Endpoints
Skip to section| GET | /v1/identity-providers |
| POST | /v1/identity-providers |
| GET | /v1/identity-providers/.well-known/metadata.json |
| GET | /v1/identity-providers/{id} |
| PATCH | /v1/identity-providers/{id} |
| DELETE | /v1/identity-providers/{id} |
| GET | /v1/identity-providers/me/meta |
| GET | /v1/identity-providers/status |
Retrieves one or more IdPs for a specified tenantId.
This endpoint retrieves one or more identity providers from the service. The tenantID in the JWT will be used to fetch the identity provider.
Facts GET /v1/identity-providers
Rate limit required | Tier 1 (1000 requests per minute) |
Query Parameters GET /v1/identity-providers
active boolean | If provided, filters the results by the active field. |
limit default=20, minimum=1, maximum=100 number | The number of IdP entries to retrieve. |
next string | The next page cursor. |
prev string | The previous page cursor. |
Responses GET /v1/identity-providers
200 application/json | Success |
404 application/json | Not Found |
GET/v1/identity-providers
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
-H "Authorization: Bearer <API-key>"Response GET /v1/identity-providers
{
"data": [],
"links": {
"next": {
"href": "string"
},
"prev": {
"href": "string"
},
"self": {
"href": "string"
}
}
}Creates a new IdP
This endpoint creates an identity provider resource. It returns a 201 Created when creation is successful with a header "QLIK-IDP-POPTS" (A unique string representing a hash of the current configuration being tested), returns a 403 Forbidden for a non TenantAdmin user JWT or if the tenantID in the JWT does not match with any of the tenantIDs in the payload. An IdP can be created with Pending Options or options depending whether the IdP is interactive or not.
Facts POST /v1/identity-providers
Rate limit required | Tier 2 (100 requests per minute) |
Request Body POST /v1/identity-providers
application/json | Attributes that the user wants to set for a new identity provider resource. |
Responses POST /v1/identity-providers
201 application/json | Created |
400 application/json | Bad Request |
403 application/json | Forbidden |
POST/v1/identity-providers
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
-X POST \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json"Returns identity providers' metadata
This endpoint retrieves identity providers' metadata.
Facts GET /v1/identity-providers/.well-known/metadata.json
Rate limit required | Tier 1 (1000 requests per minute) |
Responses GET /v1/identity-providers/.well-known/metadata.json
200 application/json object | Success |
GET/v1/identity-providers/.well-known/metadata.json
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/.well-known/metadata.json" \
-H "Authorization: Bearer <API-key>"Response GET /v1/identity-providers/.well-known/metadata.json
{
"undefined": {}
}Returns the IdP with the specified ID
This endpoint is used to retrieve an identity provider from the service. It returns a valid 200 OK response when the IdP exists and the user (TenantAdmin) or service (edge-auth) is authorized to view the contents. Additionally, returns a header "QLIK-IDP-POPTS" (A unique string representing a hash of the current configuration being tested). It returns a 404 Not Found if the criteria is not met.
Facts GET /v1/identity-providers/{id}
Rate limit required | Tier 1 (1000 requests per minute) |
Path Parameters GET /v1/identity-providers/{id}
id required string | The identity provider ID. |
Responses GET /v1/identity-providers/{id}
200 application/json | Success |
401 application/json | Unauthorized |
404 application/json | Not Found |
GET/v1/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-H "Authorization: Bearer <API-key>"Updates the IdP with the specified ID
This endpoint patches an identity provider from the service. It returns a valid 204 when the IdP is patched. Only an edge-auth service request or a user with the role of TenantAdmin can patch an associated IdP. Partial failure is treated as complete failure and returns an error.
