Qlik Sense Hybrid Setup - Azure AD Authentication

For hybrid setups, there needs to be a way to get the user IDs aligned in both environments otherwise a single user could consume more than one assigned licence. Generally the best way to set this up is by adding the on-prem account name (a.k.a. SAMAccountName) to the Azure AD config for Qlik SaaS login to use as the Subject (sub). The advantage of this approach is it requires no changes in the on-prem environment which can be significant for organisations starting their SaaS or hybrid migration.

This requires use of PowerShell to create a new policy, assigning it to the Qlik Azure AD Application and then editing the manifest. This can then be used in the IdP Config.

Azure AD Steps

  • Install the AzureADPreview PowerShell Module. (Note that this conflicts with AzureAD module so you may need to remove this first)
    Install-Module AzureADPreview
  • Import the AzureADPreview PowerShell Module. 
    Import-Module AzureADPreview
  • Connect to Azure AD as an admin or user with sufficient privileges
  • Create a new AD policy
    New-AzureADPolicy -Definition @('{
    "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
    "Source": "user",
    "ID": "onpremisessamaccountname",
    "SamlClaimType": "samaccountname",
    "JwtClaimType": "samAccountName"
    }') -DisplayName 'Claim-SAM' -Type 'ClaimsMappingPolicy'
  • Note the output Policy Id
  • Find the Service Principal for the Enterprise Application
    Get-AzureADServicePrincipal -SearchString "Qlik Sense SaaS"
  • Add the policy created to the Qlik application:
    Add-AzureADServicePrincipalPolicy –ID "{Enterprise App Service Principal ID}" -RefObjectId "{New Policy ID}"
  • In the App Registration, change in the manifest the attribute “acceptMappedClaims”: true

Qlik Sense SaaS Steps:

  • When setting up the Identity Provider, specify samAccountName as the "sub":


When validating, if you see the error "AADSTS50146: This application is required to be configured with an application-specific signing key", then make sure you have set the Manifest's acceptMappedClaims to true as having this as null leads to this error.

When validating, if you see the error "Missing required claim: name" then make sure you copied or typed the new policy correctly as it won't error if you specify incorrect parameters - e.g. it will accept "IncludesBasicClaimSet" when it should be "IncludeBasicClaimSet" but won't include the basic claim set which can cause this error.


Useful References:

Have more questions? Submit a request