Skip to content

Identity providers

A service for managing identity providers.

Endpoints

Skip to section
GET/v1/identity-providers
POST/v1/identity-providers
GET/v1/identity-providers/.well-known/metadata.json
GET/v1/identity-providers/{id}
PATCH/v1/identity-providers/{id}
DELETE/v1/identity-providers/{id}
GET/v1/identity-providers/me/meta
GET/v1/identity-providers/status

Retrieves one or more IdPs for a specified tenantId.

manage

This endpoint retrieves one or more identity providers from the service. The tenantID in the JWT will be used to fetch the identity provider.

Facts GET /v1/identity-providers

Rate limit
Tier 1 (1000 requests per minute)

Query Parameters GET /v1/identity-providers

active
optional
boolean

If provided, filters the results by the active field.

limit
optional, default=20, minimum=1, maximum=100
number

The number of IdP entries to retrieve.

next
optional
string

The next page cursor.

prev
optional
string

The previous page cursor.

Responses GET /v1/identity-providers

200
optional, application/json

Success

404
optional, application/json

Not Found

GET/v1/identity-providers

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/identity-providers

{
  "data": [],
  "links": {
    "next": {
      "href": "string"
    },
    "prev": {
      "href": "string"
    },
    "self": {
      "href": "string"
    }
  }
}

Creates a new IdP

manage

This endpoint creates an identity provider resource. It returns a 201 Created when creation is successful with a header "QLIK-IDP-POPTS" (A unique string representing a hash of the current configuration being tested), returns a 403 Forbidden for a non TenantAdmin user JWT or if the tenantID in the JWT does not match with any of the tenantIDs in the payload. An IdP can be created with Pending Options or options depending whether the IdP is interactive or not.

Facts POST /v1/identity-providers

Rate limit
Tier 2 (100 requests per minute)

Request Body POST /v1/identity-providers

optional, application/json

Attributes that the user wants to set for a new identity provider resource.

Responses POST /v1/identity-providers

201
optional, application/json
IDP

Created

400
optional, application/json

Bad Request

403
optional, application/json

Forbidden

POST/v1/identity-providers

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers" \
 -X POST \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json"

Returns identity providers' metadata

manage

This endpoint retrieves identity providers' metadata.

Facts GET /v1/identity-providers/.well-known/metadata.json

Rate limit
Tier 1 (1000 requests per minute)

Responses GET /v1/identity-providers/.well-known/metadata.json

200
optional, application/json
object

Success

GET/v1/identity-providers/.well-known/metadata.json

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/.well-known/metadata.json" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/identity-providers/.well-known/metadata.json

{
  "undefined": {}
}

Returns the IdP with the specified ID

manage

This endpoint is used to retrieve an identity provider from the service. It returns a valid 200 OK response when the IdP exists and the user (TenantAdmin) or service (edge-auth) is authorized to view the contents. Additionally, returns a header "QLIK-IDP-POPTS" (A unique string representing a hash of the current configuration being tested). It returns a 404 Not Found if the criteria is not met.

Facts GET /v1/identity-providers/{id}

Rate limit
Tier 1 (1000 requests per minute)

Path Parameters GET /v1/identity-providers/{id}

id
string

The identity provider ID.

Responses GET /v1/identity-providers/{id}

200
optional, application/json
IDP

Success

401
optional, application/json

Unauthorized

404
optional, application/json

Not Found

GET/v1/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -H "Authorization: Bearer <API-key>"

Updates the IdP with the specified ID

manage

This endpoint patches an identity provider from the service. It returns a valid 204 when the IdP is patched. Only an edge-auth service request or a user with the role of TenantAdmin can patch an associated IdP. Partial failure is treated as complete failure and returns an error.

Facts PATCH /v1/identity-providers/{id}

Rate limit
Tier 2 (100 requests per minute)

Header Parameters PATCH /v1/identity-providers/{id}

QLIK-IDP-POPTS-MATCH

A unique string representing a hash that should map to an IdP's hash representation of the current configuration being tested.

Path Parameters PATCH /v1/identity-providers/{id}

id
string

The identity provider ID.

Request Body PATCH /v1/identity-providers/{id}

optional, application/json

Attributes that the user wants to patially update for an identity provider resource.

Responses PATCH /v1/identity-providers/{id}

204
optional
object

Success

400
optional, application/json

Bad request. Invalid request body, URL, or state transition.

401
optional, application/json

Unauthorized

403
optional, application/json

Access Denied. Only the edge-auth service or TenantAdmin user request can patch an IdP.

404
optional, application/json

Not Found

412
optional, application/json

Precondition Failed. Missing QLIK-IDP-OPTS-MATCH header, or value doesn't match against IdP test configuration value.

