identity-providers

Use to return the idp with the specified id

This endpoint is used to retrieve an identity providers from the service. It returns a valid 200 OK response in case the idp exists and the user (TenantAdmin) or service (edge-auth) is authorized to view the contents. It returns a 404 Not Found if the criteria is not met.

Path Parameters

string

The identity-provider ID

Responses

200 application/json IDP	Success
401 application/json Errors	Unauthorized
404 application/json Errors	Not Found

GET

/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "id": "string",
  "tenantIds": [],
  "provider": "auth0",
  "protocol": "OIDC",
  "interactive": true,
  "active": true,
  "createNewUsersOnLogin": true,
  "postLogoutRedirectUri": "string",
  "options": {
    "realm": "string",
    "discoveryUrl": "string",
    "clientId": "string",
    "clientSecret": "string",
    "claimsMapping": {
      "sub": [],
      "name": [],
      "groups": [],
      "client_id": [],
      "email": [],
      "picture": [],
      "locale": [],
      "zoneinfo": []
    },
    "scope": "string",
    "issuer": "string",
    "emailVerifiedAlwaysTrue": true,
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    }
  },
  "pendingOptions": {
    "realm": "string",
    "discoveryUrl": "string",
    "clientId": "string",
    "clientSecret": "string",
    "claimsMapping": {
      "sub": [],
      "name": [],
      "groups": [],
      "client_id": [],
      "email": [],
      "picture": [],
      "locale": [],
      "zoneinfo": []
    },
    "scope": "string",
    "issuer": "string",
    "emailVerifiedAlwaysTrue": true,
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    }
  },
  "created": "string",
  "lastUpdated": "string",
  "pendingResult": {
    "status": "success",
    "started": "2021-02-22T12:34:41.077Z",
    "idpClaims": {},
    "resultantClaims": {},
    "oauth2Error": {
      "error": "string",
      "errorDescription": "string",
      "errorURI": "string"
    },
    "error": "string"
  },
  "pendingState": "verified",
  "description": "string",
  "meta": {},
  "clockToleranceSec": 0
}

Updated the idp with the specified id

This endpoint is used to patch an identity provider from the service. It returns a valid 204 when the idp is patched. Only a tenanted edge-auth request or a user with the role of TenantAdmin and tenant access can patch an associated IDP. Partial failure is treated as complete failure and returns an error.

Header Parameters

QLIK-IDP-POPTS-MATCH

qlikIdpPoptsMatch

A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested.

Path Parameters

string

The identity-provider ID

Request Body

application/json

Patch

No description

Responses

204 object	Success
400 application/json Errors	Bad request. The issue can range from invalid requestbody or url, to an invalid state transition.
401 application/json Errors	Unauthorized
403 application/json Errors	Access Denied. Only a tenanted edge-auth or tenantadmin user request can patch an idp.
404 application/json Errors	Not Found
412 application/json Errors	Precondition Failed. Missing QLIK-IDP-OPTS-MATCH header, or value doesn't match againsts IDP test configuration value.
500 application/json Errors	Internal server error, the operation failed unexpectedly

PATCH

/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -X PATCH \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"op":"replace","path":"/active"}'

Request

{
  "op": "replace",
  "path": "/active"
}

Deletes the idp with the specified id

This endpoint is used to delete an identity providers from the service. It returns a valid 204 when the idp is deleted. Only a user with the role of TenantAdmin and tenant access can delete an associated IDP. Edge-auth can also delete.

Path Parameters

string

The identity-provider ID

Responses

204 object	Success
400 application/json Errors	Bad request. The interactive IDP for the tenant can't be deleted.
404 application/json Errors	Not Found

DELETE

/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -X DELETE \
 -H "Authorization: Bearer <API-key>"

Use to create a pendingResult for the specified idp ID

This endpoint is used to create a pending result. It returns a valid 204 No Content response in case the pending result was succesfully created, only edge-auth is authorized to create a pendingResult.

Header Parameters

QLIK-IDP-POPTS-MATCH

qlikIdpPoptsMatch

A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested.

Path Parameters

string

The identity-provider ID

Responses

200 application/json PendingResult	Success
204 object	No Content
400 application/json Errors	Bad Request
404 application/json Errors	Not Found
412 application/json Errors	Precondition Failed. Missing QLIK-IDP-OPTS-MATCH header, or value doesn't match againsts IDP test configuration value.

