Identity providers

• application/jsonobject
  Show application/json properties

  • dataarray of objects

    An array of IdPs.

    One of:

    • IDPOIDCobject

      An OIDC-compliant identity provider.

      Show IDPOIDC properties

      • idstring

        The unique identifier for the IdP.

      • metaobject
      • activeboolean

        Indicates whether the IdP is available for use.

      • createdstring

        The timestamp for when the IdP was created.

        format = "date-time"

      • protocolstring

        The protocol to be used for communicating with the identity provider. Valid values are OIDC, SAML, jwtAuth, and qsefw-local-bearer-token.

        Can be one of: "OIDC""SAML""jwtAuth""qsefw-local-bearer-token"

      • providerstring

        The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external.

        Can be one of: "auth0""okta""qlik""generic""salesforce""keycloak""adfs""external""azureAD"

      • tenantIdsarray of strings

        The tenant identifiers associated with the given IdP.

      • descriptionstring
      • interactiveboolean

        Indicates the type of connection with the IdP, either interactive login or a machine to machine connection.

      • lastUpdatedstring

        The timestamp for when the IdP was last updated.

        format = "date-time"

      • clockToleranceSecinteger
      • createNewUsersOnLoginboolean

        When the flag is true, new users should be created when logging in for the first time.

      • postLogoutRedirectUristring

        Direct the user on logout to a specific URI.

      • optionsobject
        Show options properties

        • realmstring

          The realm identifier for the IdP.

        • scopestring

          Scope that will be sent along with token requests to the IdP.

        • issuerstring

          This field is only used in Qlik Sense Enterprise Client-Managed IdPs.

        • clientIdstring

          The client identifier used as part of authenticating an interactive identity provider.

        • clientSecretstring

          The client secret used as part of authenticating an interactive identity provider.

        • discoveryUrlstring

          The OpenID configuration endpoint. (Ex: https:///.well-known/openid-configuration).

        • claimsMappingobject

          Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from.

          Show claimsMapping properties

          • subarray of strings

            A list of JSON pointers used to map the user's subject.

          • namearray of strings

            A list of JSON pointers used to map the user's name.

          • emailarray of strings

            A list of JSON pointers used to map the user's email.

          • groupsarray of strings

            A list of JSON pointers used to map the user's groups.

          • localearray of strings

            A list of JSON pointers used to map the user's locale.

          • picturearray of strings

            A list of JSON pointers used to map the user's picture.

          • zoneinfoarray of strings

            A list of JSON pointers used to map the user's zoneinfo.

          • client_idarray of strings

            A list of JSON pointers used to map the user's client ID.

          • email_verifiedarray of strings

            A list of JSON pointers used to map the user's email_verified claim.

        • decryptingKeyobject

          A decrypting key used to decrypt OIDC encrypted assertions

          Show decryptingKey properties

          • jwksstring

            The public key in jwk format

          • keyIdstring

            The id of the decrypting key

          • keySizeinteger

            Required

            The algorithm size of the decrypting key

          • keyTypestring

            Required

            The algorithm type of the decrypting key

          • createdAtstring

            The timestamp for when the decrypting key was created.

            format = "date-time"

          • createdBystring

            The user id of the user who created the decrypting key

          • publicKeystring

            The public key in pem format

          • certificatestring

            The key's certificate in pem format

        • openid_configurationobject

          OpenID configuration

          Show openid_configuration properties

          • issuerstring

            Required

            OpenID Provider issuer

          • jwks_uristring

            Required

            URL of the OP's JSON Web Key Set [JWK] document

          • token_endpointstring

            Required

            OAuth 2.0 Token Endpoint

          • userinfo_endpointstring

            URL of the OP's UserInfo Endpoint

          • end_session_endpointstring

            URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

          • authorization_endpointstring

            Required

            OAuth 2.0 Authorization Endpoint

          • introspection_endpointstring

            The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.

        • blockOfflineAccessScopeboolean

          If true, the offline_access scope will not be requested from the IdP, where applicable.

        • emailVerifiedAlwaysTrueboolean

          Determines if email_verified should be always true. This field is only used in ADFS and AzureAD IdPs.

      • pendingStatestring

        The state of pendingOptions. This represents the latest IdP test result.

        Can be one of: "verified""pending""error"

      • pendingResultobject
        Show pendingResult properties

        • errorstring

          A unique readable error message based on the error that has occurred.

        • statusstring

          Required

          The status of the IdP configuration being tested.

          Can be one of: "success""pending""error""claimsError""callbackError""tokenError""protocolError""networkError""configChangedDuringTestError"

        • startedstring

          The timestamp for when the test was started for an IdP configuration. This field is only available during lifespan of the test.

          format = "date-time"

        • protocolstring

          The protocol used to communicate with the IdP during the test flow.

          Can be one of: "OIDC""SAML"

        • idpClaimsobject

          The claims retrieved from the external IdP.

        • oauth2Errorobject
          Show oauth2Error properties

          • errorstring

            Required

            An error code to identity the authentication error.

          • errorURIstring

            An optional URI that includes additional information about the given error.

          • errorDescriptionstring

            An optional human-readable description for the given error code.

        • resultantClaimsobject

          The resultant claims based on the claims received from the external IdP.

      • pendingOptionsobject
        Show pendingOptions properties

        • realmstring

          The realm identifier for the IdP.

        • scopestring

          Scope that will be sent along with token requests to the IdP.

        • issuerstring

          This field is only used in Qlik Sense Enterprise Client-Managed IdPs.

        • clientIdstring

          The client identifier used as part of authenticating an interactive identity provider.

        • clientSecretstring

          The client secret used as part of authenticating an interactive identity provider.

