identity-provider create oidc
qlik identity-provider create oidc
Create a new IdP
Synopsis
Creates a new IdP on a tenant. The requesting user must be assigned the TenantAdmin role. For non-interactive IdPs (e.g. JWT), the IdP must be created by sending an options payload. For interactive IdPs (e.g. SAML or OIDC), send a pendingOptions payload to require the interactive verification step, or send an options payload with skipVerify set to true to skip the validation step and make the IdP immediately available.
qlik identity-provider create oidc [flags]
Options
--clockToleranceSec int There can be clock skew between the IdP and Qlik's login server. In these cases, a tolerance can be set.
--createNewUsersOnLogin Tells the consumer of the IdP that new users should be created on login if they don't exist.
--description string Payload for creating an OIDC-compatible identity provider.
-f, --file string Reads request from a file
-h, --help help for oidc
--interactive Indicates whether the IdP is meant for interactive login.
--interval int Duration in seconds to wait between retries, at least 1 (default 1)
--options-allowedClientIds strings Only clients with IDs in this list will be allowed API access. A blank list or empty value means any client IDs authenticated against the IdP will be allowed access.
--options-audience string Allows for setting audience in access tokens.
--options-claimsMapping-client_id strings A list of JSON pointers used to map the user's client ID.
--options-claimsMapping-sub strings A list of JSON pointers used to map the user's subject.
--options-discoveryUrl string The OpenID configuration endpoint. (Ex: https://<domain>/.well-known/openid-configuration). Required if openid_configuration is not given.
--options-openid_configuration-authorization_endpoint string OAuth 2.0 Authorization Endpoint
--options-openid_configuration-end_session_endpoint string URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
--options-openid_configuration-introspection_endpoint string The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.
--options-openid_configuration-issuer string OpenID Provider issuer
--options-openid_configuration-jwks_uri string URL of the OP's JSON Web Key Set [JWK] document
--options-openid_configuration-token_endpoint string OAuth 2.0 Token Endpoint
--options-openid_configuration-userinfo_endpoint string URL of the OP's UserInfo Endpoint
--options-realm string The realm identifier for the IdP.
--pendingOptions-blockOfflineAccessScope When true, the `offline_access` scope will not be requested from the IdP where applicable.
--pendingOptions-claimsMapping-client_id strings A list of JSON pointers used to map the user's client ID.
--pendingOptions-claimsMapping-email strings A list of JSON pointers used to map the user's email.
--pendingOptions-claimsMapping-email_verified strings A list of JSON pointers used to map the user's email_verified claim.
--pendingOptions-claimsMapping-groups strings A list of JSON pointers used to map the user's groups.
--pendingOptions-claimsMapping-locale strings A list of JSON pointers used to map the user's locale.
--pendingOptions-claimsMapping-name strings A list of JSON pointers used to map the user's name.
--pendingOptions-claimsMapping-picture strings A list of JSON pointers used to map the user's picture.
--pendingOptions-claimsMapping-sub strings A list of JSON pointers used to map the user's subject.
--pendingOptions-claimsMapping-zoneinfo strings A list of JSON pointers used to map the user's zoneinfo.
--pendingOptions-clientId string The client identifier used as part of authenticating an interactive identity provider.
--pendingOptions-clientSecret string The client secret used as part of authenticating an interactive identity provider.
--pendingOptions-discoveryUrl string The OpenID configuration endpoint. (Ex: https://<domain>/.well-known/openid-configuration). Required if openid_configuration is not given.
--pendingOptions-emailVerifiedAlwaysTrue Only ADFS and AzureAD IdPs can set this property. For ADFS and AzureAD, it defaults to false. For other IdPs, it defaults to undefined.
--pendingOptions-idTokenSignatureAlg string The algorithm used to sign the ID token. The default algorithm is RS256.
--pendingOptions-openid_configuration-authorization_endpoint string OAuth 2.0 Authorization Endpoint
--pendingOptions-openid_configuration-end_session_endpoint string URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
--pendingOptions-openid_configuration-introspection_endpoint string The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.
--pendingOptions-openid_configuration-issuer string OpenID Provider issuer
--pendingOptions-openid_configuration-jwks_uri string URL of the OP's JSON Web Key Set [JWK] document
--pendingOptions-openid_configuration-token_endpoint string OAuth 2.0 Token Endpoint
--pendingOptions-openid_configuration-userinfo_endpoint string URL of the OP's UserInfo Endpoint
--pendingOptions-realm string The realm identifier for the IdP.
--pendingOptions-scope string Scope which will be sent along with token requests to the IdP. Scopes should be space delimited. Will default to certain values depending on the IdP provider.
--pendingOptions-useClaimsFromIdToken If true, will use the claims from the ID token. By default it is set to true for ADFS and AzureAD.
--postLogoutRedirectUri string Direct the user on logout to a specific URI.
--protocol string The protocol to be used for communicating with the identity provider.
--provider string The identity provider to be used.
-q, --quiet Return only IDs from the command
--raw Return original response from server without any processing
--retry int Number of retries to do before failing, max 10
--skipVerify If set to `true`, skips IdP verification process and assumes the IdP is verified.
--tenantIds strings The tenant identifiers that map to the given IdP.
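The two creation paths described in the synopsis, as an added shell example that is not part of the qlik-cli reference or of the qlik project itself. It assumes the qlik CLI is installed with a context for the target tenant already selected; the provider name, discovery URL, client IDs and audience are constructed placeholders, the `--protocol OIDC` and `--provider okta` values and the claims-mapping pointer values are assumptions about the tenant's IdP, and `QLIK_BIN=echo` turns each call into a dry run that prints the command line instead of executing it.

```shell
#!/bin/sh
# Added example; not part of the qlik-cli reference or the qlik project itself.
# Assumes the qlik CLI is installed and a context for the target tenant is
# already selected. QLIK_BIN=echo makes every call print the command line
# instead of running it. Provider, URLs, client IDs and audience below are
# constructed placeholders.
QLIK_BIN="${QLIK_BIN:-qlik}"

# A discovery URL has to be https and end in the standard well-known path;
# anything else is refused before an IdP record is created at all.
check_discovery_url() {
  case "$1" in
    https://*/.well-known/openid-configuration) return 0 ;;
    *) return 1 ;;
  esac
}

# Interactive OIDC IdP that keeps the verification step: settings go in the
# pendingOptions payload and --skipVerify is deliberately absent, so the IdP
# becomes usable only after the interactive verification succeeds.
#   $1 provider name, $2 discovery URL, $3 client ID. The client secret is
#   read from OIDC_CLIENT_SECRET rather than appearing as a script literal.
# The --protocol value and the claims-mapping pointers are assumptions about
# the IdP and its token layout, not values taken from the reference page.
create_pending_oidc_idp() {
  check_discovery_url "$2" || { echo "rejected discovery URL: $2" >&2; return 1; }
  [ -n "$OIDC_CLIENT_SECRET" ] || { echo "OIDC_CLIENT_SECRET is not set" >&2; return 1; }
  "$QLIK_BIN" identity-provider create oidc \
    --protocol OIDC \
    --provider "$1" \
    --interactive \
    --pendingOptions-discoveryUrl "$2" \
    --pendingOptions-clientId "$3" \
    --pendingOptions-clientSecret "$OIDC_CLIENT_SECRET" \
    --pendingOptions-scope "openid profile email" \
    --pendingOptions-blockOfflineAccessScope \
    --pendingOptions-claimsMapping-sub sub \
    --pendingOptions-claimsMapping-email email \
    --pendingOptions-claimsMapping-groups groups \
    --clockToleranceSec 30 \
    --createNewUsersOnLogin
}

# OIDC IdP made available immediately with --skipVerify. Because nothing is
# verified interactively, this path insists on an explicit allowedClientIds
# list: an empty list admits any client ID the IdP authenticates, which is
# not what an immediately active IdP should do.
#   $1 discovery URL, $2 comma-separated allowed client IDs, $3 audience.
create_prevalidated_oidc_idp() {
  check_discovery_url "$1" || { echo "rejected discovery URL: $1" >&2; return 1; }
  [ -n "$2" ] || { echo "refusing --skipVerify without an allowedClientIds list" >&2; return 1; }
  "$QLIK_BIN" identity-provider create oidc \
    --protocol OIDC \
    --options-discoveryUrl "$1" \
    --options-allowedClientIds "$2" \
    --options-audience "$3" \
    --options-claimsMapping-sub sub \
    --skipVerify
}

# Dry run when invoked as `sh create-oidc-idp.sh --dry-run` (constructed values).
if [ "${1:-}" = "--dry-run" ]; then
  QLIK_BIN=echo
  OIDC_CLIENT_SECRET="placeholder-secret"
  create_pending_oidc_idp okta \
    https://login.example.com/.well-known/openid-configuration client-abc
  create_prevalidated_oidc_idp \
    https://login.example.com/.well-known/openid-configuration client-abc,client-def qlik-api
fi
```

Passing `--pendingOptions-clientSecret` on the command line leaves the secret in shell history and in the process list while the command runs; for anything beyond a one-off, the `-f, --file` option listed above lets the request be read from a file with restrictive permissions instead.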
Options inherited from parent commands
-c, --config string path/to/config.yml where parameters can be set instead of on the command line
--context string Name of the context used when connecting to Qlik Associative Engine
--headers stringToString HTTP headers to use when connecting to Qlik Associative Engine (default [])
--insecure Enabling insecure will make it possible to connect using self-signed certificates
--json Returns output in JSON format, if possible. Disables verbose and traffic output
-s, --server string URL to Qlik Cloud or directly to a Qlik Associative Engine
--server-type string The type of server you are using: cloud, Windows (Enterprise on Windows) or engine
-v, --verbose Log extra information