PUT

/identity-providers/{id}/test-result

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}/test-result" \
 -X PUT \
 -H "Authorization: Bearer <API-key>"

Response

{
  "status": "success",
  "started": "2021-02-22T12:34:41.077Z",
  "idpClaims": {},
  "resultantClaims": {},
  "oauth2Error": {
    "error": "string",
    "errorDescription": "string",
    "errorURI": "string"
  },
  "error": "string"
}

Use to return the pending result with the specified id

This endpoint is used to retrieve an pending result from the service. It returns a valid 200 OK response in case the pending result exists and the user (TenantAdmin) or service (edge-auth) is authorized to view the contents. It returns a 204 No content if there is no pending result.

Path Parameters

string

The identity-provider ID

Responses

200 application/json PendingResult	Success
204 object	No Content
404 application/json Errors	Not Found

GET

/identity-providers/{id}/test-result

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}/test-result" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "status": "success",
  "started": "2021-02-22T12:34:41.077Z",
  "idpClaims": {},
  "resultantClaims": {},
  "oauth2Error": {
    "error": "string",
    "errorDescription": "string",
    "errorURI": "string"
  },
  "error": "string"
}

Use to retrieve an idp or idps for a specified tenantId

This endpoint is used to retrieve one or multiple identity-providers relating to a tenantID. The tenantID in the JWT will be used to fetch the identity-provider.

Query Parameters

limit optional, default=20, minimum=1, maximum=100 number	The number of IDP entries to retrieve.
next optional string	The next page cursor.
prev optional string	The previous page cursor.

Responses

200 application/json IDPArray	Success
404 application/json Errors	Not Found

GET

/identity-providers

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "data": [
    {
      "id": "string",
      "tenantIds": [],
      "provider": "auth0",
      "protocol": "OIDC",
      "interactive": true,
      "active": true,
      "createNewUsersOnLogin": true,
      "postLogoutRedirectUri": "string",
      "options": {
        "realm": "string",
        "discoveryUrl": "string",
        "clientId": "string",
        "clientSecret": "string",
        "claimsMapping": {
          "sub": [],
          "name": [],
          "groups": [],
          "client_id": [],
          "email": [],
          "picture": [],
          "locale": [],
          "zoneinfo": []
        },
        "scope": "string",
        "issuer": "string",
        "emailVerifiedAlwaysTrue": true,
        "openid_configuration": {
          "issuer": "string",
          "authorization_endpoint": "string",
          "token_endpoint": "string",
          "userinfo_endpoint": "string",
          "jwks_uri": "string",
          "introspection_endpoint": "string",
          "end_session_endpoint": "string"
        }
      },
      "pendingOptions": {
        "realm": "string",
        "discoveryUrl": "string",
        "clientId": "string",
        "clientSecret": "string",
        "claimsMapping": {
          "sub": [],
          "name": [],
          "groups": [],
          "client_id": [],
          "email": [],
          "picture": [],
          "locale": [],
          "zoneinfo": []
        },
        "scope": "string",
        "issuer": "string",
        "emailVerifiedAlwaysTrue": true,
        "openid_configuration": {
          "issuer": "string",
          "authorization_endpoint": "string",
          "token_endpoint": "string",
          "userinfo_endpoint": "string",
          "jwks_uri": "string",
          "introspection_endpoint": "string",
          "end_session_endpoint": "string"
        }
      },
      "created": "string",
      "lastUpdated": "string",
      "pendingResult": {
        "status": "success",
        "started": "2021-02-22T12:34:41.077Z",
        "idpClaims": {},
        "resultantClaims": {},
        "oauth2Error": {
          "error": "string",
          "errorDescription": "string",
          "errorURI": "string"
        },
        "error": "string"
      },
      "pendingState": "verified",
      "description": "string",
      "meta": {},
      "clockToleranceSec": 0
    }
  ],
  "links": {
    "self": {
      "href": "string"
    },
    "next": {
      "href": "string"
    },
    "prev": {
      "href": "string"
    }
  }
}

Use to create a new identity provider resource

This endpoint is used to create an identity-provider resource. It returns a 201 Created when creation is successful, returns a 403 Forbidden for a non TenantAdmin user JWT or if the tenantID in the JWT does not match with any of the tenantIDs in the payload. An IDP can be created with pendingOptions or options depending whether the IDP is interactive or not.