        • discoveryUrlstring

          The OpenID configuration endpoint. (Ex: https:///.well-known/openid-configuration).

        • claimsMappingobject

          Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from.

          Show claimsMapping properties

          • subarray of strings

            A list of JSON pointers used to map the user's subject.

          • namearray of strings

            A list of JSON pointers used to map the user's name.

          • emailarray of strings

            A list of JSON pointers used to map the user's email.

          • groupsarray of strings

            A list of JSON pointers used to map the user's groups.

          • localearray of strings

            A list of JSON pointers used to map the user's locale.

          • picturearray of strings

            A list of JSON pointers used to map the user's picture.

          • zoneinfoarray of strings

            A list of JSON pointers used to map the user's zoneinfo.

          • client_idarray of strings

            A list of JSON pointers used to map the user's client ID.

          • email_verifiedarray of strings

            A list of JSON pointers used to map the user's email_verified claim.

        • decryptingKeyobject

          A decrypting key used to decrypt OIDC encrypted assertions

          Show decryptingKey properties

          • jwksstring

            The public key in jwk format

          • keyIdstring

            The id of the decrypting key

          • keySizeinteger

            Required

            The algorithm size of the decrypting key

          • keyTypestring

            Required

            The algorithm type of the decrypting key

          • createdAtstring

            The timestamp for when the decrypting key was created.

            format = "date-time"

          • createdBystring

            The user id of the user who created the decrypting key

          • publicKeystring

            The public key in pem format

          • certificatestring

            The key's certificate in pem format

        • openid_configurationobject

          OpenID configuration

          Show openid_configuration properties

          • issuerstring

            Required

            OpenID Provider issuer

          • jwks_uristring

            Required

            URL of the OP's JSON Web Key Set [JWK] document

          • token_endpointstring

            Required

            OAuth 2.0 Token Endpoint

          • userinfo_endpointstring

            URL of the OP's UserInfo Endpoint

          • end_session_endpointstring

            URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

          • authorization_endpointstring

            Required

            OAuth 2.0 Authorization Endpoint

          • introspection_endpointstring

            The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.

        • blockOfflineAccessScopeboolean

          If true, the offline_access scope will not be requested from the IdP, where applicable.

        • emailVerifiedAlwaysTrueboolean

          Determines if email_verified should be always true. This field is only used in ADFS and AzureAD IdPs.

    • IDPSAMLobject

      A SAML-compliant identity provider.

      Show IDPSAML properties

      • idstring

        The unique identifier for the IdP.

      • metaobject
      • activeboolean

        Indicates whether the IdP is available for use.

      • createdstring

        The timestamp for when the IdP was created.

        format = "date-time"

      • protocolstring

        The protocol to be used for communicating with the identity provider. Valid values are OIDC, SAML, jwtAuth, and qsefw-local-bearer-token.

        Can be one of: "OIDC""SAML""jwtAuth""qsefw-local-bearer-token"

      • providerstring

        The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external.

        Can be one of: "auth0""okta""qlik""generic""salesforce""keycloak""adfs""external""azureAD"

      • tenantIdsarray of strings

        The tenant identifiers associated with the given IdP.

      • descriptionstring
      • interactiveboolean

        Indicates the type of connection with the IdP, either interactive login or a machine to machine connection.

      • lastUpdatedstring

        The timestamp for when the IdP was last updated.

        format = "date-time"

      • clockToleranceSecinteger
      • createNewUsersOnLoginboolean

        When the flag is true, new users should be created when logging in for the first time.

      • postLogoutRedirectUristring

        Direct the user on logout to a specific URI.

      • optionsobject
        Show options properties

        • entityIdstring

          The entity URL for the SAML IdP.

        • signOnUrlstring

          The sign on URL for the SAML IdP.

        • signingKeysarray of objects

          Set of certificates used to sign SAMLRequest payloads. Not present in pendingOptions.

          Show signingKeys properties

          • refIdstring

            The reference ID for choosing this key pair.

          • certificatestring

            The certificate to be uploaded to the identity provider for verifying SAML requests.

        • certificatesarray of objects

          The certificates used for validating signed responses.

          Show certificates properties

          • namestring

            Given name for this certificate.

          • signatureboolean

            Indicates whether the certificate is used for the signature.

            default = true

          • encryptionboolean

            Indicates whether the certificate is used for encryption.

            default = false

          • certificatestring

            Required

            The X.509 certificate for validating signed SAML responses.

        • nameIdFormatstring

          The name identifier format that will be requested from the identity provider.

          Can be one of: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress""urn:oasis:names:tc:SAML:2.0:nameid-format:persistent""urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

        • claimsMappingobject

          Mappings from claim name to an array of SAML attribute names that point to locations in the claims from the IdP to retrieve the value from.

          Show claimsMapping properties

          • subarray of strings

            Required

            A list of SAML attributes used to map the user's subject.

          • namearray of strings

            Required

            A list of SAML attributes used to map the user's name.

          • emailarray of strings

            Required

            A list of SAML attributes used to map the user's email.

          • groupsarray of strings

            Required

            A list of SAML attributes used to map the user's groups.

          • picturearray of strings

            Required

            A list of SAML attributes used to map the user's picture.

        • allowIdpInitiatedLoginboolean

          Toggle to allow IdP initated login by the SAML IdP.

        • signingKeySelectedRefIdstring

          The reference ID of the chosen signing key pair.

      • pendingStatestring

        The state of pendingOptions. This represents the latest IdP test result.

        Can be one of: "verified""pending""error"

      • pendingResultobject
        Show pendingResult properties

        • errorstring

          A unique readable error message based on the error that has occurred.

