All candidates can review their exam history and score reports by logging into Pearson VUE and utilizing the “My Account” menu.

Qlik is partnering with Credly to provide digital badges and certificates for our Qlik Product Certifications. 24-48 hours after you pass your exam, you will receive an email from Credly. Follow the instructions in the email to accept your digital badge and access your certificate.

If you experience issues while accepting your digital badge, please contact Credly support.

More information, see: Certifications and Qualificiations 

Please note that due to changes in how browsers handle third-party cookies, you may wish to instead leverage the new qlik-embed framework with OAuth2 for your embedding needs, rather than the guidance in this tutorial.

In Qlik Cloud Services (Qlik Sense Enterprise SaaS), it is possible to get the iFrame HTML code to embed a chart in a webpage by right-clicking that chart and choosing "embed chart".

However, just placing this code on a web page is not sufficient to handle the authentication part.

The information provided in this article provides an example of how this can be achieved. Further customization is likely necessary. For assistance, join our active community in the Integrations and Extensions forum or contact our Consulting Services for an engagement. 

Environments:

• Qlik Cloud Services April 2019 and later

Resolution:

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

Steps

1. Open the Qlik Tenant Management Console
2. Scroll to Integration Settings
3. Open Web
4. Click Create new 
5. Fill out the form:
   • Name: The name of the integration 
   • Add an origin: The allowed origins for the requests (such as the webserver hosting the integrations)
6. Click Create to confirm
7. Open Content Security Policy in the Integrations Settings section 
8. Click Add
9. Fill out the form:
   • Name: The name of the integration
   • Origin: The allowed origins for the requests (such as the webserver hosting the integrations)
   • Directive: Choose frame-ancestors
10. Click Add to confirm
11. Copy the script provided in this example:
    
    To handle the authentication and be able to see the chart on an external web page, the parent site needs to do a redirection and let the user authenticate, below is a code example of how to do that.
    

    <!DOCTYPE html>
    <html lang="en">
    
    <head>
      <meta charset="UTF-8">
      <meta name="viewport" content="width=device-width, initial-scale=1.0">
      <meta http-equiv="X-UA-Compatible" content="ie=edge">
      <title>Document</title>
      <script type="text/javascript">
        const webIntegrationId = "g-yrbnOz9wV5-YnIqYLZMgfAxf_iKg30";
        function login() {
          function isLoggedIn() {
            return fetch("https://yourtenant.eu.qlikcloud.com/api/v1/users/me", {
              method: 'GET',
              mode: 'cors',
              credentials: 'include',
              headers: {
                'Content-Type': 'application/json',
                'qlik-web-integration-id': webIntegrationId,
              },
            }).then(response => {
              return response.status === 200;
            });
          }
          return isLoggedIn().then(loggedIn => {
            if (!loggedIn) {
              // check login
                window.top.location.href = "https://yourtenant.eu.qlikcloud.com/login?qlik-web-integration-id=" + webIntegrationId + "&returnto=" + top.location.href;
              throw new Error('not logged in');
            }
          });
        }
    	login()
      </script>
    </head>
    
    <body style="height:600px;">
    	<iframe
        src="https://yourtenant.eu.qlikcloud.com/single/?appid=9539b869-1c84-4e6d-9129-4c5b031ca88a&obj=WJhPv&opt=ctxmenu,currsel"
        style="border:none;width:100%;height:100%;"></iframe>
    </body>
    
    </html>​

    
    
    
12. Paste it into a new file using Visual Studio Code and save it with the HTML extension
13. Replace all mentions of yourtenant in the script with the name of your Qlik Sense SaaS tenant
14. Copy the Web Integration ID from the Web Integration menu and paste it into the script at:
    

    const webIntegrationID = "IDGOESHERE";​

15. Add the link to the Qlik App Object you want to embed in the <iframe> section:
    

    <iframe>src="linktotheobjecthere"></iframe>

16.  Save the file and place it where your web server can read it. 

After upgrading to v8-R2025-01/02, a Talend Job containing both tRest and tRestClient components encounters an error as shown below:

- javax.ws.rs.client cannot be resolved to a type
- The type javax.ws.rs.client.ClientBuilder cannot be resolved. It is indirectly referenced from required type org.glassfish.jersey.client.JerseyClientBuilder
- javax.ws.rs.client.WebTarget cannot be resolved to a type
- javax.ws.rs.core.Response cannot be resolved to a type
-  javax.ws.rs.client.Invocation cannot be resolved to a type
-  javax.ws.rs.WebApplicationException cannot be resolved to a type

Cause

When tRest and tRestClient components are used together within a Job, a conflict arises in the implementation of the Rest API.

Resolution 

To resolve this issue, a temporary workaround as shown below is to use tLibraryLoad to load external jar files in the beginning of Job:
tPrejob --onComponentOK-> tLibrary (javax.ws.rs-api-2.1.jar) --onComponentOK-> tLibrary (javax.annotation-api-1.3.2.jar)

Note: If the aforementioned workaround proves effective, kindly remember to remove the tLibraryLoad components after installing the Studio v8-R2025-03 patch.

Alternatively, apply the Studio v8-R2025-03 patch.