Request Body

application/json

IDPPostSchema

No description

Responses

201 application/json IDP	Created
400 application/json Errors	Bad Request
403 application/json Errors	Forbidden

POST

/identity-providers

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
 -X POST \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"tenantIds":[],"provider":"auth0","protocol":"OIDC","interactive":true,"createNewUsersOnLogin":true,"postLogoutRedirectUri":"string","options":{"realm":"string","discoveryUrl":"string","audience":"string","claimsMapping":{"sub":[],"client_id":[]},"openid_configuration":{"issuer":"string","authorization_endpoint":"string","token_endpoint":"string","userinfo_endpoint":"string","jwks_uri":"string","introspection_endpoint":"string","end_session_endpoint":"string"},"allowedClientIds":[]},"pendingOptions":{"realm":"string","scope":"string","discoveryUrl":"string","clientId":"string","clientSecret":"string","emailVerifiedAlwaysTrue":true,"claimsMapping":{"sub":[],"name":[],"groups":[],"client_id":[],"email":[],"picture":[],"locale":[],"zoneinfo":[]},"openid_configuration":{"issuer":"string","authorization_endpoint":"string","token_endpoint":"string","userinfo_endpoint":"string","jwks_uri":"string","introspection_endpoint":"string","end_session_endpoint":"string"}},"description":"string","clockToleranceSec":5,"meta":{},"useClaimsFromIdToken":true}'

Request

{
  "tenantIds": [],
  "provider": "auth0",
  "protocol": "OIDC",
  "interactive": true,
  "createNewUsersOnLogin": true,
  "postLogoutRedirectUri": "string",
  "options": {
    "realm": "string",
    "discoveryUrl": "string",
    "audience": "string",
    "claimsMapping": {
      "sub": [],
      "client_id": []
    },
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    },
    "allowedClientIds": []
  },
  "pendingOptions": {
    "realm": "string",
    "scope": "string",
    "discoveryUrl": "string",
    "clientId": "string",
    "clientSecret": "string",
    "emailVerifiedAlwaysTrue": true,
    "claimsMapping": {
      "sub": [],
      "name": [],
      "groups": [],
      "client_id": [],
      "email": [],
      "picture": [],
      "locale": [],
      "zoneinfo": []
    },
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    }
  },
  "description": "string",
  "clockToleranceSec": 5,
  "meta": {},
  "useClaimsFromIdToken": true
}

Response

{
  "id": "string",
  "tenantIds": [],
  "provider": "auth0",
  "protocol": "OIDC",
  "interactive": true,
  "active": true,
  "createNewUsersOnLogin": true,
  "postLogoutRedirectUri": "string",
  "options": {
    "realm": "string",
    "discoveryUrl": "string",
    "clientId": "string",
    "clientSecret": "string",
    "claimsMapping": {
      "sub": [],
      "name": [],
      "groups": [],
      "client_id": [],
      "email": [],
      "picture": [],
      "locale": [],
      "zoneinfo": []
    },
    "scope": "string",
    "issuer": "string",
    "emailVerifiedAlwaysTrue": true,
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    }
  },
  "pendingOptions": {
    "realm": "string",
    "discoveryUrl": "string",
    "clientId": "string",
    "clientSecret": "string",
    "claimsMapping": {
      "sub": [],
      "name": [],
      "groups": [],
      "client_id": [],
      "email": [],
      "picture": [],
      "locale": [],
      "zoneinfo": []
    },
    "scope": "string",
    "issuer": "string",
    "emailVerifiedAlwaysTrue": true,
    "openid_configuration": {
      "issuer": "string",
      "authorization_endpoint": "string",
      "token_endpoint": "string",
      "userinfo_endpoint": "string",
      "jwks_uri": "string",
      "introspection_endpoint": "string",
      "end_session_endpoint": "string"
    }
  },
  "created": "string",
  "lastUpdated": "string",
  "pendingResult": {
    "status": "success",
    "started": "2021-02-22T12:34:41.077Z",
    "idpClaims": {},
    "resultantClaims": {},
    "oauth2Error": {
      "error": "string",
      "errorDescription": "string",
      "errorURI": "string"
    },
    "error": "string"
  },
  "pendingState": "verified",
  "description": "string",
  "meta": {},
  "clockToleranceSec": 0
}

Use to return identity providers' metadata

This endpoint is used to retrieve identity providers metadata.

