MatiasA
Partner - Contributor

UDC for Cognito and Qlik Sense

Right now in my company we're trying to obtain, manage and assign licences to users in Qlik Sense, using AWS Cognito as the user source. For this, we're trying to obtain the user list from a user pool in AWS Cognito through the UDC (User Directory Connector). Has anyone done this, or does anyone have an idea of how it can be achieved?


Accepted Solutions
Levi_Turner
Employee

In searching through Amazon's documentation on Cognito (https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html), I am not seeing an available method which Qlik Sense Enterprise supports (i.e. LDAP* or ODBC). As such, I don't see a direct method.

That being said, let's take a step back. Some of this may be on your radar, so you can fast forward to the next steps below.

What is a user directory connector (UDC)?

A connection to a user identity store. Common examples of this are Windows Active Directory, LDAP servers, or sources accessible via an ODBC connection (i.e. SQL Server, or even Excel / CSV files).

What does a user directory connector do?

Synchronize users (and optionally attributes) into Qlik Sense Enterprise.

Why would someone use a user directory connector?

Well there are a number of reasons, some good, some bad. They can range from:

  • A desire to bring in attribute information (i.e. groups, metadata) about users to compose security rules to dynamically allocate entitlements (Good)
  • A desire to manually allocate a user a license
    • Alternative: use License rules to dynamically allocate a license based on group / metadata membership
  • A desire to manually allocate a user a role
    • Alternative: use Security rules to dynamically allocate a user access

What if I do not have or cannot connect to my desired user identity store?

As an alternative, you can do a few things.

If you use an authentication provider that can provide session attributes, then pass session attributes to Qlik Sense Enterprise. Whilst these will not be persisted (aka they will not show up when you click on the user's record in the QMC), as long as the authentication source provides them you can use them in rules inside of Qlik Sense or Section Access (https://community.qlik.com/t5/Qlik-Design-Blog/User-Environment-What-Session-Attributes-in-Qlik-Sens...).

If session attributes are either not possible (for example if the authentication provider does not have the user metadata) or are undesirable (for example, you want a list of groups ahead of time to pre-populate the QMC for writing security rules), then you can build your own supported UDC. By that I mean you can:

With AWS Cognito, the user identity information looks to be exposed via APIs so it shouldn't be too difficult to query and build a CSV for ingestion by Qlik Sense Enterprise.

* Active Directory is just a specific implementation of LDAP.
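
An added illustration of the CSV approach suggested in the answer above (not code from the original post or from Qlik): it flattens Cognito `ListUsers` responses into a users table and an attributes table. The column layout (`userid,name` and `userid,type,value`), the attribute allowlist, the `group` attribute type and the sample users are assumptions; match them to how your ODBC UDC is configured.

```python
import csv
import io

# Assumption: export only attributes users cannot edit themselves, since
# Qlik license and security rules will trust whatever lands in the CSV.
ALLOWED_ATTRIBUTES = {"email", "custom:department"}

def cognito_to_udc_rows(pages, groups_by_user, allowed=ALLOWED_ATTRIBUTES):
    """Flatten Cognito ListUsers pages into (users, attributes) row lists.

    pages: ListUsers response dicts, e.g. from boto3 client("cognito-idp")
    .list_users(UserPoolId=...), following PaginationToken until it is absent.
    """
    users, attributes = [], []
    for page in pages:
        for u in page.get("Users", []):
            # Disabled or unconfirmed accounts are left out of the sync.
            if not u.get("Enabled") or u.get("UserStatus") != "CONFIRMED":
                continue
            uid = u["Username"]
            attrs = {a["Name"]: a.get("Value", "") for a in u.get("Attributes", [])}
            users.append((uid, attrs.get("name") or attrs.get("email") or uid))
            for key in sorted(attrs.keys() & allowed):
                attributes.append((uid, key, attrs[key]))
            for group in sorted(groups_by_user.get(uid, [])):
                attributes.append((uid, "group", group))
    return users, attributes

def to_csv(header, rows):
    """Quote every field so commas inside values stay in one column."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample data shaped like ListUsers responses (not real users).
SAMPLE_PAGES = [
    {"Users": [{"Username": "alice", "Enabled": True, "UserStatus": "CONFIRMED",
                "Attributes": [{"Name": "email", "Value": "alice@example.com"},
                               {"Name": "custom:role", "Value": "admin"}]}]},
    {"Users": [{"Username": "bob", "Enabled": False, "UserStatus": "CONFIRMED",
                "Attributes": [{"Name": "email", "Value": "bob@example.com"}]}]},
]
SAMPLE_GROUPS = {"alice": ["analysts"], "bob": ["analysts"]}

if __name__ == "__main__":
    users, attributes = cognito_to_udc_rows(SAMPLE_PAGES, SAMPLE_GROUPS)
    print(to_csv(("userid", "name"), users))
    print(to_csv(("userid", "type", "value"), attributes))
```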
