identity-providers

A service for managing identity providers.

Endpoints

GET/identity-providers/{id}
PATCH/identity-providers/{id}
DELETE/identity-providers/{id}
PUT/identity-providers/{id}/test-result
GET/identity-providers/{id}/test-result
GET/identity-providers
POST/identity-providers
GET/identity-providers/.well-known/metadata.json
GET/identity-providers/me/meta
GET/identity-providers/status

Use to return the idp with the specified id

This endpoint is used to retrieve an identity provider from the service. It returns 200 OK when the IDP exists and the caller, either a user with the TenantAdmin role or the edge-auth service, is authorized to view it. It returns 404 Not Found when either condition is not met, so a caller cannot distinguish a non-existent IDP from one it is not allowed to see.

Path Parameters GET /identity-providers/{id}

id
string

The identity-provider ID

Responses GET /identity-providers/{id}

200
application/json

Success

401
application/json

Unauthorized

404
application/json

Not Found

GET/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -H "Authorization: Bearer <API-key>"

Updates the idp with the specified id

This endpoint is used to patch an identity provider in the service. It returns 204 No Content when the IDP is patched. Only a tenanted edge-auth request, or a user with the TenantAdmin role and access to the tenant, can patch an associated IDP. Partial failure is treated as complete failure and returns an error: a patch containing several operations is applied in full or not at all.

Header Parameters PATCH /identity-providers/{id}

QLIK-IDP-POPTS-MATCH

A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested.

Path Parameters PATCH /identity-providers/{id}

id
string

The identity-provider ID

Request Body PATCH /identity-providers/{id}

application/json

No description

Responses PATCH /identity-providers/{id}

204
object

Success

400
application/json

Bad request. The issue can range from an invalid request body or URL to an invalid state transition.

401
application/json

Unauthorized

403
application/json

Access denied. Only a tenanted edge-auth request or a TenantAdmin user can patch an IDP.

404
application/json

Not Found

412
application/json

Precondition failed. The QLIK-IDP-POPTS-MATCH header is missing, or its value does not match the hash of the IDP's test configuration.

500
application/json

Internal server error, the operation failed unexpectedly

PATCH/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -X PATCH \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '<request-body>'

Deletes the idp with the specified id

This endpoint is used to delete an identity provider from the service. It returns 204 No Content when the IDP is deleted. Only a user with the TenantAdmin role and access to the tenant can delete an associated IDP. Edge-auth can also delete.

Path Parameters DELETE /identity-providers/{id}

id
string

The identity-provider ID

Responses DELETE /identity-providers/{id}

204
object

Success

400
application/json

Bad request. The interactive IDP for the tenant can't be deleted.

404
application/json

Not Found

DELETE/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -X DELETE \
 -H "Authorization: Bearer <API-key>"

Use to create a pendingResult for the specified idp ID

This endpoint is used to create a pending result. It returns 204 No Content when the pending result was successfully created. Only edge-auth is authorized to create a pendingResult.

Header Parameters PUT /identity-providers/{id}/test-result

QLIK-IDP-POPTS-MATCH

A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested.

Path Parameters PUT /identity-providers/{id}/test-result

id
string

The identity-provider ID

Responses PUT /identity-providers/{id}/test-result

200
application/json

Success

204
object

No Content

400
application/json

Bad Request

404
application/json

Not Found

412
application/json

Precondition failed. The QLIK-IDP-POPTS-MATCH header is missing, or its value does not match the hash of the IDP's test configuration.

PUT/identity-providers/{id}/test-result

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}/test-result" \
 -X PUT \
 -H "Authorization: Bearer <API-key>"

Response PUT /identity-providers/{id}/test-result

{
  "status": "success",
  "started": "2021-09-20T08:40:04.090Z",
  "idpClaims": {},
  "resultantClaims": {},
  "oauth2Error": {
    "error": "string",
    "errorDescription": "string",
    "errorURI": "string"
  },
  "error": "string"
}

Use to return the pending result with the specified id

This endpoint is used to retrieve a pending result from the service. It returns 200 OK when the pending result exists and the caller, either a user with the TenantAdmin role or the edge-auth service, is authorized to view it. It returns 204 No Content when there is no pending result.

Path Parameters GET /identity-providers/{id}/test-result

id
string

The identity-provider ID

Responses GET /identity-providers/{id}/test-result

200
application/json

Success

204
object

No Content

404
application/json

Not Found

GET/identity-providers/{id}/test-result

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}/test-result" \
 -H "Authorization: Bearer <API-key>"

Response GET /identity-providers/{id}/test-result

{
  "status": "success",
  "started": "2021-09-20T08:40:04.090Z",
  "idpClaims": {},
  "resultantClaims": {},
  "oauth2Error": {
    "error": "string",
    "errorDescription": "string",
    "errorURI": "string"
  },
  "error": "string"
}

Use to retrieve an idp or idps for a specified tenantId

This endpoint is used to retrieve one or multiple identity-providers relating to a tenantID. The tenantID in the JWT will be used to fetch the identity-provider.

Query Parameters GET /identity-providers

limit
optional, default=20, minimum=1, maximum=100
number

The number of IDP entries to retrieve.

next
optional
string

The next page cursor.

prev
optional
string

The previous page cursor.

active
optional
boolean

If provided, filters the results by the active field

Responses GET /identity-providers

200
application/json

Success

404
application/json

Not Found

GET/identity-providers

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
 -H "Authorization: Bearer <API-key>"

Response GET /identity-providers

{
  "data": [],
  "links": {
    "self": {
      "href": "string"
    },
    "next": {
      "href": "string"
    },
    "prev": {
      "href": "string"
    }
  }
}
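The list endpoint is cursor-paginated: each page carries links.self, links.next and links.prev, and limit is bounded to 1..100. The client below, an added example that is not Qlik's SDK code, walks every page by following links.next.href and applies the active filter. The HTTP layer is injected so it runs offline against a constructed fake service; with the requests library you would pass something like lambda url: requests.get(url, headers=auth).json(). Two assumptions the page does not state: the last page either omits links.next or repeats the self href, and the limit, next and active query parameters are echoed back in the next href.

```python
"""Walk every page of GET /identity-providers by following links.next.href."""
from typing import Callable, Iterator, Optional
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

BASE = "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers"
Fetch = Callable[[str], dict]          # url -> parsed JSON body


def list_url(limit: int = 20, active: Optional[bool] = None) -> str:
    """Build the first-page URL; limit is clamped to the documented 1..100 range."""
    params = {"limit": max(1, min(100, limit))}
    if active is not None:
        params["active"] = "true" if active else "false"
    return f"{BASE}?{urlencode(params)}"


def iter_identity_providers(fetch: Fetch, limit: int = 20,
                            active: Optional[bool] = None,
                            max_pages: int = 1000) -> Iterator[dict]:
    """Yield IDP objects across pages; stop on a missing or looping next link."""
    url = list_url(limit, active)
    seen = set()
    for _ in range(max_pages):
        if url in seen:                 # defensive: a buggy server must not loop us forever
            return
        seen.add(url)
        page = fetch(url)
        yield from page.get("data", [])
        links = page.get("links") or {}
        nxt = (links.get("next") or {}).get("href")
        self_href = (links.get("self") or {}).get("href")
        if not nxt or nxt == self_href:
            return
        url = nxt
    raise RuntimeError("pagination did not terminate within max_pages")


# ---- constructed fake service: three IDPs, served through an offset cursor ----
FAKE_IDPS = [
    {"id": "idp-1", "protocol": "OIDC", "provider": "okta", "interactive": True, "active": True},
    {"id": "idp-2", "protocol": "jwtAuth", "provider": "external", "interactive": False, "active": True},
    {"id": "idp-3", "protocol": "OIDC", "provider": "generic", "interactive": True, "active": False},
]


def fake_fetch(url: str) -> dict:
    """Emulate the documented response shape (data + links.self/next)."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    limit = int(q.get("limit", ["20"])[0])
    active = q.get("active", [None])[0]
    start = int(q.get("next", ["0"])[0])           # the fake's cursor is a plain offset
    rows = [i for i in FAKE_IDPS
            if active is None or str(i["active"]).lower() == active]
    chunk = rows[start:start + limit]
    links = {"self": {"href": url}}
    if start + limit < len(rows):
        nq = dict(q)
        nq["next"] = [str(start + limit)]
        links["next"] = {"href": urlunparse(parts._replace(query=urlencode(nq, doseq=True)))}
    return {"data": chunk, "links": links}


def collect_ids(fetch: Fetch = fake_fetch, **kw) -> list:
    """Convenience wrapper: the ids of every IDP the walk returns."""
    return [i["id"] for i in iter_identity_providers(fetch, **kw)]


if __name__ == "__main__":
    print(collect_ids(limit=2))               # three ids across two pages
    print(collect_ids(limit=2, active=True))  # only the active ones
```

The seen-set and max_pages guard cost nothing and turn a server-side pagination bug into a bounded failure instead of an endless loop that keeps an API key busy.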

Use to create a new identity provider resource

This endpoint is used to create an identity-provider resource. It returns 201 Created when creation is successful, and 403 Forbidden for a non-TenantAdmin user JWT or when the tenantID in the JWT does not match any of the tenantIDs in the payload. An IDP can be created with pendingOptions or options, depending on whether the IDP is interactive or not.

Request Body POST /identity-providers

application/json

No description

Responses POST /identity-providers

201
application/json

Created

400
application/json

Bad Request

403
application/json

Forbidden

POST/identity-providers

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
 -X POST \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '<request-body>'

Use to return identity providers' metadata

This endpoint is used to retrieve identity providers metadata.

Responses GET /identity-providers/.well-known/metadata.json

200
application/json
object

Success

GET/identity-providers/.well-known/metadata.json

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/.well-known/metadata.json" \
 -H "Authorization: Bearer <API-key>"

Response GET /identity-providers/.well-known/metadata.json

{}

Use to return active interactive IDP metadata

This endpoint is used to retrieve IDP metadata.

Responses GET /identity-providers/me/meta

200
application/json
object

Success

403
application/json

Forbidden

404
application/json

Not Found

500
application/json

Internal server error

GET/identity-providers/me/meta

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/me/meta" \
 -H "Authorization: Bearer <API-key>"

Response GET /identity-providers/me/meta

{}

Use to return current status of idp configurations.

This endpoint is used to retrieve the status of idp configurations. Requires TenantAdmin role.

Responses GET /identity-providers/status

200
application/json

Success

403
application/json

Forbidden

404
application/json

Not Found

500
application/json

Internal Server Error

GET/identity-providers/status

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/status" \
 -H "Authorization: Bearer <API-key>"

Response GET /identity-providers/status

{
  "active_interactive_idps_count": 0,
  "idps_metadata": []
}

qlikIdpPopts

string

A unique string representing a hash of the current configuration being tested.

qlikIdpPoptsMatch

string

A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested.

claimsMappingInteractive

object

Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.

Properties

sub
Array<string>

A list of jsonpointers used to map the user's subject.

name
Array<string>

A list of jsonpointers used to map the user's name.

groups
Array<string>

A list of jsonpointers used to map the user's groups.

client_id
Array<string>

A list of jsonpointers used to map the user's client id.

email
Array<string>

A list of jsonpointers used to map the user's email.

picture
Array<string>

A list of jsonpointers used to map the user's picture.

locale
Array<string>

A list of jsonpointers used to map the user's locale.

zoneinfo
Array<string>

A list of jsonpointers used to map the user's zoneinfo.

claimsMappingNonInteractive

object

Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.

Properties

sub
Array<string>

A list of jsonpointers used to map the user's subject.

client_id
Array<string>

A list of jsonpointers used to map the user's client id.
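Both claims-mapping objects above work the same way: each Qlik claim name maps to a list of JSON pointers evaluated against the raw claims the IDP returned (the idpClaims of a PendingResult), and the values found become the resultantClaims. The following is an added example, not Qlik's implementation, showing that resolution in code. It assumes the pointers are RFC 6901 JSON Pointers (with the ~0 and ~1 escapes), that the pointers in a list are tried in order and the first one that resolves to a non-empty value wins, and that groups is always normalised to a list of strings; none of that is stated on the page. The IDP claims and the mapping are constructed for the example.

```python
"""Resolve a claimsMapping (claim name -> list of JSON Pointers) against IDP claims."""
from typing import Any, Dict, List, Optional


def _unescape(token: str) -> str:
    # RFC 6901: "~1" decodes to "/" and "~0" to "~"; this order is mandatory.
    return token.replace("~1", "/").replace("~0", "~")


def resolve_pointer(doc: Any, pointer: str) -> Optional[Any]:
    """Evaluate an RFC 6901 JSON Pointer; return None when it does not resolve."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        return None                      # malformed pointer is treated as unresolved
    node = doc
    for raw in pointer[1:].split("/"):
        key = _unescape(raw)
        if isinstance(node, dict):
            if key not in node:
                return None
            node = node[key]
        elif isinstance(node, list):
            if not key.isdigit() or int(key) >= len(node):
                return None
            node = node[int(key)]
        else:
            return None
    return node


LIST_CLAIMS = {"groups"}                 # assumption: these are always emitted as lists


def apply_claims_mapping(idp_claims: Dict[str, Any],
                         mapping: Dict[str, List[str]]) -> Dict[str, Any]:
    """Build resultantClaims from idpClaims using the first pointer that resolves."""
    result: Dict[str, Any] = {}
    for claim, pointers in mapping.items():
        for ptr in pointers:
            value = resolve_pointer(idp_claims, ptr)
            if value in (None, "", [], {}):
                continue                 # fall through to the next pointer
            if claim in LIST_CLAIMS:
                items = value if isinstance(value, list) else [value]
                value = [str(v) for v in items]
            result[claim] = value
            break
    return result


# Constructed sample: an ID-token payload in the shape a Keycloak-style IDP emits,
# including a namespaced claim whose key contains "/" characters.
SAMPLE_IDP_CLAIMS = {
    "sub": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
    "preferred_username": "alice",
    "email": "alice@example.com",
    "realm_access": {"roles": ["analyst", "offline_access"]},
    "https://example.com/claims": {"picture": "https://example.com/alice.png"},
}

# A claimsMappingInteractive-style mapping; later pointers are fallbacks.
SAMPLE_MAPPING = {
    "sub": ["/sub"],
    "name": ["/name", "/preferred_username"],
    "email": ["/email"],
    "groups": ["/groups", "/realm_access/roles"],
    "picture": ["/https:~1~1example.com~1claims/picture"],
    "locale": ["/locale"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(apply_claims_mapping(SAMPLE_IDP_CLAIMS, SAMPLE_MAPPING), indent=2))
```

When testing a mapping against a real IDP, compare idpClaims and resultantClaims from GET /identity-providers/{id}/test-result with what this function produces; a sub pointer that silently falls back to a less unique claim (an email or display name) is the mistake worth catching before promoting the configuration.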

OpenIDConfiguration

object

OpenID configuration

Properties

issuer
string

OpenID Provider issuer

authorization_endpoint
string

OAuth 2.0 Authorization Endpoint

token_endpoint
string

OAuth 2.0 Token Endpoint

userinfo_endpoint
optional
string

URL of the OP's UserInfo Endpoint

jwks_uri
string

URL of the OP's JSON Web Key Set [JWK] document

introspection_endpoint
optional
string

The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.

end_session_endpoint
optional
string

URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

CreateCommonPayload

object

Properties

tenantIds
Array<string>

The tenant identifiers that map to the given IDP

protocol

The protocol to be used for communicating with the identity provider.

Enum:

OIDC

jwtAuth

qsefw-local-bearer-token

provider

The identity provider to be used. external is reserved for JWT Auth identity providers.

Enum:

auth0

okta

qlik

generic

salesforce

keycloak

adfs

external

interactive
default=false
boolean

Indicates whether the IDP is meant for interactive login

description
optional
string

No description

createNewUsersOnLogin
optional, default=true
boolean

Tells the consumer of the IDP that new users should be created on login if they don't exist

postLogoutRedirectUri
optional
string

Direct the user on logout to a specific URI

clockToleranceSec
optional, default=5, minimum=0, maximum=7200
number

There can be clock skew between the IDP and Qlik's login server; in these cases a tolerance can be set. Decimals are rounded off.

CreateOIDCPayload

Payload for creating an OIDC-compatible identity provider.

Properties

tenantIds
array

The tenant identifiers that map to the given IDP

protocol
string

No description

provider

The identity provider to be used. external is reserved for JWT Auth identity providers.

Enum:

auth0

okta

qlik

generic

salesforce

keycloak

adfs

external

interactive
default=false
boolean

Indicates whether the IDP is meant for interactive login

description
string

No description

createNewUsersOnLogin
default=true
boolean

Tells the consumer of the IDP that new users should be created on login if they don't exist

postLogoutRedirectUri
string

Direct the user on logout to a specific URI

clockToleranceSec
default=5, minimum=0, maximum=7200
number

There can be clock skew between the IDP and Qlik's login server; in these cases a tolerance can be set. Decimals are rounded off.

options

No description

pendingOptions

No description

CreateJWTAuthPayload

Payload for creating an identity provider using JWT authentication.

Properties

tenantIds
array

The tenant identifiers that map to the given IDP

protocol
string

No description

provider

The identity provider to be used. external is reserved for JWT Auth identity providers.

Enum:

auth0

okta

qlik

generic

salesforce

keycloak

adfs

external

interactive
default=false
boolean

Indicates whether the IDP is meant for interactive login

description
string

No description

createNewUsersOnLogin
default=true
boolean

Tells the consumer of the IDP that new users should be created on login if they don't exist

postLogoutRedirectUri
string

Direct the user on logout to a specific URI

clockToleranceSec
default=5, minimum=0, maximum=7200
number

There can be clock skew between the IDP and Qlik's login server; in these cases a tolerance can be set. Decimals are rounded off.

issuer
string

The JWT issuer

staticKeys

Keys for verifying JWTs. Limited to 1 key per identity provider.
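A jwtAuth IDP is defined by three verification inputs from the payload above: issuer, a single staticKeys entry, and clockToleranceSec (rounded to an integer, 0..7200). The following added example, which is not Qlik's verifier, shows what a consumer of such an IDP has to check on an incoming token: the kid must name the IDP's only static key, the signature must verify under that key, iss must equal the configured issuer, and exp/nbf are compared with the tolerance applied. To stay dependency-free it signs and verifies with HS256 using a shared secret stored in the static key; the page does not name the algorithms Qlik accepts, and a production staticKeys entry would normally hold a public key verified with an asymmetric algorithm, so swap the two hmac calls for a JOSE library in real use. The key and token are constructed inside the example.

```python
"""Verify a jwtAuth bearer token: kid, signature, issuer, and exp/nbf with clock tolerance."""
import base64, hashlib, hmac, json, time
from typing import List, Optional


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def normalise_tolerance(value: float) -> int:
    """clockToleranceSec as documented: decimals rounded off, range 0..7200."""
    return max(0, min(7200, int(round(value))))


def sign_hs256(claims: dict, kid: str, secret: bytes) -> str:
    """Mint a token the way the external issuer would (HS256 chosen for self-containment)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64u(json.dumps(header).encode())}.{_b64u(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64u(sig)}"


class JwtAuthIdp:
    """The subset of an IDPJWTAuth document this example needs."""

    def __init__(self, issuer: str, static_keys: List[dict], clock_tolerance_sec: float = 5):
        if len(static_keys) != 1:
            raise ValueError("staticKeys is limited to 1 key per identity provider")
        self.issuer, self.key = issuer, static_keys[0]
        self.tolerance = normalise_tolerance(clock_tolerance_sec)

    def verify(self, token: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        try:
            h64, p64, s64 = token.split(".")
            header, claims = json.loads(_b64u_decode(h64)), json.loads(_b64u_decode(p64))
        except (ValueError, UnicodeDecodeError) as e:
            raise ValueError("malformed token") from e
        # Pin the algorithm: never let the token's own header pick it (alg=none attacks).
        if header.get("alg") != "HS256":
            raise ValueError(f"unsupported alg {header.get('alg')!r}")
        if header.get("kid") != self.key["kid"]:
            raise ValueError("kid does not match the IDP's static key")
        expected = hmac.new(self.key["secret"], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(s64)):
            raise ValueError("bad signature")
        if claims.get("iss") != self.issuer:
            raise ValueError("issuer mismatch")
        # Tolerance widens the validity window on both ends; exp is mandatory.
        if "exp" not in claims or now > claims["exp"] + self.tolerance:
            raise ValueError("token expired")
        if now < claims.get("nbf", 0) - self.tolerance:
            raise ValueError("token not yet valid")
        return claims


# Constructed sample: one static key (assumed shape) and a token minted by the issuer.
SECRET = b"constructed-demo-secret"
IDP = JwtAuthIdp("https://issuer.example.com", [{"kid": "k1", "secret": SECRET}],
                 clock_tolerance_sec=4.6)            # rounds to 5 seconds
NOW = 1_700_000_000
TOKEN = sign_hs256({"iss": "https://issuer.example.com", "sub": "alice",
                    "nbf": NOW, "exp": NOW + 300}, "k1", SECRET)


def check(token: str = TOKEN, at: float = NOW) -> str:
    """Outcome of verifying `token` at time `at`, as a short string."""
    try:
        return "ok:" + IDP.verify(token, now=at)["sub"]
    except ValueError as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    print(check(), check(at=NOW + 305), check(at=NOW + 306))
```

The tolerance is the only knob the IDP definition gives you for skew, so keep it small: every second of tolerance is a second an expired or not-yet-valid token is still accepted.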

IDPPatchSchema

Enum

A patch request for an identity provider using the OIDC protocol (PatchOIDCPayload).

A patch request for an identity provider using the jwtAuth protocol (PatchJWTAuthPayload).

PatchOIDCPayload

object

A patch request for an identity provider using the OIDC protocol.

Properties

op
string

The "operation" to be performed on a given IDP. Besides replace, a custom operation value "promote-options" promotes the test configuration (pendingOptions) to the current configuration (options) used for login.

Enum:

replace

promote-options

path
optional
string

The "path" to the part of the IDP document.

Enum:

/active

/description

/meta

/options

/options/realm

/options/discoveryUrl

/options/clientId

/options/clientSecret

/pendingOptions

/pendingOptions/realm

/pendingOptions/discoveryUrl

/pendingOptions/clientId

/pendingOptions/clientSecret

/pendingOptions/emailVerifiedAlwaysTrue

/postLogoutRedirectUri

/clockToleranceSec

value
optional

The "value" data type is dependent on the path value being used.
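The pieces documented on this page fit together as a test-then-promote flow: a replace on a /pendingOptions/... path stages a configuration, edge-auth records the outcome of testing it through PUT /identity-providers/{id}/test-result, an admin reads it back with GET, and a promote-options patch makes the staged options live. The QLIK-IDP-POPTS-MATCH header is what keeps that sequence safe against concurrent edits: the 412 and the configChangedDuringTestError status both exist so that a promote can never apply options other than the ones that were tested. The example below is added here and is not Qlik's code; it drives that flow against an in-memory fake that models only the documented contract (replace and promote-options, 412 on a missing or stale header, 400 on an invalid state transition, PUT/GET test-result). Assumptions the page does not state: the current hash (qlikIdpPopts) is returned to the caller in a QLIK-IDP-POPTS response header after a PATCH, the hash is a SHA-256 over canonical pendingOptions JSON, and edge-auth's browser-driven test is stood in for by a direct PUT. The sample IDP document is constructed.

```python
"""Test-then-promote flow for an OIDC IDP's pendingOptions against a fake service."""
import copy, hashlib, json
from typing import Dict, Optional, Tuple

Resp = Tuple[int, dict, Dict[str, str]]          # (status, body, response headers)
POPTS, POPTS_MATCH = "QLIK-IDP-POPTS", "QLIK-IDP-POPTS-MATCH"


def popts_hash(pending_options: dict) -> str:
    """Assumed hash of the configuration under test (the page only says 'a hash')."""
    return hashlib.sha256(json.dumps(pending_options, sort_keys=True).encode()).hexdigest()


def _error(status: int, code: str, title: str) -> Resp:
    return status, {"errors": [{"code": code, "title": title, "status": status}]}, {}


class FakeIdpService:
    """Minimal stand-in for the identity-providers service, one IDP document."""

    def __init__(self, idp: dict):
        self.idp = copy.deepcopy(idp)
        self.idp.setdefault("pendingOptions", copy.deepcopy(idp["options"]))
        self.idp.setdefault("pendingState", "verified")
        self.idp.setdefault("pendingResult", None)

    def _precondition(self, headers: Dict[str, str]) -> Optional[Resp]:
        if headers.get(POPTS_MATCH) != popts_hash(self.idp["pendingOptions"]):
            return _error(412, "PRECONDITION_FAILED", "missing or stale " + POPTS_MATCH)
        return None

    def patch(self, ops: list, headers: Dict[str, str]) -> Resp:
        for op in ops:
            if op["op"] == "replace" and op["path"].startswith("/pendingOptions/"):
                self.idp["pendingOptions"][op["path"].split("/", 2)[2]] = op["value"]
                self.idp["pendingState"], self.idp["pendingResult"] = "pending", None
            elif op["op"] == "promote-options":
                err = self._precondition(headers)
                if err:
                    return err
                if self.idp["pendingState"] != "verified":
                    return _error(400, "INVALID_STATE_TRANSITION", "pendingOptions not verified")
                self.idp["options"] = copy.deepcopy(self.idp["pendingOptions"])
            else:
                return _error(400, "BAD_REQUEST", "unsupported op/path")
        return 204, {}, {POPTS: popts_hash(self.idp["pendingOptions"])}

    def put_test_result(self, result: dict, headers: Dict[str, str]) -> Resp:
        err = self._precondition(headers)           # edge-auth must echo the hash it tested
        if err:
            return err
        self.idp["pendingResult"] = result
        self.idp["pendingState"] = "verified" if result["status"] == "success" else "error"
        return 204, {}, {}

    def get_test_result(self) -> Resp:
        r = self.idp["pendingResult"]
        return (200, r, {}) if r else (204, {}, {})


# ---- client side --------------------------------------------------------------
def stage_client_secret(svc: FakeIdpService, new_secret: str) -> str:
    """PATCH replace /pendingOptions/clientSecret; return the hash to echo back later."""
    status, body, hdrs = svc.patch(
        [{"op": "replace", "path": "/pendingOptions/clientSecret", "value": new_secret}], {})
    if status != 204:
        raise RuntimeError(f"stage failed: {status} {body}")
    return hdrs[POPTS]


def promote_if_verified(svc: FakeIdpService, expected_hash: str) -> int:
    """Promote only after GET test-result reports success; return the PATCH status."""
    status, result, _ = svc.get_test_result()
    if status != 200 or result.get("status") != "success":
        raise RuntimeError("no successful test result for the staged configuration")
    status, _, _ = svc.patch([{"op": "promote-options"}], {POPTS_MATCH: expected_hash})
    return status


SAMPLE_IDP = {"id": "idp-1", "protocol": "OIDC", "provider": "generic", "interactive": True,
              "options": {"discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
                          "clientId": "qlik", "clientSecret": "old"}}


def scenario_happy_path() -> dict:
    svc = FakeIdpService(SAMPLE_IDP)
    h = stage_client_secret(svc, "new")
    svc.put_test_result({"status": "success", "idpClaims": {"sub": "alice"},
                         "resultantClaims": {"sub": "alice"}}, {POPTS_MATCH: h})   # edge-auth
    return {"status": promote_if_verified(svc, h),
            "live_secret": svc.idp["options"]["clientSecret"], "state": svc.idp["pendingState"]}


def scenario_changed_during_test() -> dict:
    """A second admin restages between the test and the promote: the stale hash gets 412."""
    svc = FakeIdpService(SAMPLE_IDP)
    h = stage_client_secret(svc, "new")
    svc.put_test_result({"status": "success"}, {POPTS_MATCH: h})
    stage_client_secret(svc, "other")                     # concurrent change invalidates h
    status, _, _ = svc.patch([{"op": "promote-options"}], {POPTS_MATCH: h})
    return {"status": status, "live_secret": svc.idp["options"]["clientSecret"]}
```

The point of the second scenario is that a 412 must be treated as "start over": re-read the IDP, re-test, and only then promote. Retrying the same promote with a freshly fetched hash would silently promote a configuration nobody tested.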

PatchJWTAuthPayload

object

A patch request for an identity provider using the jwtAuth protocol.

Properties

op
string

The "operation" to be performed on a given IDP.

Enum:

replace

path
optional
string

The "path" to the part of the IDP document.

Enum:

/description

value
optional

The "value" data type is dependent on the path value being used.

IDPArray

object

Properties

data
Array<IDP>

An array of IDPs.

links

Contains pagination links

IDPProtocol

string

The protocol to be used for communicating with the identity provider.

IDPProvider

string

The identity provider to be used. external is reserved for JWT Auth identity providers.

BaseIDP

object

Properties

id
string

The unique identifier for the IDP

tenantIds
Array<string>

The tenant identifiers associated with the given IDP

protocol

The protocol to be used for communicating with the identity provider.

Enum:

OIDC

jwtAuth

qsefw-local-bearer-token

provider

The identity provider to be used. external is reserved for JWT Auth identity providers.

Enum:

auth0

okta

qlik

generic

salesforce

keycloak

adfs

external

interactive
boolean

Indicates the type of connection with the IDP, either interactive login or a machine to machine connection.

active
boolean

Indicates whether the IDP is available for use.

createNewUsersOnLogin
boolean

When the flag is true, new users should be created when logging in for the first time.

postLogoutRedirectUri
string

Direct the user on logout to a specific URI

created
string

The timestamp for when the IDP was created.

lastUpdated
string

The timestamp for when the IDP was last updated.

description
string

No description

meta
object

No description

clockToleranceSec
number

No description

IDP

Enum

An OIDC-compliant identity provider.

An identity provider for JWT authentication.

IDPOIDC

An OIDC-compliant identity provider.

Properties

id
string

The unique identifier for the IDP

tenantIds
array

The tenant identifiers associated with the given IDP

protocol

The protocol to be used for communicating with the identity provider.

Enum:

OIDC

jwtAuth

qsefw-local-bearer-token

provider

The identity provider to be used. external is reserved for JWT Auth identity providers.

Enum:

auth0

okta

qlik

generic

salesforce

keycloak

adfs

external

interactive
boolean

Indicates the type of connection with the IDP, either interactive login or a machine to machine connection.

active
boolean

Indicates whether the IDP is available for use.

createNewUsersOnLogin
boolean

When the flag is true, new users should be created when logging in for the first time.

postLogoutRedirectUri
string

Direct the user on logout to a specific URI

created
string

The timestamp for when the IDP was created.

lastUpdated
string

The timestamp for when the IDP was last updated.

description
string

No description

meta
object

No description

clockToleranceSec
number

No description

options

No description

pendingOptions

No description

pendingResult

No description

pendingState
string

The state of pendingOptions. This represents the latest idp test result.

Enum:

verified

pending

error

IDPJWTAuth

An identity provider for JWT authentication.

Properties

id
string

The unique identifier for the IDP

tenantIds
array

The tenant identifiers associated with the given IDP

protocol

The protocol to be used for communicating with the identity provider.

Enum:

OIDC

jwtAuth

qsefw-local-bearer-token

provider

The identity provider to be used. external is reserved for JWT Auth identity providers.

Enum:

auth0

okta

qlik

generic

salesforce

keycloak

adfs

external

interactive
boolean

Indicates the type of connection with the IDP, either interactive login or a machine to machine connection.

active
boolean

Indicates whether the IDP is available for use.

createNewUsersOnLogin
boolean

When the flag is true, new users should be created when logging in for the first time.

postLogoutRedirectUri
string

Direct the user on logout to a specific URI

created
string

The timestamp for when the IDP was created.

lastUpdated
string

The timestamp for when the IDP was last updated.

description
string

No description

meta
object

No description

clockToleranceSec
number

No description

options

No description

IDPOptions

object

Properties

realm
string

The realm identifier for the IDP.

discoveryUrl
string

The OpenID configuration endpoint. (Ex: https://<domain>/.well-known/openid-configuration)

clientId
string

The client identifier used as part of authenticating an interactive identity provider

clientSecret
string

The client secret used as part of authenticating an interactive identity provider

claimsMapping

Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.

scope
string

Scope which will be sent along with token requests to the IDP

issuer
string

The issuer. This field is only used in QSEfW IDPs.

emailVerifiedAlwaysTrue
boolean

Determines whether email_verified should always be treated as true. This field is only used in ADFS and AzureAD IDPs.

openid_configuration

OpenID configuration

IDPsStatus

object

Properties

active_interactive_idps_count
number

The number of active interactive IDPs.

idps_metadata
Array<object>

A list of IDP metadata

PendingResult

object

Properties

status
string

The status of the IDP configuration being tested.

Enum:

success

pending

error

claimsError

callbackError

tokenError

protocolError

networkError

configChangedDuringTestError

started
optional
string<date-time>

The timestamp for when the test was started for an IDP configuration. This field is only available during the lifespan of the test.

idpClaims
optional
object

The claims retrieved from the external IDP.

resultantClaims
optional
object

The resultant claims based on the claims received from the external IDP

oauth2Error

No description

error
optional
string

A unique readable error message based on the error that has occurred.

Errors

object

A representation of the errors encountered from the HTTP request.

Properties

errors

No description

Error

object

An error object.

Properties

code
string

The error code.

title
string

Summary of the problem.

status
optional
number

The HTTP status code.

detail
optional
string

A human-readable explanation specific to this occurrence of the problem.

meta
optional
object

Additional properties relating to the error.

source
optional

References to the source of the error.

v1.6.0