500
optional, application/json

Internal server error, the operation failed unexpectedly

PATCH/v1/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -X PATCH \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json"

Deletes the IdP with the specified ID

manage

This endpoint deletes an identity provider from the service. It returns a valid 204 when the IdP is deleted. Only a user with the role of TenantAdmin and tenant access can delete an associated IdP. Edge-auth service can also delete.

Facts DELETE /v1/identity-providers/{id}

Rate limit
Tier 2 (100 requests per minute)

Path Parameters DELETE /v1/identity-providers/{id}

id
string

The identity provider ID.

Responses DELETE /v1/identity-providers/{id}

204
optional
object

Success

400
optional, application/json

Bad request. The interactive IdP for the tenant can't be deleted.

404
optional, application/json

Not Found

DELETE/v1/identity-providers/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/{id}" \
 -X DELETE \
 -H "Authorization: Bearer <API-key>"

Returns the active interactive IdP metadata

manage

This endpoint retrieves IdP metadata.

Facts GET /v1/identity-providers/me/meta

Rate limit
Tier 1 (1000 requests per minute)

Responses GET /v1/identity-providers/me/meta

200
optional, application/json

Success

403
optional, application/json

Forbidden

404
optional, application/json

Not Found

500
optional, application/json

Internal server error

GET/v1/identity-providers/me/meta

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/me/meta" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/identity-providers/me/meta

{
  "userPortalLink": "string",
  "upgradeSubscriptionLink": "string"
}

Returns the current status of IdP configurations

manage

This endpoint retrieves the status of IdP configurations. Requires TenantAdmin role.

Facts GET /v1/identity-providers/status

Rate limit
Tier 1 (1000 requests per minute)

Responses GET /v1/identity-providers/status

200
optional, application/json

Success

403
optional, application/json

Forbidden

404
optional, application/json

Not Found

500
optional, application/json

Internal Server Error

GET/v1/identity-providers/status

curl "https://your-tenant.us.qlikcloud.com/api/v1/identity-providers/status" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/identity-providers/status

{
  "idps_metadata": [
    {
      "active": true,
      "provider": "auth0",
      "interactive": true
    }
  ],
  "active_interactive_idps_count": 0
}

qlikIdpPopts

string

A unique string representing a hash of the current configuration being tested.

qlikIdpPoptsMatch

string

A unique string representing a hash that should map to an IdP's hash representation of the current configuration being tested.

BaseIDP

object

Properties

id
optional
string

The unique identifier for the IdP.

meta
optional
object

No description

active
optional
boolean

Indicates whether the IdP is available for use.

created
optional
string<date-time>

The timestamp for when the IdP was created.

protocol
optional

The protocol to be used for communicating with the identity provider. Valid values are OIDC, jwtAuth, and qsefw-local-bearer-token.

Enum:

OIDC

jwtAuth

qsefw-local-bearer-token

provider
optional

The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external.

Enum:

auth0

okta

qlik

generic

salesforce

keycloak

adfs

external

azureAD

tenantIds
optional
Array<string>

The tenant identifiers associated with the given IdP.

description
optional
string

No description

interactive
optional
boolean

Indicates the type of connection with the IdP, either interactive login or a machine to machine connection.

lastUpdated
optional
string<date-time>

The timestamp for when the IdP was last updated.

clockToleranceSec
optional
number

No description

createNewUsersOnLogin
optional
boolean

When the flag is true, new users should be created when logging in for the first time.

postLogoutRedirectUri
optional
string

Direct the user on logout to a specific URI.

claimsMappingInteractive

object

Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from.

Properties

sub
optional
Array<string>

A list of JSON pointers used to map the user's subject.

name
optional
Array<string>

A list of JSON pointers used to map the user's name.

email
optional
Array<string>

A list of JSON pointers used to map the user's email.

groups
optional
Array<string>

A list of JSON pointers used to map the user's groups.

locale
optional
Array<string>

A list of JSON pointers used to map the user's locale.

picture
optional
Array<string>

A list of JSON pointers used to map the user's picture.

zoneinfo
optional
Array<string>

A list of JSON pointers used to map the user's zoneinfo.

client_id
optional
Array<string>

A list of JSON pointers used to map the user's client ID.

email_verified
optional
Array<string>

A list of JSON pointers used to map the user's email_verified claim.

claimsMappingNonInteractive

object

Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from.

Properties

sub
optional
Array<string>

A list of JSON pointers used to map the user's subject.

client_id
optional
Array<string>

A list of JSON pointers used to map the user's client ID.

CreateJWTAuthPayload

object

Payload for creating an identity provider using JWT authentication.