        • statusstring

          Required

          The status of the IdP configuration being tested.

          Can be one of: "success""pending""error""claimsError""callbackError""tokenError""protocolError""networkError""configChangedDuringTestError"

        • startedstring

          The timestamp for when the test was started for an IdP configuration. This field is only available during lifespan of the test.

          format = "date-time"

        • protocolstring

          The protocol used to communicate with the IdP during the test flow.

          Can be one of: "OIDC""SAML"

        • idpClaimsobject

          The claims retrieved from the external IdP.

        • oauth2Errorobject
          Show oauth2Error properties

          • errorstring

            Required

            An error code to identity the authentication error.

          • errorURIstring

            An optional URI that includes additional information about the given error.

          • errorDescriptionstring

            An optional human-readable description for the given error code.

        • resultantClaimsobject

          The resultant claims based on the claims received from the external IdP.

      • pendingOptionsobject
        Show pendingOptions properties

        • entityIdstring

          The entity URL for the SAML IdP.

        • signOnUrlstring

          The sign on URL for the SAML IdP.

        • signingKeysarray of objects

          Set of certificates used to sign SAMLRequest payloads. Not present in pendingOptions.

          Show signingKeys properties

          • refIdstring

            The reference ID for choosing this key pair.

          • certificatestring

            The certificate to be uploaded to the identity provider for verifying SAML requests.

        • certificatesarray of objects

          The certificates used for validating signed responses.

          Show certificates properties

          • namestring

            Given name for this certificate.

          • signatureboolean

            Indicates whether the certificate is used for the signature.

            default = true

          • encryptionboolean

            Indicates whether the certificate is used for encryption.

            default = false

          • certificatestring

            Required

            The X.509 certificate for validating signed SAML responses.

        • nameIdFormatstring

          The name identifier format that will be requested from the identity provider.

          Can be one of: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress""urn:oasis:names:tc:SAML:2.0:nameid-format:persistent""urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

        • claimsMappingobject

          Mappings from claim name to an array of SAML attribute names that point to locations in the claims from the IdP to retrieve the value from.

          Show claimsMapping properties

          • subarray of strings

            Required

            A list of SAML attributes used to map the user's subject.

          • namearray of strings

            Required

            A list of SAML attributes used to map the user's name.

          • emailarray of strings

            Required

            A list of SAML attributes used to map the user's email.

          • groupsarray of strings

            Required

            A list of SAML attributes used to map the user's groups.

          • picturearray of strings

            Required

            A list of SAML attributes used to map the user's picture.

        • allowIdpInitiatedLoginboolean

          Toggle to allow IdP initated login by the SAML IdP.

        • signingKeySelectedRefIdstring

          The reference ID of the chosen signing key pair.

    • IDPJWTAuthobject

      An identity provider for JWT authentication.

      Show IDPJWTAuth properties

      • idstring

        The unique identifier for the IdP.

      • metaobject
      • activeboolean

        Indicates whether the IdP is available for use.

      • createdstring

        The timestamp for when the IdP was created.

        format = "date-time"

      • protocolstring

        The protocol to be used for communicating with the identity provider. Valid values are OIDC, SAML, jwtAuth, and qsefw-local-bearer-token.

        Can be one of: "OIDC""SAML""jwtAuth""qsefw-local-bearer-token"

      • providerstring

        The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external.

        Can be one of: "auth0""okta""qlik""generic""salesforce""keycloak""adfs""external""azureAD"

      • tenantIdsarray of strings

        The tenant identifiers associated with the given IdP.

      • descriptionstring
      • interactiveboolean

        Indicates the type of connection with the IdP, either interactive login or a machine to machine connection.

      • lastUpdatedstring

        The timestamp for when the IdP was last updated.

        format = "date-time"

      • clockToleranceSecinteger
      • createNewUsersOnLoginboolean

        When the flag is true, new users should be created when logging in for the first time.

      • postLogoutRedirectUristring

        Direct the user on logout to a specific URI.

      • optionsobject
        Show options properties

        • issuerstring

          The expected JWT issuer

        • staticKeysarray of objects
          Show staticKeys properties

          • kidstring

            Key ID used to sign the JWTs.

          • pemstring

            Pem-encoded public key for verifying the JWTs.

  • linksobject

    Contains pagination links.

    Show links properties

    • nextobject
      Show next properties

      • hrefstring

        Link to the next page of items.

    • prevobject
      Show prev properties

      • hrefstring

        Link to the previous page of items.

    • selfobject
      Show self properties

      • hrefstring

        Link to the current page of items.

A representation of the errors encountered from the HTTP request.

• application/jsonobject

  A representation of the errors encountered from the HTTP request.

  Show application/json properties

  • errorsarray of objects

    An error object.

    Show errors properties

    • codestring

      Required

      The error code.

    • metaobject

      Additional properties relating to the error.

    • titlestring

      Required

      Summary of the problem.

    • detailstring

      A human-readable explanation specific to this occurrence of the problem.

    • sourceobject

      References to the source of the error.

      Show source properties

      • pointerstring

        A JSON pointer to the property that caused the error.

      • parameterstring

        The URI query parameter that caused the error.

    • statusnumber

      The HTTP status code.

• application/jsonobject
  One of:

  • CreateOIDCPayloadobject

    Payload for creating an OIDC-compatible identity provider.

    Show CreateOIDCPayload properties

    • optionsobject

      Required OIDC configurations for non-interactive IdPs and interactive IdPs with skipVerify flag enabled.

