identity-provider create oidc
qlik identity-provider create oidc
Create a new IdP
Synopsis
Creates a new IdP on a tenant. The requesting user must be assigned the TenantAdmin role. For non-interactive IdPs (e.g. JWT), the IdP must be created by sending the options payload. For interactive IdPs (e.g. SAML or OIDC), send the pendingOptions payload to require the interactive verification step, or send the options payload with skipVerify set to true to skip the validation step and make the IdP immediately available.
qlik identity-provider create oidc [flags]
Options
      --clockToleranceSec int   There can be clock skew between the IdP and Qlik's login server. In these cases, a tolerance can be set.
      --createNewUsersOnLogin   Tells the consumer of the IdP that new users should be created on login if they don't exist.
      --description string   Payload for creating an OIDC-compatible identity provider.
  -f, --file string   Reads request from a file
  -h, --help   help for oidc
      --interactive   Indicates whether the IdP is meant for interactive login.
      --interval int   Duration in seconds to wait between retries, at least 1 (default 1)
      --options-allowedClientIds strings   Only clients with IDs in this list will be allowed API access. A blank list or empty value means any client IDs authenticated against the IdP will be allowed access.
      --options-audience string   Allows for setting audience in access tokens.
      --options-claimsMapping-client_id strings   A list of JSON pointers used to map the user's client ID.
      --options-claimsMapping-sub strings   A list of JSON pointers used to map the user's subject.
      --options-discoveryUrl string   The OpenID configuration endpoint. (Ex: https://<domain>/.well-known/openid-configuration). Required if openid_configuration is not given.
      --options-openid_configuration-authorization_endpoint string   OAuth 2.0 Authorization Endpoint
      --options-openid_configuration-end_session_endpoint string   URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
      --options-openid_configuration-introspection_endpoint string   The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.
      --options-openid_configuration-issuer string   OpenID Provider issuer
      --options-openid_configuration-jwks_uri string   URL of the OP's JSON Web Key Set [JWK] document
      --options-openid_configuration-token_endpoint string   OAuth 2.0 Token Endpoint
      --options-openid_configuration-userinfo_endpoint string   URL of the OP's UserInfo Endpoint
      --options-realm string   The realm identifier for the IdP.
      --pendingOptions-blockOfflineAccessScope   When true, the ˋoffline_accessˋ scope will not be requested from the IdP where applicable.
      --pendingOptions-claimsMapping-client_id strings   A list of JSON pointers used to map the user's client ID.
      --pendingOptions-claimsMapping-email strings   A list of JSON pointers used to map the user's email.
      --pendingOptions-claimsMapping-email_verified strings   A list of JSON pointers used to map the user's email_verified claim.
      --pendingOptions-claimsMapping-groups strings   A list of JSON pointers used to map the user's groups.
      --pendingOptions-claimsMapping-locale strings   A list of JSON pointers used to map the user's locale.
      --pendingOptions-claimsMapping-name strings   A list of JSON pointers used to map the user's name.
      --pendingOptions-claimsMapping-picture strings   A list of JSON pointers used to map the user's picture.
      --pendingOptions-claimsMapping-sub strings   A list of JSON pointers used to map the user's subject.
      --pendingOptions-claimsMapping-zoneinfo strings   A list of JSON pointers used to map the user's zoneinfo.
      --pendingOptions-clientId string   The client identifier used as part of authenticating an interactive identity provider.
      --pendingOptions-clientSecret string   The client secret used as part of authenticating an interactive identity provider.
      --pendingOptions-discoveryUrl string   The OpenID configuration endpoint. (Ex: https://<domain>/.well-known/openid-configuration). Required if openid_configuration is not given.
      --pendingOptions-emailVerifiedAlwaysTrue   Only ADFS and AzureAD IdPs can set this property. For ADFS and AzureAD, it defaults to false. For other IdPs, it defaults to undefined.
      --pendingOptions-idTokenSignatureAlg string   The algorithm used to sign the ID token. The default algorithm is RS256.
      --pendingOptions-openid_configuration-authorization_endpoint string   OAuth 2.0 Authorization Endpoint
      --pendingOptions-openid_configuration-end_session_endpoint string   URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
      --pendingOptions-openid_configuration-introspection_endpoint string   The introspection endpoint is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON [RFC7159] document representing the meta information.
      --pendingOptions-openid_configuration-issuer string   OpenID Provider issuer
      --pendingOptions-openid_configuration-jwks_uri string   URL of the OP's JSON Web Key Set [JWK] document
      --pendingOptions-openid_configuration-token_endpoint string   OAuth 2.0 Token Endpoint
      --pendingOptions-openid_configuration-userinfo_endpoint string   URL of the OP's UserInfo Endpoint
      --pendingOptions-realm string   The realm identifier for the IdP.
      --pendingOptions-scope string   Scope which will be sent along with token requests to the IdP. Scopes should be space delimited. Will default to certain values depending on the IdP provider.
      --pendingOptions-useClaimsFromIdToken   If true, will use the claims from the ID token. By default it is set to true for ADFS and AzureAD.
      --postLogoutRedirectUri string   Direct the user on logout to a specific URI.
      --protocol string   The protocol to be used for communicating with the identity provider.
      --provider string   The identity provider to be used.
  -q, --quiet   Return only IDs from the command
      --raw   Return original response from server without any processing
      --retry int   Number of retries to do before failing, max 10
      --skipVerify   If set to ˋtrueˋ, skips IdP verification process and assumes the IdP is verified.
      --tenantIds strings   The tenant identifiers that map to the given IdP.
Options inherited from parent commands
  -c, --config string   path/to/config.yml where parameters can be set instead of on the command line
      --context string   Name of the context used when connecting to Qlik Associative Engine
      --headers stringToString   HTTP headers to use when connecting to Qlik Associative Engine (default [])
      --insecure   Enabling insecure will make it possible to connect using self-signed certificates
      --json   Returns output in JSON format, if possible. Disables verbose and traffic output
  -s, --server string   URL to Qlik Cloud or directly to a Qlik Associative Engine
      --server-type string   The type of server you are using: cloud, Windows (Enterprise on Windows) or engine
  -v, --verbose   Log extra information
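
A pre-flight check for the flags documented above, as an added example that is not part of qlik-cli or of the original page. lint_idp_flags is a hypothetical shell helper that prints one finding per line for settings that weaken the IdP setup; the host name and secret in the sample call are constructed.

```shell
#!/bin/sh
# Added example (not part of qlik-cli): lint_idp_flags is a hypothetical helper.
# Pass it the same arguments you intend to give `qlik identity-provider create oidc`.
lint_idp_flags() (
  uses_options=0; has_allowlist=0
  while [ $# -gt 0 ]; do
    arg=$1; shift
    case $arg in
      *=*) val=${arg#*=}; bool=$val; arg=${arg%%=*} ;;  # --flag=value
      *)   val=${1-};     bool=true ;;                  # --flag value, or bare boolean
    esac
    # Any --options-* flag means the IdP is created from the options payload.
    case $arg in --options-*) uses_options=1 ;; esac
    case $arg in
      --skipVerify)
        [ "$bool" = true ] && echo "skipVerify: IdP is made available without the verification step" ;;
      --insecure)
        [ "$bool" = true ] && echo "insecure: self-signed server certificates will be accepted" ;;
      --pendingOptions-emailVerifiedAlwaysTrue)
        [ "$bool" = true ] && echo "emailVerifiedAlwaysTrue: only ADFS and AzureAD IdPs can set this; confirm intent" ;;
      --pendingOptions-clientSecret)
        echo "clientSecret: secret passed in argv (shell history, process list); use -f/--file" ;;
      --options-allowedClientIds)
        [ -n "$val" ] && has_allowlist=1 ;;
      --*-discoveryUrl|--*-openid_configuration-*)
        case $val in
          https://*) ;;
          *) echo "${arg#--}: endpoint URL is not https" ;;
        esac ;;
    esac
  done
  # Per the option text, a blank allow-list admits any client ID the IdP authenticates.
  if [ "$uses_options" -eq 1 ] && [ "$has_allowlist" -eq 0 ]; then
    echo "options-allowedClientIds: blank list allows any client ID authenticated against the IdP"
  fi
  :
)

# Constructed invocation for demonstration; the host and secret are made up.
lint_idp_flags --interactive --skipVerify \
  --pendingOptions-clientSecret constructed-secret \
  --pendingOptions-discoveryUrl http://idp.example.test/.well-known/openid-configuration
```

An empty result means none of these conditions were found in the argument list; it does not inspect a request supplied with -f/--file.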