Related Content

Qlik Talend Data Integration: tRest post failed because of size limitation (Transfer-Encoding: chunked) from API

Internal Investigation ID(s) 

QTDI-1208

QTDI-1300

Environment

• Talend Data Integration 8.0.1

Qlik Cloud is a modern analytics and data platform built on the same software engine as QlikView and Qlik Sense Client-Managed and adds significant value to empower everyone in an organization to make better decisions daily. Qlik Cloud allows you to use one common platform for all users – executives, decision-makers, and analysts.

Navigation:

• Recommended Resources
• Migrating from Client-Managed Qlik Sense
• Migrating fromQlikView

Migrating to Qlik Cloud can help your organization:

• Expand your analytics possibilities.
• Reduce infrastructure costs and the total cost of ownership of your Qlik solutions.
• Automate entitlement management and upgrades.

Recommended Resources

Q&A with Qlik: Qlik Sense Migration to Qlik Cloud 
Articles relevant to migration and new Qlik Cloud users

Migrating from Client-Managed Qlik Sense     

This site provides you the tools to monitor, manage, and execute a migration from Client-Managed Qlik Sense to Qlik Cloud.

Index and home
Planning your migration
Setting up the Qlik Cloud migration tools
Create and configure a cloud tenant

Migrating from QlikView

This site provides you the tools to begin your journey to move from QlikView to Qlik Sense and Qlik Cloud.

• Index and home
• Comparing QlikView and Qlik Sense
• Comparing QlikView and Qlik Cloud for administrators
• Concepts and best practices 
• Migrating QlikView to Qlik Cloud

This Techspert Talks session covers:

- What to plan for
- Migration Pathways
- Cloud Best Practices

Chapters:

• 01:20 - Cloud Tenant Locations
• 01:47 - Qlik Cloud Architecture
• 03:08 - Planning the migration
• 03:50 - Migration Journey
• 05:13 - Licensing Guardrails
• 06:39 - Migrating users, groups, and permissions
• 11:11 - Migrating apps
• 14:44 - Migrating the data connections
• 21:07 - Completed Migration
• 21:35 - 5 Key Take Aways
• 22:48 - Q&A: How to license sync with hybrid?
• 23:59 - Q&A: Best practices for 1 app migration?
• 24:47 - Q&A: What's included with license cost?
• 26:03 - Q&A: How to customize the UI?
• 26:45 - Q&A: How safe is the data in Cloud?
• 27:37 - Q&A: What are common stumbling blocks?
• 28:41 - Q&A: How are reload monitored?
• 29:28 - Q&A: What is the data size cap?
• 30:15 - Q&A: What cannot be migrated?

Resources:

• Qlik Cloud Best Practices
• Troubleshooting Qlik Data Gateway Direct Access
• Qlik Cloud Migration Center
• Qlik Professional Services
• Space-aware data source syntax examples
• Trust and Security at Qlik
• The Reload Analyzer for Qlik Cloud Customers
• Qlik Licensing Service Reference Guide
• Migrating NPrinting to Qlik Cloud Reporting

A talend Job is experiencing a tGoogleDriveGet permission issue during credential file initialization in Talend Administration Center Application. It works well in side of  Talend Studio.

Here is the error log below:

[ERROR] 15:55:50 org.talend.components.google.drive.runtime.GoogleDriveGetRuntime- D:\GDCredential\InterflourGDrive
[FATAL] 15:55:50 id_distributor_sellout.copy_of_getfile_v3__manohara_0_3.Copy_of_GetFile_V3__Manohara- tGoogleDriveGet_6 UNEXPECTED_EXCEPTION
org.talend.components.api.exception.ComponentException: UNEXPECTED_EXCEPTION
    at org.talend.components.google.drive.runtime.GoogleDriveGetRuntime.getFile(GoogleDriveGetRuntime.java:87) ~[components-googledrive-runtime-0.37.42.jar:?]
    at org.talend.components.google.drive.runtime.GoogleDriveGetRuntime.runAtDriver(GoogleDriveGetRuntime.java:60) ~[components-googledrive-runtime-0.37.42.jar:?]
    at id_distributor_sellout.copy_of_getfile_v3__manohara_0_3.Copy_of_GetFile_V3__Manohara.tGoogleDriveGet_6Process(Copy_of_GetFile_V3__Manohara.java:673) [copy_of_getfile_v3__manohara_0_3.jar:?]
    at id_distributor_sellout.copy_of_getfile_v3__manohara_0_3.Copy_of_GetFile_V3__Manohara$5.run(Copy_of_GetFile_V3__Manohara.java:2429) [copy_of_getfile_v3__manohara_0_3.jar:?]
Caused by: java.nio.file.AccessDeniedException: D:\Simon_Folder\GDCredential\InterflourGDrive
    at sun.nio.fs.WindowsAclFileAttributeView.getFileSecurity(WindowsAclFileAttributeView.java:89) ~[?:?]
    at sun.nio.fs.WindowsAclFileAttributeView.getOwner(WindowsAclFileAttributeView.java:122) ~[?:?]
    at sun.nio.fs.FileOwnerAttributeViewImpl.getOwner(FileOwnerAttributeViewImpl.java:91) ~[?:?]
    at com.google.api.client.util.store.FileDataStoreFactory.setPermissionsToOwnerOnlyWindows(FileDataStoreFactory.java:160) ~[google-http-client-1.38.0.jar:1.38.0]
    at com.google.api.client.util.store.FileDataStoreFactory.<init>(FileDataStoreFactory.java:80) ~[google-http-client-1.38.0.jar:1.38.0]
    at org.talend.components.google.drive.runtime.client.GoogleDriveCredentialWithInstalledApplication$Builder.<init>(GoogleDriveCredentialWithInstalledApplication.java:91) ~[components-googledrive-runtime-0.37.42.jar:?]
    at org.talend.components.google.drive.runtime.client.GoogleDriveCredentialWithInstalledApplication$BuilderWithIdAndSecret.<init>(GoogleDriveCredentialWithInstalledApplication.java:128) ~[components-googledrive-runtime-0.37.42.jar:?]
    at org.talend.components.google.drive.runtime.client.GoogleDriveCredentialWithInstalledApplication.builderWithIdAndSecret(GoogleDriveCredentialWithInstalledApplication.java:42) ~[components-googledrive-runtime-0.37.42.jar:?]
    at org.talend.components.google.drive.runtime.GoogleDriveRuntime.getCredential(GoogleDriveRuntime.java:164) ~[components-googledrive-runtime-0.37.42.jar:?]
    at org.talend.components.google.drive.runtime.GoogleDriveRuntime.getDriveService(GoogleDriveRuntime.java:178) ~[components-googledrive-runtime-0.37.42.jar:?]
    at org.talend.components.google.drive.runtime.GoogleDriveRuntime.getDriveUtils(GoogleDriveRuntime.java:186) ~[components-googledrive-runtime-0.37.42.jar:?]
    at org.talend.components.google.drive.runtime.GoogleDriveGetRuntime.getFile(GoogleDriveGetRuntime.java:66) ~[components-googledrive-runtime-0.37.42.jar:?]
    ... 3 more

