Endpoints
This endpoint retrieves a single identity provider. It returns 200 OK when the IDP exists and the caller, either a user with the TenantAdmin role or the edge-auth service, is authorized to view its contents. It returns 404 Not Found when either condition is not met.
Path Parameters
id string | The identity-provider ID |
Responses
200 application/json | Success |
401 application/json | Unauthorized |
404 application/json | Not Found |
GET
/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-H "Authorization: Bearer <API-key>"
Response
{
"id": "string",
"tenantIds": [],
"provider": "auth0",
"protocol": "OIDC",
"interactive": true,
"active": true,
"createNewUsersOnLogin": true,
"postLogoutRedirectUri": "string",
"options": {
"realm": "string",
"discoveryUrl": "string",
"clientId": "string",
"clientSecret": "string",
"claimsMapping": {
"sub": [],
"name": [],
"groups": [],
"client_id": [],
"email": [],
"picture": [],
"locale": [],
"zoneinfo": []
},
"scope": "string",
"issuer": "string",
"emailVerifiedAlwaysTrue": true,
"openid_configuration": {
"issuer": "string",
"authorization_endpoint": "string",
"token_endpoint": "string",
"userinfo_endpoint": "string",
"jwks_uri": "string",
"introspection_endpoint": "string",
"end_session_endpoint": "string"
}
},
"pendingOptions": {
"realm": "string",
"discoveryUrl": "string",
"clientId": "string",
"clientSecret": "string",
"claimsMapping": {
"sub": [],
"name": [],
"groups": [],
"client_id": [],
"email": [],
"picture": [],
"locale": [],
"zoneinfo": []
},
"scope": "string",
"issuer": "string",
"emailVerifiedAlwaysTrue": true,
"openid_configuration": {
"issuer": "string",
"authorization_endpoint": "string",
"token_endpoint": "string",
"userinfo_endpoint": "string",
"jwks_uri": "string",
"introspection_endpoint": "string",
"end_session_endpoint": "string"
}
},
"created": "string",
"lastUpdated": "string",
"pendingResult": {
"status": "success",
"started": "2021-02-22T12:34:41.077Z",
"idpClaims": {},
"resultantClaims": {},
"oauth2Error": {
"error": "string",
"errorDescription": "string",
"errorURI": "string"
},
"error": "string"
},
"pendingState": "verified",
"description": "string",
"meta": {},
"clockToleranceSec": 0
}
This endpoint patches an identity provider. It returns 204 No Content when the IDP is patched. Only a tenanted edge-auth request, or a user with the TenantAdmin role and access to the tenant, can patch the associated IDP. A partial failure is treated as a complete failure and returns an error.
Header Parameters
QLIK-IDP-POPTS-MATCH | A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested. |
Path Parameters
id string | The identity-provider ID |
Request Body
application/json | No description |
Responses
204 object | Success |
400 application/json | Bad request. The issue can range from an invalid request body or URL to an invalid state transition. |
401 application/json | Unauthorized |
403 application/json | Access Denied. Only a tenanted edge-auth request or a TenantAdmin user request can patch an IDP. |
404 application/json | Not Found |
412 application/json | Precondition Failed. The QLIK-IDP-POPTS-MATCH header is missing, or its value does not match the hash of the IDP configuration under test. |
500 application/json | Internal server error, the operation failed unexpectedly |
PATCH
/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-X PATCH \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json" \
-d '[{"op":"replace","path":"/active","value":true}]'
Request
[
{
"op": "replace",
"path": "/active",
"value": true
}
]
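The promote-options flow described above is easy to get wrong in automation: a script that promotes pendingOptions without checking the test result, or without the precondition header, either ships an untested login configuration or is rejected with 412. The following is an added example, not Qlik's client code, showing one way to gate the promotion. It assumes an in-memory stand-in for the API (constructed here, not a real server), that promote-options is sent without a path, and that the caller already holds the QLIK-IDP-POPTS-MATCH value for the configuration it tested (the page defines the qlikIdpPopts hash but does not state where it is returned, so its origin is left to the caller).

```python
"""Promote a tested pendingOptions set to the live options, gated on the
latest test result and the QLIK-IDP-POPTS-MATCH precondition header.
Added example, not Qlik's code; see the assumptions in the lead-in."""
from __future__ import annotations
import json


class FakeTransport:
    """Constructed in-memory stand-in for the API (not a real server).
    It holds one pending test result plus the hash of the configuration
    that result belongs to, and enforces the 412 precondition."""

    def __init__(self, popts_hash: str, pending_result: dict | None):
        self.popts_hash = popts_hash          # hash of the config under test (assumed)
        self.pending_result = pending_result  # what GET .../test-result would return
        self.promoted = False

    def request(self, method: str, path: str, headers: dict | None = None,
                body: str | None = None) -> tuple[int, object]:
        headers = headers or {}
        if method == "GET" and path.endswith("/test-result"):
            if self.pending_result is None:
                return 204, None                      # no pending result
            return 200, self.pending_result
        if method == "PATCH":
            if headers.get("QLIK-IDP-POPTS-MATCH") != self.popts_hash:
                return 412, {"errors": [{"code": "PRECONDITION_FAILED",
                                         "title": "hash does not match configuration under test"}]}
            if json.loads(body or "[]") == [{"op": "promote-options"}]:
                self.promoted = True
                return 204, None
            return 400, {"errors": [{"code": "BAD_REQUEST", "title": "unsupported patch"}]}
        return 404, None


def promote_pending_options(transport, idp_id: str, popts_hash: str) -> dict:
    """Refuse to promote unless the latest test of pendingOptions succeeded and
    produced a usable sub claim; then send the patch guarded by the hash."""
    status, result = transport.request("GET", f"/identity-providers/{idp_id}/test-result")
    if status == 204:
        return {"promoted": False, "reason": "no pending test result; test the configuration first"}
    if status != 200 or not isinstance(result, dict):
        return {"promoted": False, "reason": f"unexpected {status} when reading the test result"}
    if result.get("status") != "success":
        detail = result.get("error") or (result.get("oauth2Error") or {}).get("error") or "no detail"
        return {"promoted": False, "reason": f"test ended in {result.get('status')}: {detail}"}
    if "sub" not in (result.get("resultantClaims") or {}):
        # A login config whose mapping yields no subject must never go live.
        return {"promoted": False, "reason": "test passed but resultantClaims has no sub; fix claimsMapping"}
    status, _ = transport.request(
        "PATCH", f"/identity-providers/{idp_id}",
        headers={"QLIK-IDP-POPTS-MATCH": popts_hash, "Content-Type": "application/json"},
        body=json.dumps([{"op": "promote-options"}]),  # no path: promotes pendingOptions (assumed)
    )
    if status == 412:
        return {"promoted": False, "reason": "configuration changed since it was tested; re-run the test"}
    if status != 204:
        return {"promoted": False, "reason": f"patch rejected with {status}"}
    return {"promoted": True, "reason": "pendingOptions promoted to the live options"}


if __name__ == "__main__":
    api = FakeTransport("h1", {"status": "success", "idpClaims": {"sub": "u1"},
                               "resultantClaims": {"sub": "u1"}})
    print(promote_pending_options(api, "idp-1", "h1"))
```

The 412 branch is the one worth keeping in a real script: it means the configuration under test is no longer the one the hash was computed for, and the only safe recovery is to run the test again rather than to retry the promotion with a fresh hash.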
This endpoint deletes an identity provider. It returns 204 No Content when the IDP is deleted. Only a user with the TenantAdmin role and access to the tenant can delete the associated IDP; edge-auth can also delete.
Path Parameters
id string | The identity-provider ID |
Responses
204 object | Success |
400 application/json | Bad request. The tenant's interactive IDP cannot be deleted. |
404 application/json | Not Found |
DELETE
/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-X DELETE \
-H "Authorization: Bearer <API-key>"
This endpoint creates a pending result for an IDP configuration under test. It returns 204 No Content when the pending result is created successfully. Only edge-auth is authorized to create a pendingResult.
Header Parameters
QLIK-IDP-POPTS-MATCH | A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested. |
Path Parameters
id string | The identity-provider ID |
Responses
200 application/json | Success |
204 object | No Content |
400 application/json | Bad Request |
404 application/json | Not Found |
412 application/json | Precondition Failed. The QLIK-IDP-POPTS-MATCH header is missing, or its value does not match the hash of the IDP configuration under test. |
PUT
/identity-providers/{id}/test-result
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}/test-result" \
-X PUT \
-H "Authorization: Bearer <API-key>"
Response
{
"status": "success",
"started": "2021-02-22T12:34:41.077Z",
"idpClaims": {},
"resultantClaims": {},
"oauth2Error": {
"error": "string",
"errorDescription": "string",
"errorURI": "string"
},
"error": "string"
}
This endpoint retrieves the pending result for an IDP. It returns 200 OK when a pending result exists and the caller, either a user with the TenantAdmin role or the edge-auth service, is authorized to view it. It returns 204 No Content when there is no pending result.
Path Parameters
id string | The identity-provider ID |
Responses
200 application/json | Success |
204 object | No Content |
404 application/json | Not Found |
GET
/identity-providers/{id}/test-result
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}/test-result" \
-H "Authorization: Bearer <API-key>"
Response
{
"status": "success",
"started": "2021-02-22T12:34:41.077Z",
"idpClaims": {},
"resultantClaims": {},
"oauth2Error": {
"error": "string",
"errorDescription": "string",
"errorURI": "string"
},
"error": "string"
}
This endpoint retrieves one or more identity providers belonging to a tenant. The tenantID in the caller's JWT is used to select the identity providers.
Query Parameters
limit optional, default=20, minimum=1, maximum=100 number | The number of IDP entries to retrieve per page. |
next optional string | The next page cursor. |
prev optional string | The previous page cursor. |
Responses
200 application/json | Success |
404 application/json | Not Found |
GET
/identity-providers
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
-H "Authorization: Bearer <API-key>"
Response
{
"data": [
{
"id": "string",
"tenantIds": [],
"provider": "auth0",
"protocol": "OIDC",
"interactive": true,
"active": true,
"createNewUsersOnLogin": true,
"postLogoutRedirectUri": "string",
"options": {
"realm": "string",
"discoveryUrl": "string",
"clientId": "string",
"clientSecret": "string",
"claimsMapping": {
"sub": [],
"name": [],
"groups": [],
"client_id": [],
"email": [],
"picture": [],
"locale": [],
"zoneinfo": []
},
"scope": "string",
"issuer": "string",
"emailVerifiedAlwaysTrue": true,
"openid_configuration": {
"issuer": "string",
"authorization_endpoint": "string",
"token_endpoint": "string",
"userinfo_endpoint": "string",
"jwks_uri": "string",
"introspection_endpoint": "string",
"end_session_endpoint": "string"
}
},
"pendingOptions": {
"realm": "string",
"discoveryUrl": "string",
"clientId": "string",
"clientSecret": "string",
"claimsMapping": {
"sub": [],
"name": [],
"groups": [],
"client_id": [],
"email": [],
"picture": [],
"locale": [],
"zoneinfo": []
},
"scope": "string",
"issuer": "string",
"emailVerifiedAlwaysTrue": true,
"openid_configuration": {
"issuer": "string",
"authorization_endpoint": "string",
"token_endpoint": "string",
"userinfo_endpoint": "string",
"jwks_uri": "string",
"introspection_endpoint": "string",
"end_session_endpoint": "string"
}
},
"created": "string",
"lastUpdated": "string",
"pendingResult": {
"status": "success",
"started": "2021-02-22T12:34:41.077Z",
"idpClaims": {},
"resultantClaims": {},
"oauth2Error": {
"error": "string",
"errorDescription": "string",
"errorURI": "string"
},
"error": "string"
},
"pendingState": "verified",
"description": "string",
"meta": {},
"clockToleranceSec": 0
}
],
"links": {
"self": {
"href": "string"
},
"next": {
"href": "string"
},
"prev": {
"href": "string"
}
}
}
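A tenant can accumulate several IDP documents, and the listing above is where a security review of them starts. The following is an added example, not Qlik's code, that walks the paginated listing through the links.next cursor and flags settings a reviewer would question. It assumes a fetch callable standing in for an authenticated HTTP GET that returns the parsed JSON of a page (the two pages below are constructed sample data, not real tenants), and the audit rules are the reviewer's own thresholds, not rules the service enforces.

```python
"""Walk GET /identity-providers page by page and flag review-worthy settings.
Added example, not Qlik's code; the fetch callable and the sample pages are
constructed stand-ins for an authenticated client and a real tenant."""
from __future__ import annotations
from typing import Callable, Iterator
from urllib.parse import urlparse


def iter_idps(fetch: Callable[[str], dict], base: str, limit: int = 100) -> Iterator[dict]:
    """Yield every IDP document, following links.next.href until it is absent."""
    url = f"{base}/identity-providers?limit={limit}"
    seen: set[str] = set()
    while url:
        if url in seen:  # a server that never advances the cursor must not loop us forever
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        page = fetch(url)
        yield from page.get("data") or []
        url = ((page.get("links") or {}).get("next") or {}).get("href")


def audit_idp(idp: dict) -> list[str]:
    """Return findings for one IDP document (thresholds are the reviewer's, assumed)."""
    findings: list[str] = []
    opts = idp.get("options") or {}
    live_login = bool(idp.get("active")) and bool(idp.get("interactive"))
    if live_login and opts.get("emailVerifiedAlwaysTrue"):
        findings.append("emailVerifiedAlwaysTrue: unverified e-mail addresses are trusted")
    if live_login and idp.get("createNewUsersOnLogin", True):  # schema default is true
        findings.append("createNewUsersOnLogin: every IDP-authenticated user gets an account")
    if (idp.get("clockToleranceSec") or 0) > 300:
        findings.append(f"clockToleranceSec={idp['clockToleranceSec']}: wide skew window for token expiry")
    disc = opts.get("discoveryUrl") or ""
    if disc and urlparse(disc).scheme != "https":
        findings.append(f"discoveryUrl {disc!r} is not https")
    if idp.get("active") and idp.get("pendingState") == "error":
        findings.append("pendingOptions failed its last test; do not promote")
    return findings


def audit_tenant(fetch: Callable[[str], dict], base: str) -> dict[str, list[str]]:
    """Map IDP id -> findings, omitting IDPs with nothing to report."""
    return {idp["id"]: f for idp in iter_idps(fetch, base) if (f := audit_idp(idp))}


# Constructed sample pages, shaped like the listing response on this page.
BASE = "https://your-tenant.us.qlikcloud.com/api/v1"
PAGES = {
    f"{BASE}/identity-providers?limit=100": {
        "data": [
            {"id": "idp-a", "provider": "auth0", "protocol": "OIDC", "interactive": True,
             "active": True, "createNewUsersOnLogin": False, "clockToleranceSec": 5,
             "pendingState": "verified",
             "options": {"discoveryUrl": "https://tenant.auth0.example/.well-known/openid-configuration",
                         "emailVerifiedAlwaysTrue": False}},
        ],
        "links": {"self": {"href": f"{BASE}/identity-providers?limit=100"},
                  "next": {"href": f"{BASE}/identity-providers?limit=100&next=c2"}},
    },
    f"{BASE}/identity-providers?limit=100&next=c2": {
        "data": [
            {"id": "idp-b", "provider": "adfs", "protocol": "OIDC", "interactive": True,
             "active": True, "createNewUsersOnLogin": True, "clockToleranceSec": 3600,
             "pendingState": "error",
             "options": {"discoveryUrl": "http://adfs.corp.example/adfs/.well-known/openid-configuration",
                         "emailVerifiedAlwaysTrue": True}},
        ],
        "links": {"self": {"href": f"{BASE}/identity-providers?limit=100&next=c2"}},
    },
}


def fake_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET; a real client would send the Bearer header."""
    return PAGES[url]


if __name__ == "__main__":
    for idp_id, findings in audit_tenant(fake_fetch, BASE).items():
        print(idp_id, *findings, sep="\n  ")
```

Note that the listing response schema on this page includes clientSecret, so whatever API key runs this walk can read IDP client secrets; treat both the key and the saved output accordingly.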
This endpoint creates an identity-provider resource. It returns 201 Created on success, and 403 Forbidden when the caller's JWT is not a TenantAdmin user or when the tenantID in the JWT does not match any of the tenantIDs in the payload. An IDP is created with pendingOptions or options depending on whether the IDP is interactive.
Request Body
application/json | No description |
Responses
201 application/json | Created |
400 application/json | Bad Request |
403 application/json | Forbidden |
POST
/identity-providers
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
-X POST \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json" \
-d '{"tenantIds":[],"provider":"auth0","protocol":"OIDC","interactive":true,"createNewUsersOnLogin":true,"postLogoutRedirectUri":"string","options":{"realm":"string","discoveryUrl":"string","audience":"string","claimsMapping":{"sub":[],"client_id":[]},"openid_configuration":{"issuer":"string","authorization_endpoint":"string","token_endpoint":"string","userinfo_endpoint":"string","jwks_uri":"string","introspection_endpoint":"string","end_session_endpoint":"string"},"allowedClientIds":[]},"pendingOptions":{"realm":"string","scope":"string","discoveryUrl":"string","clientId":"string","clientSecret":"string","emailVerifiedAlwaysTrue":true,"claimsMapping":{"sub":[],"name":[],"groups":[],"client_id":[],"email":[],"picture":[],"locale":[],"zoneinfo":[]},"openid_configuration":{"issuer":"string","authorization_endpoint":"string","token_endpoint":"string","userinfo_endpoint":"string","jwks_uri":"string","introspection_endpoint":"string","end_session_endpoint":"string"}},"description":"string","clockToleranceSec":5,"meta":{},"useClaimsFromIdToken":true}'
Request
{
"tenantIds": [],
"provider": "auth0",
"protocol": "OIDC",
"interactive": true,
"createNewUsersOnLogin": true,
"postLogoutRedirectUri": "string",
"options": {
"realm": "string",
"discoveryUrl": "string",
"audience": "string",
"claimsMapping": {
"sub": [],
"client_id": []
},
"openid_configuration": {
"issuer": "string",
"authorization_endpoint": "string",
"token_endpoint": "string",
"userinfo_endpoint": "string",
"jwks_uri": "string",
"introspection_endpoint": "string",
"end_session_endpoint": "string"
},
"allowedClientIds": []
},
"pendingOptions": {
"realm": "string",
"scope": "string",
"discoveryUrl": "string",
"clientId": "string",
"clientSecret": "string",
"emailVerifiedAlwaysTrue": true,
"claimsMapping": {
"sub": [],
"name": [],
"groups": [],
"client_id": [],
"email": [],
"picture": [],
"locale": [],
"zoneinfo": []
},
"openid_configuration": {
"issuer": "string",
"authorization_endpoint": "string",
"token_endpoint": "string",
"userinfo_endpoint": "string",
"jwks_uri": "string",
"introspection_endpoint": "string",
"end_session_endpoint": "string"
}
},
"description": "string",
"clockToleranceSec": 5,
"meta": {},
"useClaimsFromIdToken": true
}
Response
{
"id": "string",
"tenantIds": [],
"provider": "auth0",
"protocol": "OIDC",
"interactive": true,
"active": true,
"createNewUsersOnLogin": true,
"postLogoutRedirectUri": "string",
"options": {
"realm": "string",
"discoveryUrl": "string",
"clientId": "string",
"clientSecret": "string",
"claimsMapping": {
"sub": [],
"name": [],
"groups": [],
"client_id": [],
"email": [],
"picture": [],
"locale": [],
"zoneinfo": []
},
"scope": "string",
"issuer": "string",
"emailVerifiedAlwaysTrue": true,
"openid_configuration": {
"issuer": "string",
"authorization_endpoint": "string",
"token_endpoint": "string",
"userinfo_endpoint": "string",
"jwks_uri": "string",
"introspection_endpoint": "string",
"end_session_endpoint": "string"
}
},
"pendingOptions": {
"realm": "string",
"discoveryUrl": "string",
"clientId": "string",
"clientSecret": "string",
"claimsMapping": {
"sub": [],
"name": [],
"groups": [],
"client_id": [],
"email": [],
"picture": [],
"locale": [],
"zoneinfo": []
},
"scope": "string",
"issuer": "string",
"emailVerifiedAlwaysTrue": true,
"openid_configuration": {
"issuer": "string",
"authorization_endpoint": "string",
"token_endpoint": "string",
"userinfo_endpoint": "string",
"jwks_uri": "string",
"introspection_endpoint": "string",
"end_session_endpoint": "string"
}
},
"created": "string",
"lastUpdated": "string",
"pendingResult": {
"status": "success",
"started": "2021-02-22T12:34:41.077Z",
"idpClaims": {},
"resultantClaims": {},
"oauth2Error": {
"error": "string",
"errorDescription": "string",
"errorURI": "string"
},
"error": "string"
},
"pendingState": "verified",
"description": "string",
"meta": {},
"clockToleranceSec": 0
}
This endpoint retrieves identity provider metadata.
Responses
200 application/json object | Success |
GET
/identity-providers/.well-known/metadata.json
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/.well-known/metadata.json" \
-H "Authorization: Bearer <API-key>"
Response
{}
This endpoint retrieves IDP metadata.
Responses
200 application/json object | Success |
403 application/json | Forbidden |
404 application/json | Not Found |
500 application/json | Internal server error |
GET
/identity-providers/me/meta
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/me/meta" \
-H "Authorization: Bearer <API-key>"
Response
{}
This endpoint retrieves the status of the IDP configurations.
Responses
200 application/json | Success |
403 application/json | Forbidden |
404 application/json | Not Found |
500 application/json | Internal Server Error |
GET
/identity-providers/status
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/status" \
-H "Authorization: Bearer <API-key>"
Response
{
"active_interactive_idps_count": 0,
"idps_metadata": []
}
qlikIdpPopts
string
A unique string representing a hash of the current configuration being tested.
qlikIdpPoptsMatch
string
A unique string representing a hash that should map to an IDP's hash representation of the current configuration being tested.
claimsMappingInteractive
object
Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.
Properties
sub Array<string> | A list of jsonpointers used to map the user's subject. |
name Array<string> | A list of jsonpointers used to map the user's name. |
groups Array<string> | A list of jsonpointers used to map the user's groups. |
client_id Array<string> | A list of jsonpointers used to map the user's client id. |
email Array<string> | A list of jsonpointers used to map the user's email. |
picture Array<string> | A list of jsonpointers used to map the user's picture. |
locale Array<string> | A list of jsonpointers used to map the user's locale. |
zoneinfo Array<string> | A list of jsonpointers used to map the user's zoneinfo. |
Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from.
Properties
sub Array<string> | A list of jsonpointers used to map the user's subject. |
client_id Array<string> | A list of jsonpointers used to map the user's client id. |
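The claimsMapping objects above are lists of JSON Pointers (RFC 6901) per target claim, and the resultantClaims in a PendingResult are what those pointers produce from idpClaims. The following is an added example, not Qlik's code, that resolves such a mapping the way the description reads and checks the outcome before a configuration is promoted. It assumes that the pointers for one claim are tried in order and the first non-empty hit wins (the page does not state the fallback rule), and the IDP claims are constructed sample data.

```python
"""Resolve a claimsMapping (claim name -> list of JSON Pointers) against the
raw claims an IDP returned, producing the resultantClaims a tenant admin
would inspect. Added example, not Qlik's code; first-hit-wins is assumed."""
from __future__ import annotations
from typing import Any


def resolve_pointer(doc: Any, pointer: str) -> Any:
    """RFC 6901 JSON Pointer lookup; returns None when the path does not exist."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON pointer: {pointer!r}")
    node = doc
    for raw in pointer[1:].split("/"):
        # Unescape ~1 before ~0, as RFC 6901 requires, so "~01" becomes "~1".
        token = raw.replace("~1", "/").replace("~0", "~")
        if isinstance(node, dict):
            if token not in node:
                return None
            node = node[token]
        elif isinstance(node, list):
            if not token.isdigit() or int(token) >= len(node):
                return None
            node = node[int(token)]
        else:
            return None
    return node


def map_claims(idp_claims: dict, claims_mapping: dict[str, list[str]]) -> dict:
    """Build resultantClaims: for each target claim, the first pointer that
    resolves to a non-empty value wins (assumed fallback semantics)."""
    result: dict[str, Any] = {}
    for target, pointers in claims_mapping.items():
        for ptr in pointers:
            value = resolve_pointer(idp_claims, ptr)
            if value not in (None, "", [], {}):
                result[target] = value
                break
    return result


REQUIRED = ("sub",)  # a login without a subject cannot identify the user


def check_mapping(resultant: dict) -> list[str]:
    """Problems a tenant admin should resolve before promoting the configuration."""
    problems = [f"missing required claim {c!r}" for c in REQUIRED if c not in resultant]
    groups = resultant.get("groups")
    if groups is not None and not isinstance(groups, list):
        problems.append("groups did not resolve to a list; check the pointer")
    return problems


# Constructed sample claims, shaped like an OIDC userinfo/ID-token payload with
# a namespaced custom claim; not data from any real IDP.
SAMPLE_IDP_CLAIMS = {
    "sub": "auth0|5f1e",
    "email": "ada@example.test",
    "https://example.test/claims": {"roles": ["analyst", "admin"]},
    "name": "Ada",
}
SAMPLE_MAPPING = {
    "sub": ["/sub"],
    "name": ["/preferred_username", "/name"],            # second pointer is the fallback
    "groups": ["/groups", "/https:~1~1example.test~1claims/roles"],  # '/' escaped as ~1
    "email": ["/email"],
}

if __name__ == "__main__":
    out = map_claims(SAMPLE_IDP_CLAIMS, SAMPLE_MAPPING)
    print(out)
    print(check_mapping(out) or "mapping ok")
```

The escaped pointer for the namespaced claim is the case that trips people up: a claim name containing "/" must be written with ~1, and a resolver that splits on "/" before unescaping silently returns nothing, which shows up in a test as a claimsError rather than a clear message.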
OpenIDConfiguration
object
OpenID configuration
Properties
issuer string | OpenID Provider issuer |
authorization_endpoint string | OAuth 2.0 Authorization Endpoint |
token_endpoint string | OAuth 2.0 Token Endpoint |
userinfo_endpoint optional string | URL of the OP's UserInfo Endpoint |
jwks_uri string | URL of the OP's JSON Web Key Set [JWK] document |
introspection_endpoint optional string | The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information. |
end_session_endpoint optional string | URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. |
IDPPostSchema
object
Properties
tenantIds Array<string> | The tenant identifiers that map to the given IDP |
provider string | The identity provider to be used. Enum: auth0 okta qlik generic salesforce keycloak adfs |
protocol string | The protocol to be used for communicating with the identity provider. Enum: OIDC qsefw-local-bearer-token |
interactive default=false boolean | Indicates whether the IDP is used for interactive login or for machine-to-machine (M2M) access. |
createNewUsersOnLogin optional, default=true boolean | Tells the consumer of the IDP that new users should be created on login if they don't exist |
postLogoutRedirectUri optional string | Direct the user on logout to a specific URI |
options | No description |
pendingOptions | No description |
description optional string | No description |
clockToleranceSec optional, default=5, minimum=0, maximum=7200 number | There can be clock skew between the IDP and edge-auth; a tolerance can be set for these cases. Decimals are rounded off. |
meta optional object | The identity provider metadata |
useClaimsFromIdToken optional boolean | This flag instructs edge-auth to use the ID token for claims, instead of the userinfo response. |
IDPPatchSchema
Array<Patch>
Properties
op string | The "operation" to be performed on a given IDP. Currently supports a custom operation value called "promote-options" that allows the test configuration to be promoted to the current configuration used for login. Enum: replace promote-options |
path optional string | The "path" to the part of the IDP document. Enum: /active /description /meta /options /options/realm /options/discoveryUrl /options/clientId /options/clientSecret /pendingOptions /pendingOptions/realm /pendingOptions/discoveryUrl /pendingOptions/clientId /pendingOptions/clientSecret /pendingOptions/emailVerifiedAlwaysTrue /postLogoutRedirectUri /clockToleranceSec |
value optional | The "value" data type is dependent on the path value being used. |
Patch
object
Properties
op string | The "operation" to be performed on a given IDP. Currently supports a custom operation value called "promote-options" that allows the test configuration to be promoted to the current configuration used for login. Enum: replace promote-options |
path optional string | The "path" to the part of the IDP document. Enum: /active /description /meta /options /options/realm /options/discoveryUrl /options/clientId /options/clientSecret /pendingOptions /pendingOptions/realm /pendingOptions/discoveryUrl /pendingOptions/clientId /pendingOptions/clientSecret /pendingOptions/emailVerifiedAlwaysTrue /postLogoutRedirectUri /clockToleranceSec |
value optional | The "value" data type is dependent on the path value being used. |
IDPArray
object
Properties
data | An array of IDPs. |
links | Contains pagination links |
Links
object
Contains pagination links
Properties
self object | No description |
next object | No description |
prev object | No description |
IDP
object
Properties
id string | The unique identifier for the IDP |
tenantIds Array<string> | The tenant identifiers associated with the given IDP |
provider string | The identity provider name Enum: auth0 okta |
protocol string | The protocol used for connecting to the identity provider Enum: OIDC qsefw-local-bearer-token |
interactive boolean | Indicates the type of connection with the IDP, either interactive login or a machine to machine connection. |
active boolean | Indicates whether the IDP is available for use. |
createNewUsersOnLogin boolean | When the flag is true, new users should be created when logging in for the first time. |
postLogoutRedirectUri string | Direct the user on logout to a specific URI |
options | No description |
pendingOptions | No description |
created string | The timestamp for when the IDP was created. |
lastUpdated string | The timestamp for when the IDP was last updated. |
pendingResult | No description |
pendingState string | The state of pendingOptions. This represents the latest idp test result. Enum: verified pending error |
description string | No description |
meta object | No description |
clockToleranceSec number | No description |
IDPOptions
object
Properties
realm string | The realm identifier for the IDP. |
discoveryUrl string | The OpenID configuration endpoint. (Ex: https://<domain>/.well-known/openid-configuration) |
clientId string | The client identifier used as part of authenticating an interactive identity provider |
clientSecret string | The client secret used as part of authenticating an interactive identity provider |
claimsMapping | Mappings from claim name to an array of jsonpointers which point to locations in the claims from the IDP to retrieve the value from. |
scope string | Scope which will be sent along with token requests to the IDP |
issuer string | The issuer. This field is only used in QSEfW IDPs. |
emailVerifiedAlwaysTrue boolean | Determines whether email_verified should always be treated as true. This field is only used in ADFS and AzureAD IDPs. |
openid_configuration | OpenID configuration |
IDPsStatus
object
Properties
active_interactive_idps_count number | The number of active interactive IDPs. |
idps_metadata Array<object> | A list of IDP metadata |
PendingResult
object
Properties
status string | The status of the IDP configuration being tested. Enum: success pending error claimsError callbackError tokenError protocolError networkError configChangedDuringTestError |
started optional string<date-time> | The timestamp for when the test was started for an IDP configuration. This field is only available during the lifespan of the test. |
idpClaims optional object | The claims retrieved from the external IDP. |
resultantClaims optional object | The resultant claims based on the claims received from the external IDP. |
oauth2Error | No description |
error optional string | A unique readable error message based on the error that has occurred. |
Errors
object
A representation of the errors encountered from the HTTP request.
Properties
errors | No description |
Error
object
An error object.
Properties
code string | The error code. |
title string | Summary of the problem. |
status optional number | The HTTP status code. |
detail optional string | A human-readable explanation specific to this occurrence of the problem. |
meta optional object | Additional properties relating to the error. |
source optional | References to the source of the error. |