Properties

options
optional

Required IdP configurations.

protocol
string

The protocol to be used for communicating with the identity provider.

Enum:

jwtAuth

provider
string

The identity provider to be used.

Enum:

external

tenantIds
optional
Array<string>

The tenant identifiers that map to the given IdP.

description
optional
string

No description

clockToleranceSec
optional, default=5, minimum=0, maximum=7200
number

There can be clock skew between the IdP and Qlik's login server, in these cases a tolerance can be set, decimals will be rounded off.

CreateOIDCPayload

object

Payload for creating an OIDC-compatible identity provider.

Properties

options
optional

Required OIDC configurations for non-interactive IdPs and interactive IdPs with skipVerify flag enabled.

protocol
string

The protocol to be used for communicating with the identity provider.

Enum:

OIDC

provider
string

The identity provider to be used.

Enum:

auth0

okta

generic

salesforce

keycloak

adfs

azureAD

tenantIds
optional
Array<string>

The tenant identifiers that map to the given IdP.

skipVerify
optional, default=false
boolean

If set to true, skips IdP verification process and assumes the IdP is verified.

description
optional
string

No description

interactive
default=false
boolean

Indicates whether the IdP is meant for interactive login.

pendingOptions
optional

Required OIDC configurations for interactive IdPs that require verification.

clockToleranceSec
optional, default=5, minimum=0, maximum=7200
number

There can be clock skew between the IdP and Qlik's login server. In these cases, a tolerance can be set, decimals will be rounded off.

createNewUsersOnLogin
optional, default=true
boolean

Tells the consumer of the IdP that new users should be created on login if they don't exist.

postLogoutRedirectUri
optional
string

Direct the user on logout to a specific URI.

Error

object

An error object.

Properties

code
string

The error code.

meta
optional
object

Additional properties relating to the error.

title
string

Summary of the problem.

detail
optional
string

A human-readable explanation specific to this occurrence of the problem.

source
optional

References to the source of the error.

status
optional
number

The HTTP status code.

Errors

object

A representation of the errors encountered from the HTTP request.

Properties

errors
optional

No description

IDP

oneOf

optional

An OIDC-compliant identity provider.

optional

An identity provider for JWT authentication.

IDPArray

object

Properties

data
optional
Array<IDP>

An array of IdPs.

links
optional

Contains pagination links.

IDPJWTAuth

An identity provider for JWT authentication.

Properties

id
optional
string

The unique identifier for the IdP.

meta
optional
object

No description

active
optional
boolean

Indicates whether the IdP is available for use.

created
optional
string<date-time>

The timestamp for when the IdP was created.

protocol
optional

The protocol to be used for communicating with the identity provider. Valid values are OIDC, jwtAuth, and qsefw-local-bearer-token.

Enum:

OIDC

jwtAuth

qsefw-local-bearer-token

provider
optional

The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external.

Enum:

auth0

okta

qlik

generic

salesforce

keycloak

adfs

external

azureAD

tenantIds
optional
Array<string>

The tenant identifiers associated with the given IdP.

description
optional
string

No description

interactive
optional
boolean

Indicates the type of connection with the IdP, either interactive login or a machine to machine connection.

lastUpdated
optional
string<date-time>

The timestamp for when the IdP was last updated.

clockToleranceSec
optional
number

No description

createNewUsersOnLogin
optional
boolean

When the flag is true, new users should be created when logging in for the first time.

postLogoutRedirectUri
optional
string

Direct the user on logout to a specific URI.

options
optional

No description

IDPMeta

object

Properties

userPortalLink
optional
string

A link to direct you to where you can manage your Qlik account. Only available if the default identity provider is used (no custom interactive identity providers are active).

upgradeSubscriptionLink
optional
string

A link to direct you to where you can upgrade your trial or manage your subscriptions. Only available if the default identity provider is used (no custom interactive identity providers are active).

IDPOIDC

An OIDC-compliant identity provider.

Properties

id
optional
string

The unique identifier for the IdP.

meta
optional
object

No description

active
optional
boolean

Indicates whether the IdP is available for use.

created
optional
string<date-time>

The timestamp for when the IdP was created.

protocol
optional

The protocol to be used for communicating with the identity provider. Valid values are OIDC, jwtAuth, and qsefw-local-bearer-token.

Enum:

OIDC

jwtAuth

qsefw-local-bearer-token

provider
optional

The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external.