Resolution

Ensure that the credential file owner matches the user who are running Jobserver to prevent permission access exceptions.

Please use the following command to set owner in Windows

icacls D:\GDCredential /setowner "SYSTEM" /t /l

Cause

The Error logs indicates that when tGoogleDriveGet component initializes the credential file, the new API design will verify the owner and modify ACL permissions. Since the credential file was configured using a non-Jobserver-running user, a permission exception occurs.  

com.google.api.client.util.store.FileDataStoreFactory.setPermissionsToOwnerOnlyWindows  
FileOwnerAttributeViewImpl.getOwner  

Environment

• Talend Data Integration 
• Talend Studio 

Qlik Answers is Qlik's personalized AI assistant that generates on-point answers from your own trusted business content. See this article to learn how to get started with Qlik Answers

This connector unlocks new powerful use cases like indexing new data ad-hoc and taking your action oriented automations to the next level by including unstructured insights. This article explains how the Qlik Answers connector in Qlik Application Automation can be used.

Article contents

• Authentication
• Use cases
• 1. Re-indexing a knowledge base
• 2. Ask questions
• Notes
• Related Content

Authentication

This connector does not require additional configuration to authenticate, it will automatically connect to the automation owner's Qlik account. Whenever blocks of this connector are executed, they will use that account.

Use cases

For this connector's first release, we will introduce blocks that can re-index knowledge bases and ask questions to an assistant. We will deliver more blocks in future releases, do not hesitate to request new blocks through Ideation.

1. Re-indexing a knowledge base

This use case focuses on ad-hoc updates to the knowledge base. The creation and initial configuration of a knowledge base should happen through the Qlik Answers UI as described here:

Once your knowledge base is configured and you've set up a data connection to a cloud storage location, you can then use Qlik Application Automation to add specific files to the Cloud Storage location and trigger a re-indexing. This could be useful in scenarios when you only want to index specific records that might depend on a context.

For this use case, you can use the blocks Add Data Source To A Knowledge Base and Sync Knowledge Base Data Source. The below example will fetch incidents from ServiceNow, store them in a Dropbox folder and then add the Dropbox folder as a data source to a Knowledge Base in Qlik Answers. After this, the data source will be synced to the knowledge base index.

2. Ask questions

By using the blocks Create Thread and Execute Synchronous Prompt, you can ask questions from an assistant to enrich other messages that are sent through automations with unstructured insights. In the below example, these blocks are added to the existing "Notify your team on Microsoft Teams based on a measure" template that can be found in the template picker:

Notes

Don't ask a question immediately after indexing. Asking a question should be done after the knowledge base has completed indexing successfully.

Related Content

• Introducing Qlik Answers
• Qlik.com product page for Qlik Answers

Environment

• Qlik Cloud Analytics
• Qlik Application Automation
• Qlik Answers

The information in this article is provided as-is and will be used at your discretion. Depending on the tool(s) used, customization(s), and/or other factors, ongoing support on the solution below may not be provided by Qlik Support.

With a Unified license (formerly called Dual Use License) the legacy QlikView license is complemented with a Qlik Sense license that can be applied to the QlikView server as it includes QlikView entitlement license attributes. Such license needs to be activated with the Signed License Key (SLK). When a customer enters an Analytics Modernization Program (AMP, formerly known as Dual Use program), QlikView CALs (e.g. Named User CALs, Document CALS, Session CALs and Usage CALs) are converted into Professional User, Analyzer User,  and Analyzer Capacity User allocations based on the Analytics Modernization Program conversion ratios.