Responses

200

application/json

object

Success

GET

/identity-providers/.well-known/metadata.json

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/.well-known/metadata.json" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "undefined": {}
}

Use to return active interactive IDP metadata

This endpoint is used to retrieve IDP metadata.

Responses

200 application/json object	Success
403 application/json Errors	Forbidden
404 application/json Errors	Not Found
500 application/json Errors	Internal server error

GET

/identity-providers/me/meta

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/me/meta" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "undefined": {}
}

Use to return current status of idp configurations.

This endpoint is used to retrieve the status of idp configurations

Responses

200 application/json IDPsStatus	Success
403 application/json Errors	Forbidden
404 application/json Errors	Not Found
500 application/json Errors	Internal Server Error

GET

/identity-providers/status

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/status" \
 -H "Authorization: Bearer <API-key>"

Response

{
  "active_interactive_idps_count": 0,
  "idps_metadata": []
}

Properties

sub Array<string>	A list of jsonpointers used to map the user's subject.
name Array<string>	A list of jsonpointers used to map the user's name.
groups Array<string>	A list of jsonpointers used to map the user's groups.
client_id Array<string>	A list of jsonpointers used to map the user's client id.
email Array<string>	A list of jsonpointers used to map the user's email.
picture Array<string>	A list of jsonpointers used to map the user's picture.
locale Array<string>	A list of jsonpointers used to map the user's locale.
zoneinfo Array<string>	A list of jsonpointers used to map the user's zoneinfo.

claimsMappingNonInteractive

object

Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.

Properties

sub Array<string>	A list of jsonpointers used to map the user's subject.
client_id Array<string>	A list of jsonpointers used to map the user's client id.

OpenIDConfiguration

object

OpenID configuration

Properties

issuer string	OpenID Provider issuer
authorization_endpoint string	OAuth 2.0 Authorization Endpoint
token_endpoint string	OAuth 2.0 Token Endpoint
userinfo_endpoint optional string	URL of the OP's UserInfo Endpoint
jwks_uri string	URL of the OP's JSON Web Key Set [JWK] document
introspection_endpoint optional string	The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.
end_session_endpoint optional string	URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

IDPPostSchema

object

Properties

tenantIds Array<string>	The tenant identifiers that map to the given IDP
provider string	The identity provider to be used. Enum: auth0 okta qlik generic salesforce keycloak adfs
protocol string	The protocol to be used for communicating with the identity provider. Enum: OIDC qsefw-local-bearer-token
interactive default=false boolean	Indicates wether the IDP is used for login or M2M
createNewUsersOnLogin optional, default=true boolean	Tells the consumer of the IDP that new users should be created on login if they don't exist
postLogoutRedirectUri optional string	Direct the user on logout to a specific URI
options object	No description
pendingOptions object	No description
description optional string	No description
clockToleranceSec optional, default=5, minimum=0, maximum=7200 number	There can be clock skew between the IDP and edge-auth, in these cases a tolerance can be set, decimals will be rounded off.
meta optional object	The identity provider metadata
useClaimsFromIdToken optional boolean	This flag instructs edge-auth to use the ID token for claims, instead of the userinfo response.

IDPPatchSchema

Array<Patch>

Properties

op string	The "operation" to be performed on a given IDP. Currently supports a custom operation value called "promote-options" that allows the test configuration to be promoted to the current configuration used for login. Enum: replace promote-options
path optional string	The "path" to the part of the IDP document. Enum: /active /description /meta /options /options/realm /options/discoveryUrl /options/clientId /options/clientSecret /pendingOptions /pendingOptions/realm /pendingOptions/discoveryUrl /pendingOptions/clientId /pendingOptions/clientSecret /pendingOptions/emailVerifiedAlwaysTrue /postLogoutRedirectUri /clockToleranceSec
value optional	The "value" data type is dependent on the path value being used.