      Show options properties

      • realmstring

        The realm identifier for the IdP.

        maxLength = 254, pattern = "^[A-Za-z0-9][A-Za-z0-9.\-_]+$"

      • audiencestring

        Allows for setting audience in access tokens.

        maxLength = 256

      • discoveryUrlstring

        The OpenID configuration endpoint. (Ex: https:///.well-known/openid-configuration). Required if openid_configuration is not given.

      • claimsMappingobject

        Required

        Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from.

        Show claimsMapping properties

        • subarray of strings

          A list of JSON pointers used to map the user's subject.

        • client_idarray of strings

          A list of JSON pointers used to map the user's client ID.

      • allowedClientIdsarray of strings

        Only clients with IDs in this list will be allowed API access. A blank list or empty value means any client IDs authenticated against the IdP will be allowed access.

      • openid_configurationobject

        OpenID configuration

        Show openid_configuration properties

        • issuerstring

          Required

          OpenID Provider issuer

        • jwks_uristring

          Required

          URL of the OP's JSON Web Key Set [JWK] document

        • token_endpointstring

          Required

          OAuth 2.0 Token Endpoint

        • userinfo_endpointstring

          URL of the OP's UserInfo Endpoint

        • end_session_endpointstring

          URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

        • authorization_endpointstring

          Required

          OAuth 2.0 Authorization Endpoint

        • introspection_endpointstring

          The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.

    • protocolstring

      Required

      The protocol to be used for communicating with the identity provider.

      Can be one of: "OIDC"

    • providerstring

      Required

      The identity provider to be used.

      Can be one of: "auth0""okta""generic""salesforce""keycloak""adfs""azureAD"

    • tenantIdsarray of strings

      The tenant identifiers that map to the given IdP.

    • skipVerifyboolean

      If set to true, skips IdP verification process and assumes the IdP is verified.

      default = false

    • descriptionstring

      maxLength = 128

    • interactiveboolean

      Required

      Indicates whether the IdP is meant for interactive login.

      default = false

    • pendingOptionsobject

      Required OIDC configurations for interactive IdPs that require verification.

      Show pendingOptions properties

      • realmstring

        The realm identifier for the IdP.

        maxLength = 254, pattern = "^[A-Za-z0-9][A-Za-z0-9.\-_]+$"

      • scopestring

        Scope which will be sent along with token requests to the IdP. Scopes should be space delimited. Will default to certain values depending on the IdP provider.

        maxLength = 254

      • clientIdstring

        Required

        The client identifier used as part of authenticating an interactive identity provider.

      • clientSecretstring

        Required

        The client secret used as part of authenticating an interactive identity provider.

      • discoveryUrlstring

        The OpenID configuration endpoint. (Ex: https:///.well-known/openid-configuration). Required if openid_configuration is not given.

      • claimsMappingobject

        Required

        Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from.

        Show claimsMapping properties

        • subarray of strings

          A list of JSON pointers used to map the user's subject.

        • namearray of strings

          A list of JSON pointers used to map the user's name.

        • emailarray of strings

          A list of JSON pointers used to map the user's email.

        • groupsarray of strings

          A list of JSON pointers used to map the user's groups.

        • localearray of strings

          A list of JSON pointers used to map the user's locale.

        • picturearray of strings

          A list of JSON pointers used to map the user's picture.

        • zoneinfoarray of strings

          A list of JSON pointers used to map the user's zoneinfo.

        • client_idarray of strings

          A list of JSON pointers used to map the user's client ID.

        • email_verifiedarray of strings

          A list of JSON pointers used to map the user's email_verified claim.

      • decryptingKeyobject

        A decrypting key used to decrypt OIDC encrypted assertions

        Show decryptingKey properties

        • jwksstring

          The public key in jwk format

        • keyIdstring

          The id of the decrypting key

        • keySizeinteger

          Required

          The algorithm size of the decrypting key

        • keyTypestring

          Required

          The algorithm type of the decrypting key

        • createdAtstring

          The timestamp for when the decrypting key was created.

          format = "date-time"

        • createdBystring

          The user id of the user who created the decrypting key

        • publicKeystring

          The public key in pem format

        • certificatestring

          The key's certificate in pem format

      • idTokenSignatureAlgstring

        The algorithm used to sign the ID token. The default algorithm is RS256.

        Can be one of: "RS256""RS512"

        default = "RS256"

      • openid_configurationobject

        OpenID configuration

        Show openid_configuration properties

        • issuerstring

          Required

          OpenID Provider issuer

        • jwks_uristring

          Required

          URL of the OP's JSON Web Key Set [JWK] document

        • token_endpointstring

          Required

          OAuth 2.0 Token Endpoint

        • userinfo_endpointstring

          URL of the OP's UserInfo Endpoint

        • end_session_endpointstring

          URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

        • authorization_endpointstring

          Required

          OAuth 2.0 Authorization Endpoint

        • introspection_endpointstring

          The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.

      • useClaimsFromIdTokenboolean

        If true, will use the claims from the ID token. By default it is set to true for ADFS and AzureAD.

      • blockOfflineAccessScopeboolean

        When true, the offline_access scope will not be requested from the IdP where applicable.

      • emailVerifiedAlwaysTrueboolean

        Only ADFS and AzureAD IdPs can set this property. For ADFS and AzureAD, it defaults to false. For other IdPs, it defaults to undefined.

    • clockToleranceSecinteger

      There can be clock skew between the IdP and Qlik's login server. In these cases, a tolerance can be set.

      minimum = 0, maximum = 7200, default = 5, default = 5

    • createNewUsersOnLoginboolean

      Tells the consumer of the IdP that new users should be created on login if they don't exist.

      default = true

    • postLogoutRedirectUristring

      Direct the user on logout to a specific URI.

      maxLength = 2083

  • CreateJWTAuthPayloadobject

    Payload for creating an identity provider using JWT authentication.