Here are two scenarios:

I. If a customer transitions to AMP with on-premise (client-managed) Qlik software (e.g. converts to the perpetual estate or convert to subscription Qlik Sense Enterprise on Windows), a Unified License containing the converted quantity of Professional Users, Analyzer Users and Analyzer Capacity would be delivered. This license contains a customized Qlik Sense Enterprise Signed License Key (SLK) which can also be deployed on QlikView Server and/or QlikView Publisher. If a user is assigned a Professional or Analyzer user license, this assignment information is synchronized to all Qlik Sense and QlikView deployments activated using this Unified License key. As such one user just needs one license to access the entire Qlik software platform (regardless if it is Qlik Sense or QlikView).

In this scenario, as long as the QlikView Server and Qlik Sense edition use the same Identity Provider (IdP) the user can access apps on both environments consuming only one user license allocation.

If the user license is reallocated in any of the systems to a different user, the same will occur across both QlikView and Qlik Sense environments.

II. If a customer transitions to AMP with Qlik Sense Enterprise SaaS add-on, a Qlik Sense Enterprise SaaS tenant may use a Unified License  for the on-premise deployment. The customer is able to upload QlikView document prepared by the on-premise QlikView software directly into Qlik Sense Enterprise SaaS for distribution.

A QlikView Server or a Qlik Publisher software can be activated in two ways:

1) Using a legacy method with 16-digit QlikView license key and the corresponding control number

2) Using a modern Unified License with Signed License Key containing needed QlikView Server and Publisher Service attribute(s). In this latter scenario, user license assignment (Professional/Analyzer) and analyzer capacity would be synchronized with other deployments using the same Signed License Key as it is done in the Unified License model

If the customer opts to remain in Perpetual licensing, the existing QlikView license model can be retained. Otherwise, if the customer opts for conversion into Subscription licensing model, a set of QlikView subscription license attributes mirroring the existing QlikView perpetual license key setup would be delivered such that the customer switch to the subscription QlikView keys without the need for an immediate migration project towards using Unified licensing.

Note: Please note that Qlik is no longer starting clients on the Perpetual license model. See End of Perpetual License Sales 

Environment:

• QlikView 
• Qlik Cloud 
• Qlik Sense Enterprise on Windows 
   

Related Content:

• How to Apply an unified Signed License Key for QlikView and Qlik Sense
• Qlik Multi-Cloud Frequently Asked Questions (FAQ)

This article provides step-by-step instructions for implementing Azure AD as an identify provider for Qlik Cloud. We cover configuring an App registration in Azure AD and configuring group support using MS Graph permissions.

It guides the reader through adding the necessary application configuration in Azure AD and Qlik Sense Enterprise SaaS identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their Azure AD credentials.

Content:

• Prerequisites
• Helpful vocabulary
• Considerations when using Azure AD with Qlik Sense Enterprise SaaS
• Configure Azure AD
• Create the app registration
• Create the client secret
• Add claims to the token configuration
• Add group claim
• Collect Azure AD configuration information
• Configure Qlik Sense Enterprise SaaS IdP
• Recap
• Addendum
• Related Content (VIDEO)

Prerequisites

• An Microsoft Azure account
• A Microsoft Azure Active Directory instance
• A Qlik Sense Enterprise SaaS tenant
• The BYOIDP feature in your Qlik license is set to YES. Contact customer support to find out if you are entitled to bring your own identity provider to your tenant.

Helpful vocabulary

Throughout this tutorial, some words will be used interchangeably.

• Qlik Sense Enterprise SaaS: Qlik Sense hosted in Qlik’s public cloud
• Microsoft Azure Active Directory: Azure AD
• Tenant: Qlik Sense Enterprise SaaS tenant or instance
• Instance: Microsoft Azure AD
• OIDC: Open Id Connect
• IdP: Identity Provider

Considerations when using Azure AD with Qlik Sense Enterprise SaaS

• Qlik Sense Enterprise SaaS allows for customers to bring their own identity provider to provide authentication to the tenant using the Open ID Connect (OIDC) specification (https://openid.net/connect/)
• Given that OIDC is a specification and not a standard, vendors (e.g. Microsoft) may implement the capability in ways that are outside of the core specification. In this case, Microsoft Azure AD OIDC configurations do not send standard OIDC claims like email_verified. Using the Azure AD configuration in Qlik Sense Enterprise SaaS includes an advanced option to set email_verified to true for all users that log into the tenant.
• The Azure AD configuration in Qlik Sense Enterprise SaaS includes special logic for contacting Microsoft Graph API to obtain friendly group names. Whether those groups originate from an on-premises instance of Active Directory and sync to Azure AD through Azure AD Connect or from creation within Azure AD, the friendly group name will be returned from the Graph API and added to Qlik Sense Enterprise SaaS.

   

Configure Azure AD

Create the app registration

1. Log into Microsoft Azure by going to https://portal.azure.com.
2. Click on the Azure Active Directory icon in the browser Or search for "Azure Active Directory" in the search bar on the top. The overview page for the active directory will appear.
   
   
   
   
3. Click the App registrations item in the menu to the left.
   
   
   
   
4. Click the New registration button at the top of the detail window. The application registration page appears.
   
   
   
   
5. Add a name in the Name section to identify the application. In this example, the name of the hostname of the tenant is entered along with the word OIDC.
   