Patch

object

Properties

op string	The "operation" to be performed on a given IDP. Currently supports a custom operation value called "promote-options" that allows the test configuration to be promoted to the current configuration used for login. Enum: replace promote-options
path optional string	The "path" to the part of the IDP document. Enum: /active /description /meta /options /options/realm /options/discoveryUrl /options/clientId /options/clientSecret /pendingOptions /pendingOptions/realm /pendingOptions/discoveryUrl /pendingOptions/clientId /pendingOptions/clientSecret /pendingOptions/emailVerifiedAlwaysTrue /postLogoutRedirectUri /clockToleranceSec
value optional	The "value" data type is dependent on the path value being used.

IDPArray

object

Properties

data Array<IDP>	An array of IDPs.
links Links	Contains pagination links

Links

object

Contains pagination links

Properties

self object	No description
next object	No description
prev object	No description

IDP

object

Properties

id string	The unique identifier for the IDP
tenantIds Array<string>	The tenant identifiers associated with the given IDP
provider string	The identity provider name Enum: auth0 okta
protocol string	The protocol used for connecting to the identity provider Enum: OIDC qsefw-local-bearer-token
interactive boolean	Indicates the type of connection with the IDP, either interactive login or a machine to machine connection.
active boolean	Indicates wether the IDP is available for use.
createNewUsersOnLogin boolean	When the flag is true, new users should be created when logging in for the first time.
postLogoutRedirectUri string	Direct the user on logout to a specific URI
options IDPOptions	No description
pendingOptions IDPOptions	No description
created string	The timestamp for when the IDP was created.
lastUpdated string	The timestamp for when the IDP was last updated.
pendingResult PendingResult	No description
pendingState string	The state of pendingOptions. This represents the latest idp test result. Enum: verified pending error
description string	No description
meta object	No description
clockToleranceSec number	No description

IDPOptions

object

Properties

realm string	The realm identifier for the IDP.
discoveryUrl string	The OpenID configuration endpoint. (Ex: https://<domain>/.well-known/openid-configuration)
clientId string	The client identifier used as part of authenticating an interactive identity provider
clientSecret string	The client secret used as part of authenticating an interactive identity provider
claimsMapping claimsMappingInteractive	Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.
scope string	Scope which will be sent along with token requests to the IDP
issuer string	The issuer, this field is only used in QSEfW IDPs
emailVerifiedAlwaysTrue boolean	Determines if email_verified should be always true. This field is only used in ADFS and AzureAD IDPs
openid_configuration OpenIDConfiguration	OpenID configuration

IDPsStatus

object

Properties

active_interactive_idps_count number	The number of active interactive IDPs.
idps_metadata Array<object>	A list of IDP metadata

PendingResult

object

Properties

status string	The status of the IDP configuration being tested. Enum: success pending error claimsError callbackError tokenError protocolError networkError configChangedDuringTestError
started optional string<date-time>	The timestamp for when the test was started for an IDP configuration. This field is only available during lifespan of the test.
idpClaims optional object	The claims retrieved from the external IDP.
resultantClaims optional object	The resultant claims based on the claims received from the external IDP
oauth2Error object	No description
error optional string	A unique readable error message based on the error that has occurred.

Errors

object

A representation of the errors encountered from the HTTP request.

Properties

errors

Array<Error>

No description

Error

object

An error object.

Properties

code string	The error code.
title string	Summary of the problem.
status optional number	The HTTP status code.
detail optional string	A human-readable explanation specific to this occurrence of the problem.
meta optional object	Additional properties relating to the error.
source optional object	References to the source of the error.

v1.3.4

identity-providers

Endpoints

Path Parameters

Responses

GET

/identity-providers/{id}

Header Parameters

Path Parameters

Request Body

Responses

PATCH

/identity-providers/{id}

Path Parameters

Responses

DELETE

/identity-providers/{id}

Header Parameters

Path Parameters

Responses

PUT

/identity-providers/{id}/test-result

Path Parameters

Responses

GET

/identity-providers/{id}/test-result

Query Parameters

Responses

GET

/identity-providers

Request Body

Responses

POST

/identity-providers

Responses

GET

/identity-providers/.well-known/metadata.json

Responses

GET

/identity-providers/me/meta

Responses

GET

/identity-providers/status

Properties

Properties

Properties

Properties

Properties

Properties

Properties

Properties

Properties

Properties

Properties

Properties

Properties

Properties

Company

Legal

Forums