    Show CreateJWTAuthPayload properties

    • optionsobject

      Required

      Required IdP configurations.

      Show options properties

      • issuerstring

        Required

        The JWT issuer.

      • staticKeysarray of objects

        Required

        Keys for verifying JWTs. Limited to 1 key per identity provider.

        Show staticKeys properties

        • kidstring

          Required

          Key ID used to sign the JWTs.

        • pemstring

          Required

          Pem-encoded public key for verifying the JWTs.

    • protocolstring

      Required

      The protocol to be used for communicating with the identity provider.

      Can be one of: "jwtAuth"

    • providerstring

      Required

      The identity provider to be used.

      Can be one of: "external"

    • tenantIdsarray of strings

      The tenant identifiers that map to the given IdP.

    • descriptionstring

      maxLength = 128

    • clockToleranceSecinteger

      There can be clock skew between the IdP and Qlik's login server. In these cases, a tolerance can be set.

      minimum = 0, maximum = 7200, default = 5, default = 5

  • CreateSAMLPayloadobject

    Payload for creating a SAML compatible identity provider.

    Show CreateSAMLPayload properties

    • optionsobject

      Required SAML configurations for IdPs with skipVerify flag enabled.

      Show options properties

      • entityIdstring

        The entity ID for the SAML IdP. Required if metadata is not provided.

      • metadataobject

        Metadata for the SAML IdP. Required if individual SAML parameters are not provided.

        Show metadata properties

        • rawstring

          Required

          The IDP metadata XML in base64-encoded format.

          format = "byte"

      • signOnUrlstring

        The sign on URL for the SAML IdP. Required if metadata is not provided.

      • certificatesarray of objects

        The certificates used for validating signed responses. Required if metadata is not provided.

        minItems = 1, maxItems = 5

        Show certificates properties

        • namestring

          Given name for this certificate.

        • signatureboolean

          Indicates whether the certificate is used for the signature.

          default = true

        • encryptionboolean

          Indicates whether the certificate is used for encryption.

          default = false

        • certificatestring

          Required

          The X.509 certificate for validating signed SAML responses.

      • nameIdFormatstring

        The name identifier format that will be requested from the identity provider.

        Can be one of: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress""urn:oasis:names:tc:SAML:2.0:nameid-format:persistent""urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

      • claimsMappingobject

        Required

        Mappings from claim name to an array of SAML attribute names that point to locations in the claims from the IdP to retrieve the value from.

        Show claimsMapping properties

        • subarray of strings

          Required

          A list of SAML attributes used to map the user's subject.

        • namearray of strings

          Required

          A list of SAML attributes used to map the user's name.

        • emailarray of strings

          Required

          A list of SAML attributes used to map the user's email.

        • groupsarray of strings

          Required

          A list of SAML attributes used to map the user's groups.

        • picturearray of strings

          Required

          A list of SAML attributes used to map the user's picture.

      • allowIdpInitiatedLoginboolean

        Toggle to allow IdP initated login by the SAML IdP.

        default = false

    • protocolstring

      Required

      The protocol to be used for communicating with the identity provider.

      Can be one of: "SAML"

    • providerstring

      Required

      The identity provider to be used.

      Can be one of: "okta""generic""adfs""azureAD"

    • tenantIdsarray of strings

      The tenant identifiers that map to the given IdP.

    • skipVerifyboolean

      If set to true, skips IdP verification process and assumes the IdP is verified.

      default = false

    • descriptionstring

      maxLength = 128

    • interactiveboolean

      Required

      Indicates whether the IdP is meant for interactive login. Must be true for SAML IdPs.

    • pendingOptionsobject

      Required configurations for SAML IdPs that require verification.

      Show pendingOptions properties

      • entityIdstring

        The entity ID for the SAML IdP. Required if metadata is not provided.

      • metadataobject

        Metadata for the SAML IdP. Required if individual SAML parameters are not provided.

        Show metadata properties

        • rawstring

          Required

          The IDP metadata XML in base64-encoded format.

          format = "byte"

      • signOnUrlstring

        The sign on URL for the SAML IdP. Required if metadata is not provided.

      • certificatesarray of objects

        The certificates used for validating signed responses. Required if metadata is not provided.

        Show certificates properties

        • namestring

          Given name for this certificate.

        • signatureboolean

          Indicates whether the certificate is used for the signature.

          default = true

        • encryptionboolean

          Indicates whether the certificate is used for encryption.

          default = false

        • certificatestring

          Required

          The X.509 certificate for validating signed SAML responses.

      • nameIdFormatstring

        The name identifier format that will be requested from the identity provider.

        Can be one of: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress""urn:oasis:names:tc:SAML:2.0:nameid-format:persistent""urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

      • claimsMappingobject

        Required

        Mappings from claim name to an array of SAML attribute names that point to locations in the claims from the IdP to retrieve the value from.

        Show claimsMapping properties

        • subarray of strings

          Required

          A list of SAML attributes used to map the user's subject.

        • namearray of strings

          Required

          A list of SAML attributes used to map the user's name.

        • emailarray of strings

          Required

          A list of SAML attributes used to map the user's email.

        • groupsarray of strings

          Required

          A list of SAML attributes used to map the user's groups.

        • picturearray of strings

          Required

          A list of SAML attributes used to map the user's picture.