Facts PATCH /v1/identity-providers/{id}
Rate limit required | Tier 2 (100 requests per minute) |
Header Parameters PATCH /v1/identity-providers/{id}
QLIK-IDP-POPTS-MATCH | A unique string representing a hash that should map to an IdP's hash representation of the current configuration being tested. |
Path Parameters PATCH /v1/identity-providers/{id}
id required string | The identity provider ID. |
Request Body PATCH /v1/identity-providers/{id}
application/json | Attributes that the user wants to patially update for an identity provider resource. |
Responses PATCH /v1/identity-providers/{id}
204 object | Success |
400 application/json | Bad request. Invalid request body, URL, or state transition. |
401 application/json | Unauthorized |
403 application/json | Access Denied. Only the edge-auth service or TenantAdmin user request can patch an IdP. |
404 application/json | Not Found |
412 application/json | Precondition Failed. Missing QLIK-IDP-OPTS-MATCH header, or value doesn't match against IdP test configuration value. |
500 application/json | Internal server error, the operation failed unexpectedly |
PATCH/v1/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-X PATCH \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json"Deletes the IdP with the specified ID
This endpoint deletes an identity provider from the service. It returns a valid 204 when the IdP is deleted. Only a user with the role of TenantAdmin and tenant access can delete an associated IdP. Edge-auth service can also delete.
Facts DELETE /v1/identity-providers/{id}
Rate limit required | Tier 2 (100 requests per minute) |
Path Parameters DELETE /v1/identity-providers/{id}
id required string | The identity provider ID. |
Responses DELETE /v1/identity-providers/{id}
204 object | Success |
400 application/json | Bad request. The interactive IdP for the tenant can't be deleted. |
404 application/json | Not Found |
DELETE/v1/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-X DELETE \
-H "Authorization: Bearer <API-key>"Returns the active interactive IdP metadata
This endpoint retrieves IdP metadata.
Facts GET /v1/identity-providers/me/meta
Rate limit required | Tier 1 (1000 requests per minute) |
Responses GET /v1/identity-providers/me/meta
200 application/json | Success |
403 application/json | Forbidden |
404 application/json | Not Found |
500 application/json | Internal server error |
GET/v1/identity-providers/me/meta
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/me/meta" \
-H "Authorization: Bearer <API-key>"Response GET /v1/identity-providers/me/meta
{
"userPortalLink": "string",
"upgradeSubscriptionLink": "string"
}Returns the current status of IdP configurations
This endpoint retrieves the status of IdP configurations. Requires TenantAdmin role.
Facts GET /v1/identity-providers/status
Rate limit required | Tier 1 (1000 requests per minute) |
Responses GET /v1/identity-providers/status
200 application/json | Success |
403 application/json | Forbidden |
404 application/json | Not Found |
500 application/json | Internal Server Error |
GET/v1/identity-providers/status
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/status" \
-H "Authorization: Bearer <API-key>"Response GET /v1/identity-providers/status
{
"idps_metadata": [
{
"active": true,
"provider": "auth0",
"interactive": true
}
],
"active_interactive_idps_count": 0
}qlikIdpPopts
stringA unique string representing a hash of the current configuration being tested.
qlikIdpPoptsMatch
stringA unique string representing a hash that should map to an IdP's hash representation of the current configuration being tested.
BaseIDP
objectProperties
id string | The unique identifier for the IdP. |
meta object | No description |
active boolean | Indicates whether the IdP is available for use. |
created string<date-time> | The timestamp for when the IdP was created. |
protocol | The protocol to be used for communicating with the identity provider. Valid values are Enum: OIDC jwtAuth qsefw-local-bearer-token |
provider | The identity provider to be used. If protocol is Enum: auth0 okta qlik generic salesforce keycloak adfs external azureAD |
tenantIds Array<string> | The tenant identifiers associated with the given IdP. |
description string | No description |
interactive boolean | Indicates the type of connection with the IdP, either interactive login or a machine to machine connection. |
lastUpdated string<date-time> | The timestamp for when the IdP was last updated. |
clockToleranceSec number | No description |
createNewUsersOnLogin boolean | When the flag is true, new users should be created when logging in for the first time. |
postLogoutRedirectUri string | Direct the user on logout to a specific URI. |
claimsMappingInteractive
objectMappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from.
Properties
sub Array<string> | A list of JSON pointers used to map the user's subject. |
name Array<string> | A list of JSON pointers used to map the user's name. |
email Array<string> | A list of JSON pointers used to map the user's email. |
groups Array<string> | A list of JSON pointers used to map the user's groups. |
locale Array<string> | A list of JSON pointers used to map the user's locale. |
picture Array<string> | A list of JSON pointers used to map the user's picture. |
zoneinfo Array<string> | A list of JSON pointers used to map the user's zoneinfo. |
client_id Array<string> | A list of JSON pointers used to map the user's client ID. |
email_verified Array<string> | A list of JSON pointers used to map the user's email_verified claim. |
claimsMappingNonInteractive
objectMappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from.