   
   
   
   
   
6. The next section contains radio buttons for selecting the Supported account types. In this example, the default – Accounts in this organizational directory only – is selected.
   
   
   
   
7. The last section is for entering the redirect URI. From the dropdown list on the left select “web” and then enter the callback URL from the tenant. Enter the URI https://<tenant hostname>/login/callback.
   
   
   

   The tenant hostname required in this context is the original hostname provided to the Qlik Enterprise SaaS tenant.

   
   
   Using the Alias hostname will cause the IdP handshake to fail.
8. Complete the registration by clicking the Register button at the bottom of the page.
   
   
   
   
9. Click on the Authentication menu item on the left side of the screen.
   
   
   
   
10. On the middle of the page, the reference to the callback URI appears. There is no additional configuration required on this page.
    
    

Create the client secret

1. Click on the Certificates and secrets menu item on the left side of the screen.
   
   
   
   
2. In the center of the Certificates and secrets page, there is a section labeled Client secrets with a button labeled New client secret. Click the button.
   
   
   
   
3. In the dialog that appears, enter a description for the client secret and select an expiration time. Click the Add button after entering the information.
   
   
   
   
4. Once a client secret is added, it will appear in the Client secrets section of the page.
   

   Copy the "value of the client secret" and paste it somewhere safe.

   After saving the configuration the value will become hidden and unavailable.
   
   

Add claims to the token configuration

1. Click on the Token configuration menu item on the left side of the screen.
   
   
   
   
2. The Optional claims window appears with two buttons. One for adding optional claims, and another for adding group claims. Click on the Add optional claim button.
   
   
   
   
3. For optional claims, select the ID token type, and then select the claims to include in the token that will be sent to the Qlik Sense Enterprise SaaS tenant. In this example, ctry, email, tenant_ctry, upn, and verified_primary_email are checked. None of these optional claims are required for the tenant identity provider to work properly, however, they are used later on in this tutorial.
   
   
   
   
4. Some optional claims may require adding OpenId Connect scopes from Microsoft Graph to the application configuration. Click the check mark to enable and click Add.
   
   
   
   
5.  The claims will appear in the window.
   
   

Add group claim

1. Click on the API permissions menu item on the left side of the screen.
   
   
   
   
2. Observe the configured permissions set during adding optional claims.
   
   
   
   
3. Click the Add a permission button and select the Microsoft Graph option in the Request API permissions box that appears. Click on the Microsoft Graph banner.
   
   
   
   
4. Click on Delegated permissions. The Select permission search and the OpenId permissions list appears.
   
   
   
   
   

   In the OpenID permissions section, check email, openid, and profile. In the Users section, check user.read.

5. In the Select permissions search, enter the word group. Expand the GroupMember option and select GroupMember.Read.All. This will grant users logging into Qlik Sense Enteprise SaaS through Azure AD to read the group memberships they are assigned.
   
   
   
   
6. After making the selection, click the Add permissions button.
   
   
   
   
7. The added permissions will appear in the list. However, the GroupMember.Read.All permission requires admin consent to work with the app registration. Click the Grant button and accept the message that appears.
   
   
   
   

Failing to grant consent to GroupMember.Read.All may result in errors authenticating to Qlik using Azure AD. Make sure to complete this step before moving on.

Collect Azure AD configuration information

1. Click on the Overview menu item to return to the main App registration screen for the new app. Copy the Application (client) ID unique identifier. This value is needed for the tenant’s idp configuration.
   
   
   
   
2. Click on the Endpoints button in the horizontal menu of the overview.
   
   
   
   
3. Copy the OpenID Connect metadata document endpoint URI. This is needed for the tenant’s IdP configuration.
   
   

Configure Qlik Sense Enterprise SaaS IdP

1. With the configuration complete and required information in hand, open the tenant’s management console and click on the Identity provider menu item on the left side of the screen.
   
   
   
   
2. Click the Create new button on the upper right side of the main panel.
   
   
   
   
3. Select OIDC from the Type drop-down menu item, and select  Microsoft Entra ID (Azure AD) from the Provider drop-down menu item.
   
   
   
   
4. Scroll down to the Application credentials section of the configuration panel and enter the following information:
   1. ADFS discovery URL: This is the endpoint URI copied from Azure AD.
   2. Client ID: This is the application (client) id copied from Azure AD.
   3. Client secret: This is the value copy and pasted to a safe location from the Certificates & secrets section from Azure AD.
   4. The Realm is an optional value used if you want to enter what is commonly referred to as the Active Directory domain name.
      
      
      
      
5. Scroll down to the Claims mapping section of the configuration panel. There are five textboxes to confirm or alter.
   
   
   
   
   1. The sub field is the subject of the token sent from Azure AD. This is normally a unique identifier and will represent the UserID of the user in the tenant. In this example, the value “sub” is left and appid is removed. To use a different claim from the token, replace the default value with the name of the desired attribute value.
      
      
      
      
   2. The name field is the “friendly” name of the user to be displayed in the tenant. For Azure AD, change the attribute name from the default value to “name”.
      
      
      
      
   3. In this example, the groups, email, and client_id attributes are configured properly, therefore, they do not need to be altered.
      
      
      

      In this example, I had to change the email claim to upn to obtain the user's email address from Azure AD. Your results may vary.

