Endpoints
GET | /v1/identity-providers |
POST | /v1/identity-providers |
GET | /v1/identity-providers/.well-known/metadata.json |
GET | /v1/identity-providers/{id} |
PATCH | /v1/identity-providers/{id} |
DELETE | /v1/identity-providers/{id} |
GET | /v1/identity-providers/me/meta |
GET | /v1/identity-providers/status |
Retrieves one or more IdPs for a specified tenantId.
This endpoint retrieves one or more identity providers from the service. The tenantID in the JWT will be used to fetch the identity provider.
Facts GET /v1/identity-providers
Rate limit | Tier 1 (1000 requests per minute) |
Query Parameters GET /v1/identity-providers
active optional boolean | If provided, filters the results by the active field. |
limit optional, default=20, minimum=1, maximum=100 number | The number of IdP entries to retrieve. |
next optional string | The next page cursor. |
prev optional string | The previous page cursor. |
Responses GET /v1/identity-providers
200 optional, application/json | Success |
404 optional, application/json | Not Found |
GET /v1/identity-providers
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
-H "Authorization: Bearer <API-key>"
Response GET /v1/identity-providers
{
"data": [],
"links": {
"next": {
"href": "string"
},
"prev": {
"href": "string"
},
"self": {
"href": "string"
}
}
}
Creates a new IdP
This endpoint creates an identity provider resource. It returns a 201 Created when creation is successful, together with a "QLIK-IDP-POPTS" header (a unique string representing a hash of the current configuration being tested). It returns a 403 Forbidden for a non-TenantAdmin user JWT, or if the tenantID in the JWT does not match any of the tenantIDs in the payload. An IdP can be created with pendingOptions or options, depending on whether the IdP is interactive or not.
Facts POST /v1/identity-providers
Rate limit | Tier 2 (100 requests per minute) |
Request Body POST /v1/identity-providers
optional, application/json | Attributes that the user wants to set for a new identity provider resource. |
Responses POST /v1/identity-providers
201 optional, application/json | Created |
400 optional, application/json | Bad Request |
403 optional, application/json | Forbidden |
POST /v1/identity-providers
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
-X POST \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json"
Returns identity providers' metadata
This endpoint retrieves identity providers' metadata.
Facts GET /v1/identity-providers/.well-known/metadata.json
Rate limit | Tier 1 (1000 requests per minute) |
Responses GET /v1/identity-providers/.well-known/metadata.json
200 optional, application/json object | Success |
GET /v1/identity-providers/.well-known/metadata.json
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/.well-known/metadata.json" \
-H "Authorization: Bearer <API-key>"
Response GET /v1/identity-providers/.well-known/metadata.json
{
"undefined": {}
}
Returns the IdP with the specified ID
This endpoint is used to retrieve an identity provider from the service. It returns a 200 OK response when the IdP exists and the user (TenantAdmin) or service (edge-auth) is authorized to view the contents. Additionally, it returns a "QLIK-IDP-POPTS" header (a unique string representing a hash of the current configuration being tested). It returns a 404 Not Found if these criteria are not met.
Facts GET /v1/identity-providers/{id}
Rate limit | Tier 1 (1000 requests per minute) |
Path Parameters GET /v1/identity-providers/{id}
id string | The identity provider ID. |
Responses GET /v1/identity-providers/{id}
200 optional, application/json | Success |
401 optional, application/json | Unauthorized |
404 optional, application/json | Not Found |
GET /v1/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-H "Authorization: Bearer <API-key>"
Updates the IdP with the specified ID
This endpoint patches an identity provider from the service. It returns a valid 204 when the IdP is patched. Only an edge-auth service request or a user with the role of TenantAdmin can patch an associated IdP. Partial failure is treated as complete failure and returns an error.
Facts PATCH /v1/identity-providers/{id}
Rate limit | Tier 2 (100 requests per minute) |
Header Parameters PATCH /v1/identity-providers/{id}
QLIK-IDP-POPTS-MATCH optional | A unique string representing a hash that should map to an IdP's hash representation of the current configuration being tested. |
Path Parameters PATCH /v1/identity-providers/{id}
id string | The identity provider ID. |
Request Body PATCH /v1/identity-providers/{id}
optional, application/json | Attributes that the user wants to partially update for an identity provider resource. |
Responses PATCH /v1/identity-providers/{id}
204 optional object | Success |
400 optional, application/json | Bad request. Invalid request body, URL, or state transition. |
401 optional, application/json | Unauthorized |
403 optional, application/json | Access Denied. Only the edge-auth service or TenantAdmin user request can patch an IdP. |
404 optional, application/json | Not Found |
412 optional, application/json | Precondition Failed. Missing QLIK-IDP-POPTS-MATCH header, or its value doesn't match the IdP's test configuration hash. |
500 optional, application/json | Internal server error, the operation failed unexpectedly |
PATCH /v1/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-X PATCH \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json"
Deletes the IdP with the specified ID
This endpoint deletes an identity provider from the service. It returns a 204 when the IdP is deleted. Only a user with the TenantAdmin role and access to the tenant can delete an associated IdP. The edge-auth service can also delete an IdP.
Facts DELETE /v1/identity-providers/{id}
Rate limit | Tier 2 (100 requests per minute) |
Path Parameters DELETE /v1/identity-providers/{id}
id string | The identity provider ID. |
Responses DELETE /v1/identity-providers/{id}
204 optional object | Success |
400 optional, application/json | Bad request. The interactive IdP for the tenant can't be deleted. |
404 optional, application/json | Not Found |
DELETE /v1/identity-providers/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
-X DELETE \
-H "Authorization: Bearer <API-key>"
Returns the active interactive IdP metadata
This endpoint retrieves IdP metadata.
Facts GET /v1/identity-providers/me/meta
Rate limit | Tier 1 (1000 requests per minute) |
Responses GET /v1/identity-providers/me/meta
200 optional, application/json | Success |
403 optional, application/json | Forbidden |
404 optional, application/json | Not Found |
500 optional, application/json | Internal server error |
GET /v1/identity-providers/me/meta
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/me/meta" \
-H "Authorization: Bearer <API-key>"
Response GET /v1/identity-providers/me/meta
{
"userPortalLink": "string",
"upgradeSubscriptionLink": "string"
}
Returns the current status of IdP configurations
This endpoint retrieves the status of IdP configurations. Requires TenantAdmin role.
Facts GET /v1/identity-providers/status
Rate limit | Tier 1 (1000 requests per minute) |
Responses GET /v1/identity-providers/status
200 optional, application/json | Success |
403 optional, application/json | Forbidden |
404 optional, application/json | Not Found |
500 optional, application/json | Internal Server Error |
GET /v1/identity-providers/status
curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/status" \
-H "Authorization: Bearer <API-key>"
Response GET /v1/identity-providers/status
{
"idps_metadata": [
{
"active": true,
"provider": "auth0",
"interactive": true
}
],
"active_interactive_idps_count": 0
}
qlikIdpPopts
string | A unique string representing a hash of the current configuration being tested. |
qlikIdpPoptsMatch
string | A unique string representing a hash that should map to an IdP's hash representation of the current configuration being tested. |
BaseIDP
object
Properties
id optional string | The unique identifier for the IdP. |
meta optional object | No description |
active optional boolean | Indicates whether the IdP is available for use. |
created optional string<date-time> | The timestamp for when the IdP was created. |
protocol optional | The protocol to be used for communicating with the identity provider. Valid values are OIDC, jwtAuth, and qsefw-local-bearer-token. Enum: OIDC jwtAuth qsefw-local-bearer-token |
provider optional | The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external. Enum: auth0 okta qlik generic salesforce keycloak adfs external azureAD |
tenantIds optional Array<string> | The tenant identifiers associated with the given IdP. |
description optional string | No description |
interactive optional boolean | Indicates the type of connection with the IdP, either interactive login or a machine to machine connection. |
lastUpdated optional string<date-time> | The timestamp for when the IdP was last updated. |
clockToleranceSec optional number | No description |
createNewUsersOnLogin optional boolean | When the flag is true, new users should be created when logging in for the first time. |
postLogoutRedirectUri optional string | Direct the user on logout to a specific URI. |
claimsMappingInteractive
object | Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from. |
Properties
sub optional Array<string> | A list of JSON pointers used to map the user's subject. |
name optional Array<string> | A list of JSON pointers used to map the user's name. |
email optional Array<string> | A list of JSON pointers used to map the user's email. |
groups optional Array<string> | A list of JSON pointers used to map the user's groups. |
locale optional Array<string> | A list of JSON pointers used to map the user's locale. |
picture optional Array<string> | A list of JSON pointers used to map the user's picture. |
zoneinfo optional Array<string> | A list of JSON pointers used to map the user's zoneinfo. |
client_id optional Array<string> | A list of JSON pointers used to map the user's client ID. |
email_verified optional Array<string> | A list of JSON pointers used to map the user's email_verified claim. |
claimsMappingNonInteractive
object | Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from. |
Properties
sub optional Array<string> | A list of JSON pointers used to map the user's subject. |
client_id optional Array<string> | A list of JSON pointers used to map the user's client ID. |
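How a claimsMapping (claim name to a list of JSON pointers) is applied to the claims an IdP returns, covering both claimsMappingInteractive and claimsMappingNonInteractive above. This is an added example, not Qlik's implementation; the first-pointer-that-resolves order, the empty-value fallback, the sample claims and the sample mapping are assumptions.

```python
"""Apply a Qlik-style claimsMapping to IdP claims using RFC 6901 JSON pointers.
Added example, not Qlik's code; resolution order (first pointer that resolves
to a non-empty value wins) is an assumption."""
import re
from typing import Any

# Constructed sample: claims as they might arrive from an OIDC IdP. The
# namespaced groups claim shows why pointer escaping (~1 for '/') matters.
IDP_CLAIMS = {
    "sub": "auth0|5f1d",
    "email": "ada@example.com",
    "email_verified": True,
    "https://example.com/groups": ["analysts", "admins"],
    "profile": {"given_name": "Ada", "locale": "en-GB"},
    "name": "",
}

# Constructed claimsMappingInteractive: later pointers act as fallbacks.
CLAIMS_MAPPING = {
    "sub": ["/sub"],
    "name": ["/name", "/profile/given_name"],
    "email": ["/email"],
    "groups": ["/groups", "/https:~1~1example.com~1groups"],
    "locale": ["/profile/locale"],
    "email_verified": ["/email_verified"],
}


def resolve_pointer(doc: Any, pointer: str) -> Any:
    """RFC 6901 lookup; raises KeyError when the pointer does not resolve."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise KeyError(f"pointer must start with '/': {pointer!r}")
    node = doc
    for raw in pointer[1:].split("/"):
        token = raw.replace("~1", "/").replace("~0", "~")  # unescape in this order
        if isinstance(node, dict):
            if token not in node:
                raise KeyError(pointer)
            node = node[token]
        elif isinstance(node, list) and re.fullmatch(r"0|[1-9][0-9]*", token):
            idx = int(token)
            if idx >= len(node):
                raise KeyError(pointer)
            node = node[idx]
        else:
            raise KeyError(pointer)
    return node


def map_claims(claims: dict, mapping: dict) -> dict:
    """Build the resultant claims: for each mapped name take the first pointer
    that resolves to a non-empty value; names with no usable pointer are omitted."""
    out = {}
    for name, pointers in mapping.items():
        for ptr in pointers:
            try:
                value = resolve_pointer(claims, ptr)
            except KeyError:
                continue
            if value in ("", None, []):
                continue  # treat empty as absent so a fallback pointer can apply
            out[name] = value
            break
    return out


if __name__ == "__main__":
    print(map_claims(IDP_CLAIMS, CLAIMS_MAPPING))
```

A mapping that yields no value for sub should be treated as a failed login by the consumer; the function above leaves that decision to the caller by simply omitting the key.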
CreateJWTAuthPayload
object | Payload for creating an identity provider using JWT authentication. |
Properties
options optional | Required IdP configurations. |
protocol string | The protocol to be used for communicating with the identity provider. Enum: jwtAuth |
provider string | The identity provider to be used. Enum: external |
tenantIds optional Array<string> | The tenant identifiers that map to the given IdP. |
description optional string | No description |
clockToleranceSec optional, default=5, minimum=0, maximum=7200 number | There can be clock skew between the IdP and Qlik's login server; in these cases a tolerance can be set. Decimal values are rounded off. |
CreateOIDCPayload
object | Payload for creating an OIDC-compatible identity provider. |
Properties
options optional | Required OIDC configurations for non-interactive IdPs and interactive IdPs with |
protocol string | The protocol to be used for communicating with the identity provider. Enum: OIDC |
provider string | The identity provider to be used. Enum: auth0 okta generic salesforce keycloak adfs azureAD |
tenantIds optional Array<string> | The tenant identifiers that map to the given IdP. |
skipVerify optional, default=false boolean | If set to |
description optional string | No description |
interactive default=false boolean | Indicates whether the IdP is meant for interactive login. |
pendingOptions optional | Required OIDC configurations for interactive IdPs that require verification. |
clockToleranceSec optional, default=5, minimum=0, maximum=7200 number | There can be clock skew between the IdP and Qlik's login server; in these cases a tolerance can be set. Decimal values are rounded off. |
createNewUsersOnLogin optional, default=true boolean | Tells the consumer of the IdP that new users should be created on login if they don't exist. |
postLogoutRedirectUri optional string | Direct the user on logout to a specific URI. |
Error
object | An error object. |
Properties
code string | The error code. |
meta optional object | Additional properties relating to the error. |
title string | Summary of the problem. |
detail optional string | A human-readable explanation specific to this occurrence of the problem. |
source optional | References to the source of the error. |
status optional number | The HTTP status code. |
Errors
object | A representation of the errors encountered from the HTTP request. |
Properties
errors optional | No description |
IDP
oneOf
optional | An OIDC-compliant identity provider. |
optional | An identity provider for JWT authentication. |
IDPArray
object
Properties
data optional Array<IDP> | An array of IdPs. |
links optional | Contains pagination links. |
IDPJWTAuth
An identity provider for JWT authentication.
Properties
id optional string | The unique identifier for the IdP. |
meta optional object | No description |
active optional boolean | Indicates whether the IdP is available for use. |
created optional string<date-time> | The timestamp for when the IdP was created. |
protocol optional | The protocol to be used for communicating with the identity provider. Valid values are OIDC, jwtAuth, and qsefw-local-bearer-token. Enum: OIDC jwtAuth qsefw-local-bearer-token |
provider optional | The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external. Enum: auth0 okta qlik generic salesforce keycloak adfs external azureAD |
tenantIds optional Array<string> | The tenant identifiers associated with the given IdP. |
description optional string | No description |
interactive optional boolean | Indicates the type of connection with the IdP, either interactive login or a machine to machine connection. |
lastUpdated optional string<date-time> | The timestamp for when the IdP was last updated. |
clockToleranceSec optional number | No description |
createNewUsersOnLogin optional boolean | When the flag is true, new users should be created when logging in for the first time. |
postLogoutRedirectUri optional string | Direct the user on logout to a specific URI. |
options optional | No description |
IDPMeta
object
Properties
userPortalLink optional string | A link to direct you to where you can manage your Qlik account. Only available if the default identity provider is used (no custom interactive identity providers are active). |
upgradeSubscriptionLink optional string | A link to direct you to where you can upgrade your trial or manage your subscriptions. Only available if the default identity provider is used (no custom interactive identity providers are active). |
IDPOIDC
An OIDC-compliant identity provider.
Properties
id optional string | The unique identifier for the IdP. |
meta optional object | No description |
active optional boolean | Indicates whether the IdP is available for use. |
created optional string<date-time> | The timestamp for when the IdP was created. |
protocol optional | The protocol to be used for communicating with the identity provider. Valid values are OIDC, jwtAuth, and qsefw-local-bearer-token. Enum: OIDC jwtAuth qsefw-local-bearer-token |
provider optional | The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external. Enum: auth0 okta qlik generic salesforce keycloak adfs external azureAD |
tenantIds optional Array<string> | The tenant identifiers associated with the given IdP. |
description optional string | No description |
interactive optional boolean | Indicates the type of connection with the IdP, either interactive login or a machine to machine connection. |
lastUpdated optional string<date-time> | The timestamp for when the IdP was last updated. |
clockToleranceSec optional number | No description |
createNewUsersOnLogin optional boolean | When the flag is true, new users should be created when logging in for the first time. |
postLogoutRedirectUri optional string | Direct the user on logout to a specific URI. |
options optional | No description |
pendingState optional string | The state of pendingOptions. This represents the latest IdP test result. Enum: verified pending error |
pendingResult | No description |
pendingOptions optional | No description |
IDPOptions
object
Properties
realm optional string | The realm identifier for the IdP. |
scope optional string | Scope that will be sent along with token requests to the IdP. |
issuer optional string | This field is only used in Qlik Sense Enterprise Client-Managed IdPs. |
clientId optional string | The client identifier used as part of authenticating an interactive identity provider. |
clientSecret optional string | The client secret used as part of authenticating an interactive identity provider. |
discoveryUrl optional string | The OpenID configuration endpoint. (Ex: https://<domain>/.well-known/openid-configuration). |
claimsMapping optional | Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from. |
openid_configuration optional | OpenID configuration |
blockOfflineAccessScope optional boolean | If true, the |
emailVerifiedAlwaysTrue optional boolean | Determines if email_verified should be always true. This field is only used in ADFS and AzureAD IdPs. |
IDPPatchSchema
oneOf
optional | No description |
optional | No description |
IDPPostSchema
oneOf
optional | Payload for creating an OIDC-compatible identity provider. |
optional | Payload for creating an identity provider using JWT authentication. |
IDPProtocol
string | The protocol to be used for communicating with the identity provider. Valid values are OIDC, jwtAuth, and qsefw-local-bearer-token. Enum: OIDC jwtAuth qsefw-local-bearer-token |
IDPProvider
string | The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external. Enum: auth0 okta qlik generic salesforce keycloak adfs external azureAD |
IDPsStatus
object
Properties
idps_metadata optional | A list of IdP metadata. |
active_interactive_idps_count optional number | The number of active interactive IdPs. |
Links
object | Contains pagination links. |
Properties
next optional object | No description |
prev optional object | No description |
self optional object | No description |
OpenIDConfiguration
object | OpenID configuration |
Properties
issuer string | OpenID Provider issuer |
jwks_uri string | URL of the OP's JSON Web Key Set [JWK] document |
token_endpoint string | OAuth 2.0 Token Endpoint |
userinfo_endpoint optional string | URL of the OP's UserInfo Endpoint |
end_session_endpoint optional string | URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. |
authorization_endpoint string | OAuth 2.0 Authorization Endpoint |
introspection_endpoint optional string | The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information. |
PatchJWTAuthPayload
object | A patch request for an identity provider using the jwtAuth protocol. |
Properties
op string | The "operation" to be performed on a given IdP. Enum: replace |
path optional string | The "path" to the part of the IdP document. Enum: /description |
value optional | The "value" data type is dependent on the path value being used. |
PatchOIDCPayload
object | A patch request for an identity provider using the OIDC protocol. |
Properties
op string | The "operation" to be performed on a given IdP. Currently supports a custom operation value called "promote-options" that allows the test configuration to be promoted to the current configuration used for login. Enum: replace promote-options |
path optional string | The "path" to the part of the IdP document. Enum: /active /description /meta /options /options/realm /options/discoveryUrl /options/claimsMapping /pendingOptions /pendingOptions/realm /pendingOptions/discoveryUrl /pendingOptions/clientId /pendingOptions/clientSecret /pendingOptions/emailVerifiedAlwaysTrue /pendingOptions/claimsMapping /postLogoutRedirectUri /clockToleranceSec |
value optional | The "value" data type is dependent on the path value being used. |
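The QLIK-IDP-POPTS / QLIK-IDP-POPTS-MATCH precondition described for the PATCH endpoint above, exercised with the promote-options operation of PatchOIDCPayload, as an added example rather than Qlik's own code. The hash derivation (sha256 over canonical JSON of pendingOptions), the PATCH body shape (one PatchOIDCPayload object) and the requirement that pendingState be verified before promotion are assumptions; the in-memory service only imitates the documented status codes.

```python
"""Model of the QLIK-IDP-POPTS / QLIK-IDP-POPTS-MATCH precondition on PATCH.
Added example, not Qlik's code: the in-memory service imitates the documented
status codes only. Assumptions: POPTS is a sha256 over canonical JSON of
pendingOptions, the PATCH body is a single PatchOIDCPayload object, and
promoting requires pendingState == "verified"."""
import hashlib
import json
from copy import deepcopy

PROMOTE = {"op": "promote-options", "path": "/pendingOptions"}


def config_hash(pending_options: dict) -> str:
    """Assumed POPTS derivation: stable hash of the configuration under test."""
    canon = json.dumps(pending_options, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class FakeIdpService:
    """Imitates GET and PATCH /v1/identity-providers/{id} for one OIDC IdP."""

    def __init__(self, idp: dict):
        self.idp = deepcopy(idp)

    def get(self, idp_id: str):
        if idp_id != self.idp["id"]:
            return 404, {}, None
        headers = {"QLIK-IDP-POPTS": config_hash(self.idp["pendingOptions"])}
        return 200, headers, deepcopy(self.idp)

    def patch(self, idp_id: str, headers: dict, body: dict) -> int:
        if idp_id != self.idp["id"]:
            return 404
        if body.get("op") != "promote-options":
            return 400  # only promotion is modelled here
        # Precondition: the caller must echo the hash of the config it tested,
        # so a configuration edited after the test cannot be promoted blindly.
        if headers.get("QLIK-IDP-POPTS-MATCH") != config_hash(self.idp["pendingOptions"]):
            return 412
        if self.idp.get("pendingState") != "verified":
            return 400  # invalid state transition (assumed rule)
        self.idp["options"] = deepcopy(self.idp["pendingOptions"])
        return 204


def promote_pending_options(svc: FakeIdpService, idp_id: str) -> int:
    """Client side: read the IdP, then echo its POPTS hash back as POPTS-MATCH."""
    status, headers, _ = svc.get(idp_id)
    if status != 200:
        return status
    return svc.patch(idp_id, {"QLIK-IDP-POPTS-MATCH": headers["QLIK-IDP-POPTS"]}, PROMOTE)


# Constructed sample IdP whose tested configuration has already been verified.
SAMPLE_IDP = {
    "id": "idp-example-1",
    "protocol": "OIDC", "provider": "okta", "interactive": True,
    "options": {"clientId": "old-client"},
    "pendingOptions": {"clientId": "new-client"},
    "pendingState": "verified",
}
```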
PendingResult
object
Properties
error optional string | A unique readable error message based on the error that has occurred. |
status string | The status of the IdP configuration being tested. Enum: success pending error claimsError callbackError tokenError protocolError networkError configChangedDuringTestError |
started optional string<date-time> | The timestamp for when the test was started for an IdP configuration. This field is only available during lifespan of the test. |
idpClaims optional object | The claims retrieved from the external IdP. |
oauth2Error optional | No description |
resultantClaims optional object | The resultant claims based on the claims received from the external IdP. |