Properties
sub Array<string> | A list of JSON pointers used to map the user's subject. |
client_id Array<string> | A list of JSON pointers used to map the user's client ID. |
CreateJWTAuthPayload
objectPayload for creating an identity provider using JWT authentication.
Properties
options required | Required IdP configurations. |
protocol required string | The protocol to be used for communicating with the identity provider. Enum: jwtAuth |
provider required string | The identity provider to be used. Enum: external |
tenantIds Array<string> | The tenant identifiers that map to the given IdP. |
description string | No description |
clockToleranceSec default=5, minimum=0, maximum=7200 number | There can be clock skew between the IdP and Qlik's login server, in these cases a tolerance can be set, decimals will be rounded off. |
CreateOIDCPayload
objectPayload for creating an OIDC-compatible identity provider.
Properties
options | Required OIDC configurations for non-interactive IdPs and interactive IdPs with |
protocol required string | The protocol to be used for communicating with the identity provider. Enum: OIDC |
provider required string | The identity provider to be used. Enum: auth0 okta generic salesforce keycloak adfs azureAD |
tenantIds Array<string> | The tenant identifiers that map to the given IdP. |
skipVerify default=false boolean | If set to |
description string | No description |
interactive required, default=false boolean | Indicates whether the IdP is meant for interactive login. |
pendingOptions | Required OIDC configurations for interactive IdPs that require verification. |
clockToleranceSec default=5, minimum=0, maximum=7200 number | There can be clock skew between the IdP and Qlik's login server. In these cases, a tolerance can be set, decimals will be rounded off. |
createNewUsersOnLogin default=true boolean | Tells the consumer of the IdP that new users should be created on login if they don't exist. |
postLogoutRedirectUri string | Direct the user on logout to a specific URI. |
Error
objectAn error object.
Properties
code required string | The error code. |
meta object | Additional properties relating to the error. |
title required string | Summary of the problem. |
detail string | A human-readable explanation specific to this occurrence of the problem. |
source | References to the source of the error. |
status number | The HTTP status code. |
Errors
objectA representation of the errors encountered from the HTTP request.
Properties
errors | No description |
IDP
oneOf
An OIDC-compliant identity provider. | |
An identity provider for JWT authentication. |
IDPArray
objectProperties
data Array<IDP> | An array of IdPs. |
links | Contains pagination links. |
IDPJWTAuth
An identity provider for JWT authentication.
Properties
id string | The unique identifier for the IdP. |
meta object | No description |
active boolean | Indicates whether the IdP is available for use. |
created string<date-time> | The timestamp for when the IdP was created. |
protocol | The protocol to be used for communicating with the identity provider. Valid values are Enum: OIDC jwtAuth qsefw-local-bearer-token |
provider | The identity provider to be used. If protocol is Enum: auth0 okta qlik generic salesforce keycloak adfs external azureAD |
tenantIds Array<string> | The tenant identifiers associated with the given IdP. |
description string | No description |
interactive boolean | Indicates the type of connection with the IdP, either interactive login or a machine to machine connection. |
lastUpdated string<date-time> | The timestamp for when the IdP was last updated. |
clockToleranceSec number | No description |
createNewUsersOnLogin boolean | When the flag is true, new users should be created when logging in for the first time. |
postLogoutRedirectUri string | Direct the user on logout to a specific URI. |
options | No description |
IDPMeta
objectProperties
userPortalLink string | A link to direct you to where you can manage your Qlik account. Only available if the default identity provider is used (no custom interactive identity providers are active). |
upgradeSubscriptionLink string | A link to direct you to where you can upgrade your trial or manage your subscriptions. Only available if the default identity provider is used (no custom interactive identity providers are active). |
IDPOIDC
An OIDC-compliant identity provider.