      
      
      
      
6. Scroll down to the Advanced options and expand the menu. Slide the Email verified override option ON to ensure Azure AD validation works. Scope does not have to be supplied.
   
   
   
   
7. The Post logout redirect URI is not required for Azure AD because upon logging out the user will be sent to the Azure log out page.
8. Click the Save button at the bottom of the configuration to save the configuration. A message will appear confirming intent to create the identity provider. Click the Save button again to start the validation process.
   
   
   
   
9. The validation procedure begins by redirecting the person configuring the IdP to the login page for the IdP.
   
   
   
   
10. After successful authentication, Azure AD will confirm that permission should be granted for this user to the tenant. Click the Accept button.
    
    
    
    
11. If the validation fails, the validation procedure will return a window like the following.
    
    
    
    
12. If the validation succeeds, the validation procedure will return a mapped claims window. If the validation states it cannot map the user's email address, it is most likely because the email_verified switch has not been turned on. Go ahead and confirm, move through the remaining steps, and update the configuration as per the previous step. Re-run the validation to map the email.
    
    
    
    
13. After confirming the information is correct, the account used to validate the IdP may be elevated to a TenantAdmin role. It is strongly recommended to do make sure the box is checked before clicking continue.
    
    
    
    
14. The next to last screen in the configuration will ask to activate the IdP. By activating the Azure AD IdP in the tenant, any other identity providers configured in the tenant will be disabled.
    
    
    
    
15. Success.
    
    
    
    
16. Please log out of the tenant and re-authenticate using the new identity provider connection. Once logged in, change the url in the address bar to point to https://<tenanthostname>/api/v1/diagnose-claims. This will return the JSON of the claims information Azure AD sent to the tenant. Here is a slightly redacted example.
    
    
    
    
17. Verify groups resolve properly by creating a space and adding members. You should see friendly group names to choose from.
    
    
    
    
    
    
    
    

Recap

While not hard, configuring Azure AD to work with Qlik Sense Enterprise SaaS is not trivial. Most of the legwork to make this authentication scheme work is on the Azure side. However, it's important to note that without making some small tweaks to the IdP configuration in Qlik Sense you may receive a failure or two during the validation process.

Addendum

For many of you, adding Azure AD means you potentially have a bunch of clean up you need to do to remove legacy groups. Unfortunately, there is no way to do this in the UI but there is an API endpoint for deleting groups. See Deleting guid group values from Qlik Sense Enterprise SaaS for a guide on how to delete groups from a Qlik Sense Enterprise SaaS tenant.

Related Content (VIDEO)

Qlik Cloud: Configure Azure Active Directory as an IdP

A user as developer role cannot log in to Talend Cloud and SSO was enabled for Talend Cloud in the environment. 

Resolution

• Adding the permission for this user from SSO end to use Talend cloud application.
• You can also add the user to a group that has access to the Talend Cloud application.

Cause

Based on the error below, it appears the user lacks the necessary permissions on the Single Sign-On (SSO) provider's end.

Error: Your Administrator has configured the application Talend Cloud to block the users. The signed in user is blocked and doen't have the access to the application

SSOPermissionMissing

Environment

Talend Cloud 

Qlik Web Connectors allows loading Excel files (xls, xlsx) hosted in online file storage services such as Box, Dropbox, Google Drive and OneDrive directly into QlikView and Qlik Sense without having to save the file to disk first.

Different methods need to be applied to fetch files depending on what edition of Qlik Sense is used. 

• With Qlik Sense SaaS Editions (Qlik Sense Enterprise Business and Qlik Sense Enterprise on Cloud Services), Qlik offers a number of built in connectors. See Built-in Qlik Web Connectors for a list of available connectors. 
• With Qlik Sense Enterprise on Windows, Qlik offers Standard and Premium web connectors for install. See Data sources included in Qlik Web Connectors. 

With Qlik Sense SaaS Editions:

Note that the in-built Web Connectors are available are:

• Google Drive
• Dropbox

Unavailable at the moment are:

• OneDrive
• Box
• Sharepoint getfile and download file

To connect to, for example an excel file, stored on Google Drive:

• Open a Qlik Sense App
• Navigate to Add data

• Choose Google Drive

• Click Authenticate and follow the Google Drive authentication steps
• Copy the authentication code and paste it into the provided text bar
• Click Verify

• You can now choose supported files.

More information: Managing data sources in spaces. 
You can add data files and data connections directly in shared and personal spaces. This enables data sources to be added outside of apps for use by other space members.

With Qlik Sense Enterprise on Windows:

We use the query GetRawFileAsBinary of the appropriate connector in Qlik Web Connectors.

Once the binary content is sucessfully loaded in Qlik Web Connectors web console, you can create a webfile connection in QlikView or Qlik Sense to load data from Qlik Web Connectors.

