOptions/realm /pendingOptions/discoveryUrl /pendingOptions/clientId /pendingOptions/clientSecret /pendingOptions/emailVerifiedAlwaysTrue /postLogoutRedirectUri /clockToleranceSec |
value optional | The "value" data type is dependent on the path value being used. |
PatchJWTAuthPayload
object | A patch request for an identity provider using the jwtAuth protocol.
Properties
op string | The "operation" to be performed on a given IDP. Enum: replace |
path optional string | The "path" to the part of the IDP document. Enum: /description |
value optional | The "value" data type is dependent on the path value being used. |
IDPArray
object
Properties
data Array<IDP> | An array of IDPs. |
links | Contains pagination links |
Links
object | Contains pagination links
Properties
self object | No description |
next object | No description |
prev object | No description |
IDPProtocol
string | The protocol to be used for communicating with the identity provider.
IDPProvider
string | The identity provider to be used. external is reserved for JWT Auth identity providers.
BaseIDP
object
Properties
id string | The unique identifier for the IDP |
tenantIds Array<string> | The tenant identifiers associated with the given IDP |
protocol | The protocol to be used for communicating with the identity provider. Enum: OIDC jwtAuth qsefw-local-bearer-token |
provider | The identity provider to be used. Enum: auth0 okta qlik generic salesforce keycloak adfs external |
interactive boolean | Indicates the type of connection with the IDP, either interactive login or a machine to machine connection. |
active boolean | Indicates whether the IDP is available for use. |
createNewUsersOnLogin boolean | When the flag is true, new users should be created when logging in for the first time. |
postLogoutRedirectUri string | Direct the user on logout to a specific URI |
created string | The timestamp for when the IDP was created. |
lastUpdated string | The timestamp for when the IDP was last updated. |
description string | No description |
meta object | No description |
clockToleranceSec number | No description |
IDP
oneOf: IDPOIDC (an OIDC-compliant identity provider) | IDPJWTAuth (an identity provider for JWT authentication)
IDPOIDC
An OIDC-compliant identity provider.
Properties
id string | The unique identifier for the IDP |
tenantIds Array<string> | The tenant identifiers associated with the given IDP |
protocol | The protocol to be used for communicating with the identity provider. Enum: OIDC jwtAuth qsefw-local-bearer-token |
provider | The identity provider to be used. Enum: auth0 okta qlik generic salesforce keycloak adfs external |
interactive boolean | Indicates the type of connection with the IDP, either interactive login or a machine to machine connection. |
active boolean | Indicates whether the IDP is available for use. |
createNewUsersOnLogin boolean | When the flag is true, new users should be created when logging in for the first time. |
postLogoutRedirectUri string | Direct the user on logout to a specific URI |
created string | The timestamp for when the IDP was created. |
lastUpdated string | The timestamp for when the IDP was last updated. |
description string | No description |
meta object | No description |
clockToleranceSec number | No description |
options | No description |
pendingOptions | No description |
pendingResult | No description |
pendingState string | The state of pendingOptions. This represents the latest idp test result. Enum: verified pending error |
IDPJWTAuth
An identity provider for JWT authentication.
Properties
id string | The unique identifier for the IDP |
tenantIds Array<string> | The tenant identifiers associated with the given IDP |
protocol | The protocol to be used for communicating with the identity provider. Enum: OIDC jwtAuth qsefw-local-bearer-token |
provider | The identity provider to be used. Enum: auth0 okta qlik generic salesforce keycloak adfs external |
interactive boolean | Indicates the type of connection with the IDP, either interactive login or a machine to machine connection. |
active boolean | Indicates whether the IDP is available for use. |
createNewUsersOnLogin boolean | When the flag is true, new users should be created when logging in for the first time. |
postLogoutRedirectUri string | Direct the user on logout to a specific URI |
created string | The timestamp for when the IDP was created. |
lastUpdated string | The timestamp for when the IDP was last updated. |
description string | No description |
meta object | No description |
clockToleranceSec number | No description |
options | No description |
IDPOptions
object
Properties
realm string | The realm identifier for the IDP. |
discoveryUrl string | The OpenID configuration endpoint. (Ex: https://<domain>/.well-known/openid-configuration) |
clientId string | The client identifier used as part of authenticating an interactive identity provider |
clientSecret string | The client secret used as part of authenticating an interactive identity provider |
claimsMapping | Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from. |
scope string | Scope which will be sent along with token requests to the IDP |
blockOfflineAccessScope boolean | If true, the |
issuer string | The issuer. This field is only used in QSEfW IDPs. |
emailVerifiedAlwaysTrue boolean | Determines if email_verified should be always true. This field is only used in ADFS and AzureAD IDPs |
openid_configuration | OpenID configuration |
IDPsStatus
object
Properties
active_interactive_idps_count number | The number of active interactive IDPs. |
idps_metadata | A list of IDP metadata |
IDPMeta
object
Properties
userPortalLink string | A link to direct you to where you can manage your Qlik account. Only available if the default identity provider is used (no custom interactive identity providers are active). |
upgradeSubscriptionLink string | A link to direct you to where you can upgrade your trial or manage your subscriptions. Only available if the default identity provider is used (no custom interactive identity providers are active). |
PendingResult
object
Properties
status string | The status of the IDP configuration being tested. Enum: success pending error claimsError callbackError tokenError protocolError networkError configChangedDuringTestError |
started optional string<date-time> | The timestamp for when the test was started for an IDP configuration. This field is only available during lifespan of the test. |
idpClaims optional object | The claims retrieved from the external IDP. |
resultantClaims optional object | The resultant claims based on the claims received from the external IDP |
oauth2Error | No description |
error optional string | A unique readable error message based on the error that has occurred. |
Errors
object | A representation of the errors encountered from the HTTP request.
Properties
errors | No description |
Error
object | An error object.
Properties
code string | The error code. |
title string | Summary of the problem. |
status optional number | The HTTP status code. |
detail optional string | A human-readable explanation specific to this occurrence of the problem. |
meta optional object | Additional properties relating to the error. |
source optional | References to the source of the error. |