Skip to main content

Integration, Extension & APIs

Discussion board where members can learn more about Integration, Extensions and API’s for Qlik Sense.

Announcements
Welcome to Qlik Community! Check out our new navigation! FIND OUT MORE
cancel
Showing results for 
Search instead for 
Did you mean: 
MatiasA
Partner - Contributor
Partner - Contributor

UDC for Cognito and Qlik Sense

Right now in my company we're trying  to obtain, manage and assign licences to users in Qlik Sense, using AWS Cognito as the user source. For this, we're trying to obtain the user list from a user pool in AWS Cognito through the UDC (User Directory Connector). Has anyone done this or have an idea on how it can be achieved?

Labels (2)
1 Solution

Accepted Solutions
Levi_Turner
Employee
Employee

In searching through Amazon's documentation on Cognito (https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html), I am not seeing an available method which Qlik Sense Enterprise supports (i.e. LDAP* or ODBC). As such, I don't see a direct method.

That being said, let's take a step back. Some of this may be on your radar, so you can fast forward to the next steps below.

What is a user directory connector (UDC)?

A connection to a user identity store. Common examples of this are Windows Active Directory, LDAP servers, or sources accessible via an ODBC connection (i.e. SQL Server, or even Excel / CSV files).

What does a user directory connector do?

Synchronize users (and optionally attributes) into Qlik Sense Enterprise.

Why would someone use a user directory connector?

Well there are a number of reasons, some good, some bad. They can range from:

  • A desire to bring in attribute information (i.e. groups, metadata) about users to compose security rules to dynamically allocate entitlements (Good)
  •  A desire to manually allocate a user a license
    • Alternative: use License rules to dynamically allocate a license based on group / metadata membership
  • A desire to manually allocate a user a role
    • Alternative: use Security rules to dynamically allocate a user access

What if I do not have or cannot connect to my desired user identity store?

As an alternative, you can do a few things.

If you use an authentication provider that can provide session attributes, then pass session attributes to Qlik Sense Enterprise. Whilst these will not be persisted (aka they will not show up when you click on the user's record in the QMC), as long as the authentication source provides them you can use them in rules inside of Qlik Sense or Section Access (https://community.qlik.com/t5/Qlik-Design-Blog/User-Environment-What-Session-Attributes-in-Qlik-Sens...).

If session attributes are either not possible (for example if the authentication provider does not have the user metadata) or are undesirable (for example, you want a list of groups ahead of time to pre-populate the QMC for writing security rules), then you can build your own supported UDC. By that I mean you can:

With AWS Cognito, the user identity information looks to be exposed via APIs so it shouldn't too difficult to query and build a CSV for ingestion by Qlik Sense Enterprise.

* Active Directory is just a specific implementation of LDAP.

View solution in original post

1 Reply
Levi_Turner
Employee
Employee

In searching through Amazon's documentation on Cognito (https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html), I am not seeing an available method which Qlik Sense Enterprise supports (i.e. LDAP* or ODBC). As such, I don't see a direct method.

That being said, let's take a step back. Some of this may be on your radar, so you can fast forward to the next steps below.

What is a user directory connector (UDC)?

A connection to a user identity store. Common examples of this are Windows Active Directory, LDAP servers, or sources accessible via an ODBC connection (i.e. SQL Server, or even Excel / CSV files).

What does a user directory connector do?

Synchronize users (and optionally attributes) into Qlik Sense Enterprise.

Why would someone use a user directory connector?

Well there are a number of reasons, some good, some bad. They can range from:

  • A desire to bring in attribute information (i.e. groups, metadata) about users to compose security rules to dynamically allocate entitlements (Good)
  •  A desire to manually allocate a user a license
    • Alternative: use License rules to dynamically allocate a license based on group / metadata membership
  • A desire to manually allocate a user a role
    • Alternative: use Security rules to dynamically allocate a user access

What if I do not have or cannot connect to my desired user identity store?

As an alternative, you can do a few things.

If you use an authentication provider that can provide session attributes, then pass session attributes to Qlik Sense Enterprise. Whilst these will not be persisted (aka they will not show up when you click on the user's record in the QMC), as long as the authentication source provides them you can use them in rules inside of Qlik Sense or Section Access (https://community.qlik.com/t5/Qlik-Design-Blog/User-Environment-What-Session-Attributes-in-Qlik-Sens...).

If session attributes are either not possible (for example if the authentication provider does not have the user metadata) or are undesirable (for example, you want a list of groups ahead of time to pre-populate the QMC for writing security rules), then you can build your own supported UDC. By that I mean you can:

With AWS Cognito, the user identity information looks to be exposed via APIs so it shouldn't too difficult to query and build a CSV for ingestion by Qlik Sense Enterprise.

* Active Directory is just a specific implementation of LDAP.