• Choose the connector (for this test we are using the Qlik Box Connector)
• Select the query ListFilesAndFolders to identify the ID of the Excel file you want to load
• Run the query with the Folder ID parameter left blank
• This returns all files and folders in the root folder of the Box account
• Copy the ID of the folder which the Excel file is located in and paste it into the Folder ID parameter of the ListFilesAndFolders query
• Run the query again
• This will list all the files in the subfolder
• Copy the ID of the file we want to load
• Switch to the query GetRawFileAsBinary, choose Parameters and fill in the File ID
• Click Save Inputs & Run Table
• In our example, no Data Preview is shown. 
• Obtain the URL to use by switching to the QlikView tab and copying the connection string 

In QlikView:

• Open QlikView and the Script Editor
• Select Web Files...
• Paste the link previously obtained into the Internet File text box
• Click Next >
• Proceed to load in the table

Related Content:

SaaS Topics:
Managing data sources in spaces.
Built-in Qlik Web Connectors
STT - Reloading Your Data in Qlik Sense Business

WebConnectors (not SaaS):
Data sources included in Qlik Web Connectors
Google Drive and Spreadsheets
OneDrive
Dropbox
Qlik Web Connectors authentication fails with error "Could not establish trust relationship for the SSL/TLS secure channel"

Recent versions of Qlik connectors have an out-of-the-box value of 255 for their DefaultStringColumnLength setting. 

This means that, by default, any strings containing more than 255 characters is cut when imported from the database.

To import longer strings, specify a higher value for DefaultStringColumnLength.

This can be done in the connection definition and the Advanced Properties, as shown in the example below. 

The maximum value that can be set is 2,147,483,647.

Environment

• Qlik Connectors
• Built-in Connectors Qlik Sense Enterprise on Windows November 2024 and later

A scheduled Qlik Replicate task does not show up in the Executed Jobs list.

This is working as intended. The Executed Jobs tab will only show executed jobs that were scheduled to run once only. In other words, jobs scheduled to run periodically (e.g. Daily, Weekly, Monthly) will not be shown.

See Scheduling jobs.

Environment

Qlik Replicate 

Advanced options is not visible when editing a sheet. This can happen on a specific app even if the option was present before.

Resolution

You can activate the "Show Sheet Header" option in the app settings to make the "Advanced option" button visible again.

1. Open the App settings.
   
2. Activate "Show Sheet Header".
   

Cause 

For some reasons, the "Show Sheet Header" could be deactivated in an app. "Advanced Options" is invisible when this happens, because it is located in the sheet header that is removed. The app looks like this in editing mode:

Environment

• Qlik Cloud

For better performance of Talend Runtime Server, you could uninstall Kar files to free up storage space. 

This article briefly introuduces How to uninstall kar files from Talend Runtime Server

Prerequiste

For command 

kar:uninstall

It is a command used to uninstall a KAR file (identified by a name).

By uninstall, it means that:

• The features previously installed by the KAR file are uninstalled
• Delete (from the  KARAF_DATA/system  repository) all files previously "populated" by the KAR file

For instance, to uninstall the previously installed my-kar-1.0-SNAPSHOT.kar KAR file:

karaf@root()> kar:uninstall my-kar-1.0-SNAPSHOT

Talend Runtime Server

Please run the following karaf commands to clean Kar files from your Repository

#stop running artifact task 
bundle:list |grep -i <artifact-name>
bundle:uninstall <artifact-name | bundle-id>
#clean task kar cache
kar:list |grep -i <artifact-name>
kar:uninstall <artifact-name>  

Related Content

For more information about KAR file, please refer to Apache Content

kar:* commands to manage KAR archives.

Environment

Talend ESB 

There may be several different symptoms associated with a need to regenerate and redistribute certificates;

• After installing, renewing, or changing a third-party certificate for use with Qlik Sense the Qlik Management Console (QMC) and Hub may become inaccessible leading to Page Cannot Be Displayed error.
  
  

  This article does not cover the use of a 3rd party certificate for end user Hub access, but the certificates used for communication between the Sense services. For recommendation on how to use a 3rd party certificate for end user access, see How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate

• In the Qlik Sense Proxy trace logs, the last line may be indicating waiting for certificates to be installed or similar. In addition, even though Proxy service remains running, port 443 (by default) will fail to bind and start listening for requests.
  
  
• Qlik Sense may sometimes fail to create the correct certificates during installation if there are old/unused certificates left from a previous installation.  Also, certs can become corrupted, or newly installed certificates configured to be used may not be compatible. See Qlik Sense: Compatibility information for third-party SSL certificates and Requirements for configuring Qlik Sense with SSL.

Do not perform the below steps in a production environment, without first doing a backup of the existing certificates. Certificates are being used to encrypt information in the QRS database, such as connection strings. By recreating certificates, you may lose information in your current setup.
By removing the old/bad certificates, and restarting the Qlik Sense Repository Service (QRS), the correct certificates can be recreated by the service. If trying to remove certs, only the removal steps need to be followed.

The instructions are to be carried out on the Qlik Sense Central Node. In the case of a multi-node deployment, verify which node is the central node before continuing.

1. Open Qlik Sense Management Console (QMC)
2. Navigate to Nodes section
3. Add the column Central Node column through Column selector

If the current central node role is held by the failover, you need to fail the role back to the original central node by shutting down all the nodes (this implies downtime). Then start the original central node, reissue the certificates on it with this article, and when the central node is working apply the article Rim node not communicating with central node - certificates not installed correctly on each Rim node.

