This endpoint retrieves an identity provider from the service. It returns 200 OK when the IDP exists and the user (TenantAdmin) or service (edge-auth) is authorized to view its contents, and 404 Not Found when those criteria are not met.

Path Parameters

id
string

The identity-provider ID

Responses

200
application/json

Success

401
application/json

Unauthorized

404
application/json

Not Found

GET

/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "id": "string",
  "tenantIds": [],
  "provider": "auth0",
  "protocol": "OIDC",
  "interactive": true,
  "active": true,
  "createNewUsersOnLogin": true,
  "postLogoutRedirectUri": "string",
  "options": {
    "realm": "string",
    "discoveryUrl": "string",
    "clientId": "string",
    "clientSecret": "string",
    "claimsMapping": {
      "sub": [],
      "name": [],
      "groups": [],
      "client_id": [],
      "email": [],
      "picture": [],
      "locale": [],
      "zoneinfo": []
    },
    "scope": "string",
    "issuer": "string",
    "emailVerifiedAlwaysTrue": true,
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    }
  },
  "pendingOptions": {
    "realm": "string",
    "discoveryUrl": "string",
    "clientId": "string",
    "clientSecret": "string",
    "claimsMapping": {
      "sub": [],
      "name": [],
      "groups": [],
      "client_id": [],
      "email": [],
      "picture": [],
      "locale": [],
      "zoneinfo": []
    },
    "scope": "string",
    "issuer": "string",
    "emailVerifiedAlwaysTrue": true,
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    }
  },
  "created": "string",
  "lastUpdated": "string",
  "pendingResult": {
    "status": "success",
    "started": "2021-02-22T12:34:41.077Z",
    "idpClaims": {},
    "resultantClaims": {},
    "oauth2Error": {
      "error": "string",
      "errorDescription": "string",
      "errorURI": "string"
    },
    "error": "string"
  },
  "pendingState": "verified",
  "description": "string",
  "meta": {},
  "clockToleranceSec": 0
}

This endpoint patches an identity provider in the service. It returns 204 when the IDP is patched. Only a tenanted edge-auth request or a user with the TenantAdmin role and tenant access can patch an associated IDP. Partial failure is treated as complete failure and returns an error.

Header Parameters

QLIK-IDP-POPTS-MATCH

A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested.

Path Parameters

id
string

The identity-provider ID

Request Body

application/json

No description

Responses

204
object

Success

400
application/json

Bad request. The issue can range from an invalid request body or URL to an invalid state transition.

401
application/json

Unauthorized

403
application/json

Access denied. Only a tenanted edge-auth request or a TenantAdmin user request can patch an IDP.

404
application/json

Not Found

412
application/json

Precondition failed. The QLIK-IDP-POPTS-MATCH header is missing, or its value does not match the IDP's test configuration value.

500
application/json

Internal server error. The operation failed unexpectedly.

PATCH

/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -X PATCH \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"op":"replace","path":"/active"}'

Request

{
  "op": "replace",
  "path": "/active"
}

This endpoint deletes an identity provider from the service. It returns 204 when the IDP is deleted. Only a user with the TenantAdmin role and tenant access can delete an associated IDP; edge-auth can also delete.

Path Parameters

id
string

The identity-provider ID

Responses

204
object

Success

400
application/json

Bad request. The interactive IDP for the tenant can't be deleted.

404
application/json

Not Found

DELETE

/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -X DELETE \
 -H "Authorization: Bearer <API-key>"

This endpoint creates a pending result. It returns 204 No Content when the pending result was successfully created. Only edge-auth is authorized to create a pendingResult.

Header Parameters

QLIK-IDP-POPTS-MATCH

A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested.

Path Parameters

id
string

The identity-provider ID

Responses

200
application/json

Success

204
object

No Content

400
application/json

Bad Request

404
application/json

Not Found

412
application/json

Precondition failed. The QLIK-IDP-POPTS-MATCH header is missing, or its value does not match the IDP's test configuration value.

PUT

/identity-providers/{id}/test-result

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}/test-result" \
 -X PUT \
 -H "Authorization: Bearer <API-key>"

Response

{
  "status": "success",
  "started": "2021-02-22T12:34:41.077Z",
  "idpClaims": {},
  "resultantClaims": {},
  "oauth2Error": {
    "error": "string",
    "errorDescription": "string",
    "errorURI": "string"
  },
  "error": "string"
}

This endpoint retrieves a pending result from the service. It returns 200 OK when the pending result exists and the user (TenantAdmin) or service (edge-auth) is authorized to view its contents, and 204 No Content when there is no pending result.

Path Parameters

id
string

The identity-provider ID

Responses

200
application/json

Success

204
object

No Content

404
application/json

Not Found

GET

/identity-providers/{id}/test-result

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}/test-result" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "status": "success",
  "started": "2021-02-22T12:34:41.077Z",
  "idpClaims": {},
  "resultantClaims": {},
  "oauth2Error": {
    "error": "string",
    "errorDescription": "string",
    "errorURI": "string"
  },
  "error": "string"
}

This endpoint retrieves one or more identity providers belonging to a tenant ID. The tenantID in the JWT is used to fetch the identity providers.

Query Parameters

limit
optional, default=20, minimum=1, maximum=100
number

The number of IDP entries to retrieve.

next
optional
string

The next page cursor.

prev
optional
string

The previous page cursor.

Responses

200
application/json

Success

404
application/json

Not Found

GET

/identity-providers

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "data": [
    {
      "id": "string",
      "tenantIds": [],
      "provider": "auth0",
      "protocol": "OIDC",
      "interactive": true,
      "active": true,
      "createNewUsersOnLogin": true,
      "postLogoutRedirectUri": "string",
      "options": {
        "realm": "string",
        "discoveryUrl": "string",
        "clientId": "string",
        "clientSecret": "string",
        "claimsMapping": {
          "sub": [],
          "name": [],
          "groups": [],
          "client_id": [],
          "email": [],
          "picture": [],
          "locale": [],
          "zoneinfo": []
        },
        "scope": "string",
        "issuer": "string",
        "emailVerifiedAlwaysTrue": true,
        "openid_configuration": {
          "issuer": "string",
          "authorization_endpoint": "string",
          "token_endpoint": "string",
          "userinfo_endpoint": "string",
          "jwks_uri": "string",
          "introspection_endpoint": "string",
          "end_session_endpoint": "string"
        }
      },
      "pendingOptions": {
        "realm": "string",
        "discoveryUrl": "string",
        "clientId": "string",
        "clientSecret": "string",
        "claimsMapping": {
          "sub": [],
          "name": [],
          "groups": [],
          "client_id": [],
          "email": [],
          "picture": [],
          "locale": [],
          "zoneinfo": []
        },
        "scope": "string",
        "issuer": "string",
        "emailVerifiedAlwaysTrue": true,
        "openid_configuration": {
          "issuer": "string",
          "authorization_endpoint": "string",
          "token_endpoint": "string",
          "userinfo_endpoint": "string",
          "jwks_uri": "string",
          "introspection_endpoint": "string",
          "end_session_endpoint": "string"
        }
      },
      "created": "string",
      "lastUpdated": "string",
      "pendingResult": {
        "status": "success",
        "started": "2021-02-22T12:34:41.077Z",
        "idpClaims": {},
        "resultantClaims": {},
        "oauth2Error": {
          "error": "string",
          "errorDescription": "string",
          "errorURI": "string"
        },
        "error": "string"
      },
      "pendingState": "verified",
      "description": "string",
      "meta": {},
      "clockToleranceSec": 0
    }
  ],
  "links": {
    "self": {
      "href": "string"
    },
    "next": {
      "href": "string"
    },
    "prev": {
      "href": "string"
    }
  }
}
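A client that walks this paginated listing, added here as an example rather than Qlik's own code: it follows links.next.href page by page, enforces the documented limit bounds (1..100), guards against a looping cursor, and masks clientSecret in the records it returns. The fetch callable, the cursor value and the sample pages are constructed so the walk runs offline.

```python
"""Walk the paginated GET /identity-providers listing (added example).

The fetch callable stands in for an authenticated HTTP GET; the sample
pages below are constructed to mirror the Response shape above.
"""
import copy
from typing import Any, Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode

BASE = "https://your-tenant.us.qlikcloud.com/api/v1"  # tenant URL as on this page
Fetch = Callable[[str], Dict[str, Any]]


def redact(idp: Dict[str, Any]) -> Dict[str, Any]:
    """Copy an IDP record with clientSecret masked in options and pendingOptions."""
    out = copy.deepcopy(idp)
    for key in ("options", "pendingOptions"):
        section = out.get(key)
        if isinstance(section, dict) and "clientSecret" in section:
            section["clientSecret"] = "[REDACTED]"
    return out


def iter_identity_providers(fetch: Fetch, limit: int = 20) -> Iterator[Dict[str, Any]]:
    """Yield every IDP record across all pages by following links.next.href."""
    if not 1 <= limit <= 100:
        raise ValueError("limit must be between 1 and 100")
    url: Optional[str] = f"{BASE}/identity-providers?{urlencode({'limit': limit})}"
    seen = set()
    while url:
        if url in seen:  # a misbehaving server could hand back a cursor that loops
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        page = fetch(url)
        for idp in page.get("data", []):
            yield redact(idp)
        url = ((page.get("links") or {}).get("next") or {}).get("href")


def list_active_interactive(fetch: Fetch, limit: int = 20) -> List[str]:
    """Return ids of IDPs that are both active and interactive, i.e. usable for login."""
    return [idp["id"] for idp in iter_identity_providers(fetch, limit)
            if idp.get("active") and idp.get("interactive")]


# Constructed sample pages shaped like the Response above (two pages, limit=2).
PAGE1_URL = f"{BASE}/identity-providers?limit=2"
PAGE2_URL = f"{BASE}/identity-providers?limit=2&next=CURSOR-2"
SAMPLE_PAGES = {
    PAGE1_URL: {
        "data": [
            {"id": "idp-1", "provider": "auth0", "protocol": "OIDC", "interactive": True,
             "active": True, "options": {"clientId": "abc", "clientSecret": "s3cr3t"}},
            {"id": "idp-2", "provider": "generic", "protocol": "qsefw-local-bearer-token",
             "interactive": False, "active": True, "options": {}},
        ],
        "links": {"self": {"href": PAGE1_URL}, "next": {"href": PAGE2_URL}},
    },
    PAGE2_URL: {
        "data": [{"id": "idp-3", "provider": "okta", "protocol": "OIDC", "interactive": True,
                  "active": False, "pendingOptions": {"clientSecret": "pending-secret"}}],
        "links": {"self": {"href": PAGE2_URL}, "prev": {"href": PAGE1_URL}},
    },
}


def fake_fetch(url: str) -> Dict[str, Any]:
    """Stand-in for an authenticated GET (a real client sends the Bearer header)."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for record in iter_identity_providers(fake_fetch, limit=2):
        print(record)
```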

This endpoint creates an identity-provider resource. It returns 201 Created when creation succeeds, and 403 Forbidden for a non-TenantAdmin user JWT or when the tenantID in the JWT does not match any of the tenantIDs in the payload. An IDP can be created with pendingOptions or options, depending on whether the IDP is interactive or not.

Request Body

application/json

No description

Responses

201
application/json

Created

400
application/json

Bad Request

403
application/json

Forbidden

POST

/identity-providers

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
 -X POST \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"tenantIds":[],"provider":"auth0","protocol":"OIDC","interactive":true,"createNewUsersOnLogin":true,"postLogoutRedirectUri":"string","options":{"realm":"string","discoveryUrl":"string","audience":"string","claimsMapping":{"sub":[],"client_id":[]},"openid_configuration":{"issuer":"string","authorization_endpoint":"string","token_endpoint":"string","userinfo_endpoint":"string","jwks_uri":"string","introspection_endpoint":"string","end_session_endpoint":"string"},"allowedClientIds":[]},"pendingOptions":{"realm":"string","scope":"string","discoveryUrl":"string","clientId":"string","clientSecret":"string","emailVerifiedAlwaysTrue":true,"claimsMapping":{"sub":[],"name":[],"groups":[],"client_id":[],"email":[],"picture":[],"locale":[],"zoneinfo":[]},"openid_configuration":{"issuer":"string","authorization_endpoint":"string","token_endpoint":"string","userinfo_endpoint":"string","jwks_uri":"string","introspection_endpoint":"string","end_session_endpoint":"string"}},"description":"string","clockToleranceSec":5,"meta":{},"useClaimsFromIdToken":true}'

Request

{
  "tenantIds": [],
  "provider": "auth0",
  "protocol": "OIDC",
  "interactive": true,
  "createNewUsersOnLogin": true,
  "postLogoutRedirectUri": "string",
  "options": {
    "realm": "string",
    "discoveryUrl": "string",
    "audience": "string",
    "claimsMapping": {
      "sub": [],
      "client_id": []
    },
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    },
    "allowedClientIds": []
  },
  "pendingOptions": {
    "realm": "string",
    "scope": "string",
    "discoveryUrl": "string",
    "clientId": "string",
    "clientSecret": "string",
    "emailVerifiedAlwaysTrue": true,
    "claimsMapping": {
      "sub": [],
      "name": [],
      "groups": [],
      "client_id": [],
      "email": [],
      "picture": [],
      "locale": [],
      "zoneinfo": []
    },
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    }
  },
  "description": "string",
  "clockToleranceSec": 5,
  "meta": {},
  "useClaimsFromIdToken": true
}

Response

{
  "id": "string",
  "tenantIds": [],
  "provider": "auth0",
  "protocol": "OIDC",
  "interactive": true,
  "active": true,
  "createNewUsersOnLogin": true,
  "postLogoutRedirectUri": "string",
  "options": {
    "realm": "string",
    "discoveryUrl": "string",
    "clientId": "string",
    "clientSecret": "string",
    "claimsMapping": {
      "sub": [],
      "name": [],
      "groups": [],
      "client_id": [],
      "email": [],
      "picture": [],
      "locale": [],
      "zoneinfo": []
    },
    "scope": "string",
    "issuer": "string",
    "emailVerifiedAlwaysTrue": true,
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    }
  },
  "pendingOptions": {
    "realm": "string",
    "discoveryUrl": "string",
    "clientId": "string",
    "clientSecret": "string",
    "claimsMapping": {
      "sub": [],
      "name": [],
      "groups": [],
      "client_id": [],
      "email": [],
      "picture": [],
      "locale": [],
      "zoneinfo": []
    },
    "scope": "string",
    "issuer": "string",
    "emailVerifiedAlwaysTrue": true,
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    }
  },
  "created": "string",
  "lastUpdated": "string",
  "pendingResult": {
    "status": "success",
    "started": "2021-02-22T12:34:41.077Z",
    "idpClaims": {},
    "resultantClaims": {},
    "oauth2Error": {
      "error": "string",
      "errorDescription": "string",
      "errorURI": "string"
    },
    "error": "string"
  },
  "pendingState": "verified",
  "description": "string",
  "meta": {},
  "clockToleranceSec": 0
}

This endpoint retrieves identity provider metadata.

Responses

200
application/json
object

Success

GET

/identity-providers/.well-known/metadata.json

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/.well-known/metadata.json" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "undefined": {}
}

This endpoint is used to retrieve IDP metadata.

Responses

200
application/json
object

Success

403
application/json

Forbidden

404
application/json

Not Found

500
application/json

Internal server error

GET

/identity-providers/me/meta

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/me/meta" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "undefined": {}
}

This endpoint retrieves the status of IDP configurations.

Responses

200
application/json

Success

403
application/json

Forbidden

404
application/json

Not Found

500
application/json

Internal Server Error

GET

/identity-providers/status

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/status" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "active_interactive_idps_count": 0,
  "idps_metadata": []
}

A unique string representing a hash of the current configuration being tested.

A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested.

Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.

Properties

sub
Array<string>

A list of jsonpointers used to map the user's subject.

name
Array<string>

A list of jsonpointers used to map the user's name.

groups
Array<string>

A list of jsonpointers used to map the user's groups.

client_id
Array<string>

A list of jsonpointers used to map the user's client id.

email
Array<string>

A list of jsonpointers used to map the user's email.

picture
Array<string>

A list of jsonpointers used to map the user's picture.

locale
Array<string>

A list of jsonpointers used to map the user's locale.

zoneinfo
Array<string>

A list of jsonpointers used to map the user's zoneinfo.

Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.

Properties

sub
Array<string>

A list of jsonpointers used to map the user's subject.

client_id
Array<string>

A list of jsonpointers used to map the user's client id.
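How a claimsMapping such as the two above is applied, as an added example that is not Qlik's code: each entry's JSON pointers (RFC 6901, including the `~1`/`~0` escapes needed for URI-style claim names) are resolved against a constructed idpClaims document to produce resultantClaims. That the pointers are tried in order with the first match winning is an assumption; the page does not say how multiple pointers combine.

```python
"""Resolve a claimsMapping against the claims an IdP returned (added example).

Each mapping entry is a list of RFC 6901 JSON pointers into the IdP's
claims document. Assumption (not stated on the page): pointers are tried
in order and the first one that resolves supplies the resultant claim.
"""
from typing import Any, Dict, List


def resolve_pointer(doc: Any, pointer: str) -> Any:
    """Return the value a JSON pointer addresses; raise KeyError if it is absent."""
    if pointer == "":
        return doc  # the empty pointer addresses the whole document
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON pointer: {pointer!r}")
    node = doc
    for raw in pointer.split("/")[1:]:
        # Unescape per RFC 6901: "~1" becomes "/", then "~0" becomes "~".
        token = raw.replace("~1", "/").replace("~0", "~")
        if isinstance(node, dict) and token in node:
            node = node[token]
        elif isinstance(node, list) and token.isdigit() and int(token) < len(node):
            node = node[int(token)]
        else:
            raise KeyError(pointer)
    return node


def apply_claims_mapping(idp_claims: Dict[str, Any],
                         claims_mapping: Dict[str, List[str]]) -> Dict[str, Any]:
    """Build resultantClaims from idpClaims using the first pointer that resolves."""
    resultant: Dict[str, Any] = {}
    for target, pointers in claims_mapping.items():
        for ptr in pointers:
            try:
                resultant[target] = resolve_pointer(idp_claims, ptr)
                break
            except KeyError:
                continue  # try the next fallback pointer
    return resultant


# Constructed sample claims, including a URI-style group claim as some IdPs emit.
SAMPLE_IDP_CLAIMS = {
    "sub": "auth0|5f1c0a7e",
    "name": "Ada Lovelace",
    "email": "ada@example.com",
    "http://schemas.example.com/claims/groups": ["analysts", "admins"],
    "picture": "https://cdn.example.com/ada.png",
}

# Constructed mapping: "groups" falls back to the URI-named claim, whose "/"
# characters must be escaped as "~1" inside the pointer.
SAMPLE_CLAIMS_MAPPING = {
    "sub": ["/sub"],
    "name": ["/name", "/preferred_username"],
    "groups": ["/groups", "/http:~1~1schemas.example.com~1claims~1groups"],
    "email": ["/email"],
    "locale": ["/locale"],  # absent at the IdP, so no resultant "locale" claim
}

if __name__ == "__main__":
    print(apply_claims_mapping(SAMPLE_IDP_CLAIMS, SAMPLE_CLAIMS_MAPPING))
```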

OpenID configuration

Properties

issuer
string

OpenID Provider issuer

authorization_endpoint
string

OAuth 2.0 Authorization Endpoint

token_endpoint
string

OAuth 2.0 Token Endpoint

userinfo_endpoint
optional
string

URL of the OP's UserInfo Endpoint

jwks_uri
string

URL of the OP's JSON Web Key Set [JWK] document

introspection_endpoint
optional
string

The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.

end_session_endpoint
optional
string

URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

Properties

tenantIds
Array<string>

The tenant identifiers that map to the given IDP

provider
string

The identity provider to be used.

Enum:

auth0

okta

qlik

generic

salesforce

keycloak

adfs

protocol
string

The protocol to be used for communicating with the identity provider.

Enum:

OIDC

qsefw-local-bearer-token

interactive
default=false
boolean

Indicates whether the IDP is used for login or M2M.

createNewUsersOnLogin
optional, default=true
boolean

Tells the consumer of the IDP that new users should be created on login if they don't exist

postLogoutRedirectUri
optional
string

Direct the user on logout to a specific URI

options

No description

pendingOptions

No description

description
optional
string

No description

clockToleranceSec
optional, default=5, minimum=0, maximum=7200
number

There can be clock skew between the IDP and edge-auth; in these cases a tolerance can be set. Decimals are rounded off.

meta
optional
object

The identity provider metadata

useClaimsFromIdToken
optional
boolean

This flag instructs edge-auth to use the ID token for claims, instead of the userinfo response.

Patch

object

Properties

op
string

The "operation" to be performed on a given IDP. Currently supports a custom operation value called "promote-options" that allows the test configuration to be promoted to the current configuration used for login.

Enum:

replace

promote-options

path
optional
string

The "path" to the part of the IDP document.

Enum:

/active

/description

/meta

/options

/options/realm

/options/discoveryUrl

/options/clientId

/options/clientSecret

/pendingOptions

/pendingOptions/realm

/pendingOptions/discoveryUrl

/pendingOptions/clientId

/pendingOptions/clientSecret

/pendingOptions/emailVerifiedAlwaysTrue

/postLogoutRedirectUri

/clockToleranceSec

value
optional

The "value" data type is dependent on the path value being used.

IDPArray

object

Properties

data

An array of IDPs.

links

Contains pagination links

IDP

object

Properties

id
string

The unique identifier for the IDP

tenantIds
Array<string>

The tenant identifiers associated with the given IDP

provider
string

The identity provider name

Enum:

auth0

okta

protocol
string

The protocol used for connecting to the identity provider

Enum:

OIDC

qsefw-local-bearer-token

interactive
boolean

Indicates the type of connection with the IDP, either interactive login or a machine to machine connection.

active
boolean

Indicates whether the IDP is available for use.

createNewUsersOnLogin
boolean

When the flag is true, new users should be created when logging in for the first time.

postLogoutRedirectUri
string

Direct the user on logout to a specific URI

options

No description

pendingOptions

No description

created
string

The timestamp for when the IDP was created.

lastUpdated
string

The timestamp for when the IDP was last updated.

pendingResult

No description

pendingState
string

The state of pendingOptions. This represents the latest idp test result.

Enum:

verified

pending

error

description
string

No description

meta
object

No description

clockToleranceSec
number

No description

Properties

realm
string

The realm identifier for the IDP.

discoveryUrl
string

The OpenID configuration endpoint (e.g. https://<domain>/.well-known/openid-configuration).

clientId
string

The client identifier used as part of authenticating an interactive identity provider

clientSecret
string

The client secret used as part of authenticating an interactive identity provider

claimsMapping

Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.

scope
string

Scope which will be sent along with token requests to the IDP

issuer
string

The issuer. This field is only used in QSEfW IDPs.

emailVerifiedAlwaysTrue
boolean

Determines whether email_verified should always be true. This field is only used in ADFS and AzureAD IDPs.

openid_configuration

OpenID configuration

Properties

active_interactive_idps_count
number

The number of active interactive IDPs.

idps_metadata
Array<object>

A list of IDP metadata

Properties

status
string

The status of the IDP configuration being tested.

Enum:

success

pending

error

claimsError

callbackError

tokenError

protocolError

networkError

configChangedDuringTestError

started
optional
string<date-time>

The timestamp for when the test was started for an IDP configuration. This field is only available during the lifespan of the test.

idpClaims
optional
object

The claims retrieved from the external IDP.

resultantClaims
optional
object

The resultant claims based on the claims received from the external IDP.

oauth2Error

No description

error
optional
string

A unique readable error message based on the error that has occurred.

Errors

object

A representation of the errors encountered from the HTTP request.

Properties

errors

No description

Error

object

An error object.

Properties

code
string

The error code.

title
string

Summary of the problem.

status
optional
number

The HTTP status code.

detail
optional
string

A human-readable explanation specific to this occurrence of the problem.

meta
optional
object

Additional properties relating to the error.

source
optional

References to the source of the error.

v1.3.4