Properties
id string | The unique identifier for the IdP. |
meta object | No description |
active boolean | Indicates whether the IdP is available for use. |
created string<date-time> | The timestamp for when the IdP was created. |
protocol | The protocol to be used for communicating with the identity provider. Valid values are Enum: OIDC jwtAuth qsefw-local-bearer-token |
provider | The identity provider to be used. If protocol is Enum: auth0 okta qlik generic salesforce keycloak adfs external azureAD |
tenantIds Array<string> | The tenant identifiers associated with the given IdP. |
description string | No description |
interactive boolean | Indicates the type of connection with the IdP, either interactive login or a machine to machine connection. |
lastUpdated string<date-time> | The timestamp for when the IdP was last updated. |
clockToleranceSec number | No description |
createNewUsersOnLogin boolean | When the flag is true, new users should be created when logging in for the first time. |
postLogoutRedirectUri string | Direct the user on logout to a specific URI. |
options | No description |
pendingState string | The state of pendingOptions. This represents the latest IdP test result. Enum: verified pending error |
pendingResult | No description |
pendingOptions | No description |
IDPOptions
objectProperties
realm string | The realm identifier for the IdP. |
scope string | Scope that will be sent along with token requests to the IdP. |
issuer string | This field is only used in Qlik Sense Enterprise Client-Managed IdPs. |
clientId string | The client identifier used as part of authenticating an interactive identity provider. |
clientSecret string | The client secret used as part of authenticating an interactive identity provider. |
discoveryUrl string | The OpenID configuration endpoint. (Ex: https://<domain>/.well-known/openid-configuration). |
claimsMapping | Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from. |
openid_configuration | OpenID configuration |
blockOfflineAccessScope boolean | If true, the |
emailVerifiedAlwaysTrue boolean | Determines if email_verified should be always true. This field is only used in ADFS and AzureAD IdPs. |
IDPPatchSchema
oneOf
No description | |
No description |
IDPPostSchema
oneOf
Payload for creating an OIDC-compatible identity provider. | |
Payload for creating an identity provider using JWT authentication. |
IDPProtocol
stringThe protocol to be used for communicating with the identity provider. Valid values are OIDC, jwtAuth, and qsefw-local-bearer-token.
Enum:
OIDC
jwtAuth
qsefw-local-bearer-token
IDPProvider
stringThe identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external.
Enum:
auth0
okta
qlik
generic
salesforce
keycloak
adfs
external
azureAD
IDPsStatus
objectProperties
idps_metadata | A list of IdP metadata. |
active_interactive_idps_count number | The number of active interactive IdPs. |
Links
objectContains pagination links.
Properties
next object | No description |
prev object | No description |
self object | No description |
OpenIDConfiguration
objectOpenID configuration
Properties
issuer required string | OpenID Provider issuer |
jwks_uri required string | URL of the OP's JSON Web Key Set [JWK] document |
token_endpoint required string | OAuth 2.0 Token Endpoint |
userinfo_endpoint string | URL of the OP's UserInfo Endpoint |
end_session_endpoint string | URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. |
authorization_endpoint required string | OAuth 2.0 Authorization Endpoint |
introspection_endpoint string | The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information. |
PatchJWTAuthPayload
objectA patch request for an identity provider using the jwtAuth protocol.
Properties
op required string | The "operation" to be performed on a given IdP. Enum: replace |
path string | The "path" to the part of the IdP document. Enum: /description |
value | The "value" data type is dependent on the path value being used. |
PatchOIDCPayload
objectA patch request for an identity provider using the OIDC protocol.
Properties
op required string | The "operation" to be performed on a given IdP. Currently supports a custom operation value called "promote-options" that allows the test configuration to be promoted to the current configuration used for login. Enum: replace promote-options |
path string | The "path" to the part of the IdP document. Enum: /active /description /meta /options /options/realm /options/discoveryUrl /options/claimsMapping /pendingOptions /pendingOptions/realm /pendingOptions/discoveryUrl /pendingOptions/clientId /pendingOptions/clientSecret /pendingOptions/emailVerifiedAlwaysTrue /pendingOptions/claimsMapping /postLogoutRedirectUri /clockToleranceSec |
value | The "value" data type is dependent on the path value being used. |
PendingResult
objectProperties
error string | A unique readable error message based on the error that has occurred. |
status required string | The status of the IdP configuration being tested. Enum: success pending error claimsError callbackError tokenError protocolError networkError configChangedDuringTestError |
started string<date-time> | The timestamp for when the test was started for an IdP configuration. This field is only available during lifespan of the test. |
idpClaims PII data object | The claims retrieved from the external IdP. |
oauth2Error | No description |
resultantClaims PII data object | The resultant claims based on the claims received from the external IdP. |