      • allowIdpInitiatedLoginboolean

        Toggle to allow IdP initated login by the SAML IdP.

        default = false

    • clockToleranceSecinteger

      There can be clock skew between the IdP and Qlik's login server. In these cases, a tolerance can be set.

      minimum = 0, maximum = 7200, default = 5, default = 5

    • createNewUsersOnLoginboolean

      Tells the consumer of the IdP that new users should be created on login if they don't exist.

      default = true

    • postLogoutRedirectUristring

      Direct the user on logout to a specific URI.

      maxLength = 2083

• application/jsonobject
  One of:

  • IDPOIDCobject

    An OIDC-compliant identity provider.

    Show IDPOIDC properties

    • idstring

      The unique identifier for the IdP.

    • metaobject
    • activeboolean

      Indicates whether the IdP is available for use.

    • createdstring

      The timestamp for when the IdP was created.

      format = "date-time"

    • protocolstring

      The protocol to be used for communicating with the identity provider. Valid values are OIDC, SAML, jwtAuth, and qsefw-local-bearer-token.

      Can be one of: "OIDC""SAML""jwtAuth""qsefw-local-bearer-token"

    • providerstring

      The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external.

      Can be one of: "auth0""okta""qlik""generic""salesforce""keycloak""adfs""external""azureAD"

    • tenantIdsarray of strings

      The tenant identifiers associated with the given IdP.

    • descriptionstring
    • interactiveboolean

      Indicates the type of connection with the IdP, either interactive login or a machine to machine connection.

    • lastUpdatedstring

      The timestamp for when the IdP was last updated.

      format = "date-time"

    • clockToleranceSecinteger
    • createNewUsersOnLoginboolean

      When the flag is true, new users should be created when logging in for the first time.

    • postLogoutRedirectUristring

      Direct the user on logout to a specific URI.

    • optionsobject
      Show options properties

      • realmstring

        The realm identifier for the IdP.

      • scopestring

        Scope that will be sent along with token requests to the IdP.

      • issuerstring

        This field is only used in Qlik Sense Enterprise Client-Managed IdPs.

      • clientIdstring

        The client identifier used as part of authenticating an interactive identity provider.

      • clientSecretstring

        The client secret used as part of authenticating an interactive identity provider.

      • discoveryUrlstring

        The OpenID configuration endpoint. (Ex: https:///.well-known/openid-configuration).

      • claimsMappingobject

        Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from.

        Show claimsMapping properties

        • subarray of strings

          A list of JSON pointers used to map the user's subject.

        • namearray of strings

          A list of JSON pointers used to map the user's name.

        • emailarray of strings

          A list of JSON pointers used to map the user's email.

        • groupsarray of strings

          A list of JSON pointers used to map the user's groups.

        • localearray of strings

          A list of JSON pointers used to map the user's locale.

        • picturearray of strings

          A list of JSON pointers used to map the user's picture.

        • zoneinfoarray of strings

          A list of JSON pointers used to map the user's zoneinfo.

        • client_idarray of strings

          A list of JSON pointers used to map the user's client ID.

        • email_verifiedarray of strings

          A list of JSON pointers used to map the user's email_verified claim.

      • decryptingKeyobject

        A decrypting key used to decrypt OIDC encrypted assertions

        Show decryptingKey properties

        • jwksstring

          The public key in jwk format

        • keyIdstring

          The id of the decrypting key

        • keySizeinteger

          Required

          The algorithm size of the decrypting key

        • keyTypestring

          Required

          The algorithm type of the decrypting key

        • createdAtstring

          The timestamp for when the decrypting key was created.

          format = "date-time"

        • createdBystring

          The user id of the user who created the decrypting key

        • publicKeystring

          The public key in pem format

        • certificatestring

          The key's certificate in pem format

      • openid_configurationobject

        OpenID configuration

        Show openid_configuration properties

        • issuerstring

          Required

          OpenID Provider issuer

        • jwks_uristring

          Required

          URL of the OP's JSON Web Key Set [JWK] document

        • token_endpointstring

          Required

          OAuth 2.0 Token Endpoint

        • userinfo_endpointstring

          URL of the OP's UserInfo Endpoint

        • end_session_endpointstring

          URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

        • authorization_endpointstring

          Required

          OAuth 2.0 Authorization Endpoint

        • introspection_endpointstring

          The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.

      • blockOfflineAccessScopeboolean

        If true, the offline_access scope will not be requested from the IdP, where applicable.

      • emailVerifiedAlwaysTrueboolean

        Determines if email_verified should be always true. This field is only used in ADFS and AzureAD IdPs.

    • pendingStatestring

      The state of pendingOptions. This represents the latest IdP test result.

      Can be one of: "verified""pending""error"

    • pendingResultobject
      Show pendingResult properties

      • errorstring

        A unique readable error message based on the error that has occurred.

      • statusstring

        Required

        The status of the IdP configuration being tested.

        Can be one of: "success""pending""error""claimsError""callbackError""tokenError""protocolError""networkError""configChangedDuringTestError"

      • startedstring

        The timestamp for when the test was started for an IdP configuration. This field is only available during lifespan of the test.

        format = "date-time"

      • protocolstring

        The protocol used to communicate with the IdP during the test flow.

        Can be one of: "OIDC""SAML"

      • idpClaimsobject

        The claims retrieved from the external IdP.

      • oauth2Errorobject
        Show oauth2Error properties

        • errorstring

          Required

          An error code to identity the authentication error.

        • errorURIstring

          An optional URI that includes additional information about the given error.

        • errorDescriptionstring

          An optional human-readable description for the given error code.

      • resultantClaimsobject

        The resultant claims based on the claims received from the external IdP.

    • pendingOptionsobject
      Show pendingOptions properties

      • realmstring

        The realm identifier for the IdP.

      • scopestring

        Scope that will be sent along with token requests to the IdP.

      • issuerstring

        This field is only used in Qlik Sense Enterprise Client-Managed IdPs.