Enum:

auth0

okta

qlik

generic

salesforce

keycloak

adfs

external

azureAD

tenantIds
optional
Array<string>

The tenant identifiers associated with the given IdP.

description
optional
string

No description

interactive
optional
boolean

Indicates the type of connection with the IdP, either interactive login or a machine to machine connection.

lastUpdated
optional
string<date-time>

The timestamp for when the IdP was last updated.

clockToleranceSec
optional
number

No description

createNewUsersOnLogin
optional
boolean

When the flag is true, new users should be created when logging in for the first time.

postLogoutRedirectUri
optional
string

Direct the user on logout to a specific URI.

options
optional

No description

pendingState
optional
string

The state of pendingOptions. This represents the latest IdP test result.

Enum:

verified

pending

error

pendingResult

No description

pendingOptions
optional

No description

IDPOptions

object

Properties

realm
optional
string

The realm identifier for the IdP.

scope
optional
string

Scope that will be sent along with token requests to the IdP.

issuer
optional
string

This field is only used in Qlik Sense Enterprise Client-Managed IdPs.

clientId
optional
string

The client identifier used as part of authenticating an interactive identity provider.

clientSecret
optional
string

The client secret used as part of authenticating an interactive identity provider.

discoveryUrl
optional
string

The OpenID configuration endpoint. (Ex: https://<domain>/.well-known/openid-configuration).

claimsMapping

Mappings from claim name to an array of JSON pointers that point to locations in the claims from the IdP to retrieve the value from.

openid_configuration

OpenID configuration

blockOfflineAccessScope
optional
boolean

If true, the offline_access scope will not be requested from the IdP, where applicable.

emailVerifiedAlwaysTrue
optional
boolean

Determines if email_verified should be always true. This field is only used in ADFS and AzureAD IdPs.

IDPPatchSchema

oneOf

optional

No description

optional

No description

IDPPostSchema

oneOf

Payload for creating an OIDC-compatible identity provider.

Payload for creating an identity provider using JWT authentication.

IDPProtocol

string

The protocol to be used for communicating with the identity provider. Valid values are OIDC, jwtAuth, and qsefw-local-bearer-token.

Enum:

OIDC

jwtAuth

qsefw-local-bearer-token

IDPProvider

string

The identity provider to be used. If protocol is OIDC, the valid values are auth0, okta, generic, salesforce, keycloak, adfs, and azureAD. If protocol is jwtAuth, the valid value is external.

Enum:

auth0

okta

qlik

generic

salesforce

keycloak

adfs

external

azureAD

IDPsStatus

object

Properties

idps_metadata
optional

A list of IdP metadata.

active_interactive_idps_count
optional
number

The number of active interactive IdPs.

object

Contains pagination links.

Properties

next
optional
object

No description

prev
optional
object

No description

self
optional
object

No description

OpenIDConfiguration

object

OpenID configuration

Properties

issuer
string

OpenID Provider issuer

jwks_uri
string

URL of the OP's JSON Web Key Set [JWK] document

token_endpoint
string

OAuth 2.0 Token Endpoint

userinfo_endpoint
optional
string

URL of the OP's UserInfo Endpoint

end_session_endpoint
optional
string

URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

authorization_endpoint
string

OAuth 2.0 Authorization Endpoint

introspection_endpoint
optional
string

The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.

PatchJWTAuthPayload

object

A patch request for an identity provider using the jwtAuth protocol.

Properties

op
string

The "operation" to be performed on a given IdP.

Enum:

replace

path
optional
string

The "path" to the part of the IdP document.

Enum:

/description

value
optional

The "value" data type is dependent on the path value being used.

PatchOIDCPayload

object

A patch request for an identity provider using the OIDC protocol.

Properties

op
string

The "operation" to be performed on a given IdP. Currently supports a custom operation value called "promote-options" that allows the test configuration to be promoted to the current configuration used for login.

Enum:

replace

promote-options

path
optional
string

The "path" to the part of the IdP document.

Enum:

/active

/description

/meta

/options

/options/realm

/options/discoveryUrl

/options/claimsMapping

/pendingOptions

/pendingOptions/realm

/pendingOptions/discoveryUrl

/pendingOptions/clientId

/pendingOptions/clientSecret

/pendingOptions/emailVerifiedAlwaysTrue

/pendingOptions/claimsMapping

/postLogoutRedirectUri

/clockToleranceSec

value
optional

The "value" data type is dependent on the path value being used.

PendingResult

object

Properties

error
optional
string

A unique readable error message based on the error that has occurred.

status
string

The status of the IdP configuration being tested.

Enum:

success

pending

error

claimsError

callbackError

tokenError

protocolError

networkError

configChangedDuringTestError

started
optional
string<date-time>

The timestamp for when the test was started for an IdP configuration. This field is only available during lifespan of the test.

idpClaims
optional
object

The claims retrieved from the external IdP.

oauth2Error
optional

No description

resultantClaims
optional
object

The resultant claims based on the claims received from the external IdP.

v0.574.0
Was this page helpful?