      • clientIdstring

        The client identifier used as part of authenticating an interactive identity provider.

      • clientSecretstring

        The client secret used as part of authenticating an interactive identity provider.

      • discoveryUrlstring

        The OpenID configuration endpoint. (Ex: https:///.well-known/openid-configuration).

      • claimsMappingobject

        Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from.

        Show claimsMapping properties

        • subarray of strings

          A list of JSON pointers used to map the user's subject.

        • namearray of strings

          A list of JSON pointers used to map the user's name.

        • emailarray of strings

          A list of JSON pointers used to map the user's email.

        • groupsarray of strings

          A list of JSON pointers used to map the user's groups.

        • localearray of strings

          A list of JSON pointers used to map the user's locale.

        • picturearray of strings

          A list of JSON pointers used to map the user's picture.

        • zoneinfoarray of strings

          A list of JSON pointers used to map the user's zoneinfo.

        • client_idarray of strings

          A list of JSON pointers used to map the user's client ID.

        • email_verifiedarray of strings

          A list of JSON pointers used to map the user's email_verified claim.

      • decryptingKeyobject

        A decrypting key used to decrypt OIDC encrypted assertions

        Show decryptingKey properties

        • jwksstring

          The public key in jwk format

        • keyIdstring

          The id of the decrypting key

        • keySizeinteger

          Required

          The algorithm size of the decrypting key

        • keyTypestring

          Required

          The algorithm type of the decrypting key

        • createdAtstring

          The timestamp for when the decrypting key was created.

          format = "date-time"

        • createdBystring

          The user id of the user who created the decrypting key

        • publicKeystring

          The public key in pem format

        • certificatestring

          The key's certificate in pem format

      • openid_configurationobject

        OpenID configuration

        Show openid_configuration properties

        • issuerstring

          Required

          OpenID Provider issuer

        • jwks_uristring

          Required

          URL of the OP's JSON Web Key Set [JWK] document

        • token_endpointstring

          Required

          OAuth 2.0 Token Endpoint

        • userinfo_endpointstring

          URL of the OP's UserInfo Endpoint

        • end_session_endpointstring

          URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

        • authorization_endpointstring

          Required

          OAuth 2.0 Authorization Endpoint

        • introspection_endpointstring

          The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.

      • blockOfflineAccessScopeboolean

        If true, the offline_access scope will not be requested from the IdP, where applicable.

      • emailVerifiedAlwaysTrueboolean

        Determines if email_verified should be always true. This field is only used in ADFS and AzureAD IdPs.

  • IDPSAMLobject

    A SAML-compliant identity provider.

    Show IDPSAML properties

    • idstring

      The unique identifier for the IdP.

    • metaobject
    • activeboolean

      Indicates whether the IdP is available for use.

    • createdstring

      The timestamp for when the IdP was created.

      format = "date-time"

    • protocolstring

      The protocol to be used for communicating with the identity provider. Valid values are OIDC, SAML, jwtAuth, and qsefw-local-bearer-token.

      Can be one of: "OIDC""SAML""jwtAuth""qsefw-local-bearer-token"

    • providerstring

      The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external.

      Can be one of: "auth0""okta""qlik""generic""salesforce""keycloak""adfs""external""azureAD"

    • tenantIdsarray of strings

      The tenant identifiers associated with the given IdP.

    • descriptionstring
    • interactiveboolean

      Indicates the type of connection with the IdP, either interactive login or a machine to machine connection.

    • lastUpdatedstring

      The timestamp for when the IdP was last updated.

      format = "date-time"

    • clockToleranceSecinteger
    • createNewUsersOnLoginboolean

      When the flag is true, new users should be created when logging in for the first time.

    • postLogoutRedirectUristring

      Direct the user on logout to a specific URI.

    • optionsobject
      Show options properties

      • entityIdstring

        The entity URL for the SAML IdP.

      • signOnUrlstring

        The sign on URL for the SAML IdP.

      • signingKeysarray of objects

        Set of certificates used to sign SAMLRequest payloads. Not present in pendingOptions.

        Show signingKeys properties

        • refIdstring

          The reference ID for choosing this key pair.

        • certificatestring

          The certificate to be uploaded to the identity provider for verifying SAML requests.

      • certificatesarray of objects

        The certificates used for validating signed responses.

        Show certificates properties

        • namestring

          Given name for this certificate.

        • signatureboolean

          Indicates whether the certificate is used for the signature.

          default = true

        • encryptionboolean

          Indicates whether the certificate is used for encryption.

          default = false

        • certificatestring

          Required

          The X.509 certificate for validating signed SAML responses.

      • nameIdFormatstring

        The name identifier format that will be requested from the identity provider.

        Can be one of: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress""urn:oasis:names:tc:SAML:2.0:nameid-format:persistent""urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

      • claimsMappingobject

        Mappings from claim name to an array of SAML attribute names that point to locations in the claims from the IdP to retrieve the value from.

        Show claimsMapping properties

        • subarray of strings

          Required

          A list of SAML attributes used to map the user's subject.

        • namearray of strings

          Required

          A list of SAML attributes used to map the user's name.

        • emailarray of strings

          Required

          A list of SAML attributes used to map the user's email.

        • groupsarray of strings

          Required

          A list of SAML attributes used to map the user's groups.

        • picturearray of strings

          Required

          A list of SAML attributes used to map the user's picture.

      • allowIdpInitiatedLoginboolean

        Toggle to allow IdP initated login by the SAML IdP.

      • signingKeySelectedRefIdstring

        The reference ID of the chosen signing key pair.

    • pendingStatestring

      The state of pendingOptions. This represents the latest IdP test result.

      Can be one of: "verified""pending""error"

    • pendingResultobject
      Show pendingResult properties

      • errorstring

        A unique readable error message based on the error that has occurred.

      • statusstring

        Required

        The status of the IdP configuration being tested.

        Can be one of: "success""pending""error""claimsError""callbackError""tokenError""protocolError""networkError""configChangedDuringTestError"

      • startedstring

        The timestamp for when the test was started for an IdP configuration. This field is only available during lifespan of the test.

        format = "date-time"

      • protocolstring

        The protocol used to communicate with the IdP during the test flow.

        Can be one of: "OIDC""SAML"

      • idpClaimsobject

        The claims retrieved from the external IdP.

      • oauth2Errorobject
        Show oauth2Error properties

        • errorstring

          Required

          An error code to identity the authentication error.

        • errorURIstring

          An optional URI that includes additional information about the given error.

        • errorDescriptionstring

          An optional human-readable description for the given error code.

      • resultantClaimsobject

        The resultant claims based on the claims received from the external IdP.

    • pendingOptionsobject
      Show pendingOptions properties

      • entityIdstring

        The entity URL for the SAML IdP.

      • signOnUrlstring

        The sign on URL for the SAML IdP.

      • signingKeysarray of objects

        Set of certificates used to sign SAMLRequest payloads. Not present in pendingOptions.

        Show signingKeys properties

        • refIdstring

          The reference ID for choosing this key pair.

        • certificatestring

          The certificate to be uploaded to the identity provider for verifying SAML requests.

      • certificatesarray of objects

        The certificates used for validating signed responses.

        Show certificates properties

        • namestring

          Given name for this certificate.

        • signatureboolean

          Indicates whether the certificate is used for the signature.

          default = true

        • encryptionboolean

          Indicates whether the certificate is used for encryption.

          default = false

        • certificatestring

          Required

          The X.509 certificate for validating signed SAML responses.

      • nameIdFormatstring

        The name identifier format that will be requested from the identity provider.

        Can be one of: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress""urn:oasis:names:tc:SAML:2.0:nameid-format:persistent""urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

      • claimsMappingobject

        Mappings from claim name to an array of SAML attribute names that point to locations in the claims from the IdP to retrieve the value from.

        Show claimsMapping properties

        • subarray of strings

          Required

          A list of SAML attributes used to map the user's subject.

        • namearray of strings

          Required

          A list of SAML attributes used to map the user's name.

        • emailarray of strings

          Required

          A list of SAML attributes used to map the user's email.

        • groupsarray of strings

          Required

          A list of SAML attributes used to map the user's groups.

        • picturearray of strings

          Required

          A list of SAML attributes used to map the user's picture.

      • allowIdpInitiatedLoginboolean

        Toggle to allow IdP initated login by the SAML IdP.

      • signingKeySelectedRefIdstring

        The reference ID of the chosen signing key pair.

  • IDPJWTAuthobject

    An identity provider for JWT authentication.

    Show IDPJWTAuth properties

    • idstring

      The unique identifier for the IdP.

    • metaobject
    • activeboolean

      Indicates whether the IdP is available for use.

    • createdstring

      The timestamp for when the IdP was created.

      format = "date-time"

    • protocolstring

      The protocol to be used for communicating with the identity provider. Valid values are OIDC, SAML, jwtAuth, and qsefw-local-bearer-token.

      Can be one of: "OIDC""SAML""jwtAuth""qsefw-local-bearer-token"

    • providerstring

      The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external.

      Can be one of: "auth0""okta""qlik""generic""salesforce""keycloak""adfs""external""azureAD"

    • tenantIdsarray of strings

      The tenant identifiers associated with the given IdP.

    • descriptionstring
    • interactiveboolean

      Indicates the type of connection with the IdP, either interactive login or a machine to machine connection.

    • lastUpdatedstring

      The timestamp for when the IdP was last updated.

      format = "date-time"

    • clockToleranceSecinteger
    • createNewUsersOnLoginboolean

      When the flag is true, new users should be created when logging in for the first time.

    • postLogoutRedirectUristring

      Direct the user on logout to a specific URI.

    • optionsobject
      Show options properties

      • issuerstring

        The expected JWT issuer

      • staticKeysarray of objects
        Show staticKeys properties

        • kidstring

          Key ID used to sign the JWTs.

        • pemstring

          Pem-encoded public key for verifying the JWTs.

A representation of the errors encountered from the HTTP request.

• application/jsonobject

  A representation of the errors encountered from the HTTP request.

  Show application/json properties

  • errorsarray of objects

    An error object.

    Show errors properties

    • codestring

      Required

      The error code.

    • metaobject

      Additional properties relating to the error.

    • titlestring

      Required

      Summary of the problem.

    • detailstring

      A human-readable explanation specific to this occurrence of the problem.

    • sourceobject

      References to the source of the error.

      Show source properties

      • pointerstring

        A JSON pointer to the property that caused the error.

      • parameterstring

        The URI query parameter that caused the error.

    • statusnumber

      The HTTP status code.

A representation of the errors encountered from the HTTP request.

• application/jsonobject

  A representation of the errors encountered from the HTTP request.

  Show application/json properties

  • errorsarray of objects

    An error object.

    Show errors properties

    • codestring

      Required

      The error code.

    • metaobject

      Additional properties relating to the error.

    • titlestring

      Required

      Summary of the problem.

    • detailstring

      A human-readable explanation specific to this occurrence of the problem.

    • sourceobject

      References to the source of the error.

      Show source properties

      • pointerstring

        A JSON pointer to the property that caused the error.

      • parameterstring

        The URI query parameter that caused the error.

    • statusnumber

      The HTTP status code.