Step by Step instructions:

Test all data connections after the certificates are regenerated.  It is likely that data connections with passwords will fail.  This is because passwords are saved in the repository database with encryption.  That encryption is based on a hash from the certificates.  When the Qlik Sense signed certificates are regenerated, this hash is no longer valid, and the saved data connection passwords can not be decrypted.  The customer must re-enter the passwords in each data connection and save.  See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"

1. Log on to the Central node using the Qlik Service Account and navigate to the 'Services' and to the Qlik Services.
   
   
2. Stop the QRS (this will also stop the other services; however, make sure the postgresql-64-12 or Qlik Sense Repository Database is still running).
   
   
    
3. Open Microsoft Management Console (MMC). 
   
   Important: Execute the MMC as the account configured to run the services (using Run as a different user [Ctrl-Shift & Right click on the exe to see option]... )
   
   
4. Add the following snap-ins for Certificates:
   
   
   • My user account
   • Local Computer account
     
     
5. In Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates, delete the Self-Signed certificates created by Qlik Sense, issued by HOSTNAME.domain-CA*
   
   *Where HOSTNAME is the machine name of the server in question and domain is the domain of the server.
   So for example, QlikServer1 is the computer hostname and the domain is domain.local, the certificate will be issued by QlikServer1.domain.local-CA
    
6. In Certificates (Local Computer) > Personal > Certificates, delete the Self-Signed certificate issued by HOSTNAME.domain-CA
   
   
7. In Certificates > Current User > Personal > Certificates, delete the Self-Signed certificate named QlikClient
    
8. Go to the folder C:\ProgramData\Qlik\Sense\Repository, delete the folder 'Exported Certificates'
   
   
9. Run this command from an elevated (admin) command prompt to create new certificates:
   
   "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname 
   
   Note: If the script doesn't get to "Bootstrap mode has terminated. Press ENTER to exit.." and gets stuck at "[INFO] Entering main startup phase.." start the "Qlik Sense dispatcher service" and it will get to the end)
   
   
10. Verify the new certificates have been created by REFRESHING the screen for each certificate location, and then start the rest of the Qlik Sense services. In addition, verify that duplicate or multiple certificates were not created (rarely occurs). If so, the article will need to be followed again by starting with the deletion of the certificates.
    

There is no need to perform a full reinstall to propagate new certificates. Certificates are created by the QRS automatically if not found during the service startup process.

For Qlik Sense multi-cloud deployment (September 2020 or later):

The steps in this section must be performed after recreating certificates as described above.

1. Start Qlik Sense Repository Database service on CENTRAL NODE, or PostgreSQL Server service if running a dedicated instance of PostgreSQL database server.
   
   
2. Using pgAdmin tool or any other database client, connect to SenseServices database. (IMPORTANT: the below query needs to be executed on the SenseServices DB)
   
   

3. Execute following query against SenseServices database:

   DROP TABLE IF EXISTS hybrid_deployment_service.mt_doc_asymmetrickeysencrypt CASCADE;

    

4. Navigate to Deployments page of Multi-cloud Setup Console (MSC).

5. Delete and re-add any existing deployments by following the steps mentioned in Distributing apps from Qlik Sense Enterprise on Windows to Qlik Sense Enterprise SaaS  and Distributing apps to Qlik Sense Enterprise on Kubernetes.

Node.js certificates

After the certificates have been recreated and then redistributed to all of the rim nodes, the node.js certificates stored locally on the central and all rim nodes also need to be recreated. Follow the below steps to perform this action:

1. Stop all Qlik Sense services
   
   
2. In Windows File Explorer, navigate to %ProgramData%\Qlik\Sense\Repository\Exported_certificates
   
   
3. Back up the Local certificates directory and then delete it
   
   
4. Restart the Qlik Sense services

Test all data connections after the certificates are rebuilt.  It is likely that data connections with passwords will fail.  This is because passwords are saved in the repository database with encryption.  That encryption is based on a hash from the certs.  When the Qlik Sense self-signed cert is rebuilt, this hash is no longer valid, and so the saved data connection passwords will fail.  The customer must re-enter the passwords in each data connection and save.  See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"

Self Signed Certificates:

Notice if using an official Signed Server Certificate from a trusted Certificate Authority

The certificate information will also be in the QMC, under Proxies, with the Certificate thumbprint listed. If trying to merely remove all aspects of certs, this will need to be removed as well.

1. Go to Proxies 
   
   
2. Select your Proxy and click Edit
   
   
3. In the right pane, select Security
   
   
4. Scroll down and locate "SSL browser certificate thumbprint" in the Security section to locate the thumprint info.

If the Central Node repository service hanging in the logs:

1. Open C:\ProgramData\Qlik\Sense\Log\Repository\Trace
   
   
2. Look for this Example "API service initialized with 1501 available methods".  This is Central Node. 
   
   
3. If you see this Example "API service initialized with 2 available methods". This is a Rim node. 
   
   
4. For Central Node you should see as an example ""API service initialized with 1501 available methods". 
   
   
5. Running this command "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname will resolved this issue.
   
   

If the above does not work, see Qlik Sense Enterprise Hub and Qlik Management Console (QMC) down - bootstrap fails with "Newly created client certificate not valid; root certificate can't sign new certificates"

Environment

• Replicate
• Table/Field level transformation

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

Field Transformation

On my Source  table from Oracle, I am using the source lookup function under Data Enrichment in order to retrieve the Oracle ROWID field value.  Not all fields are logged by oracle into the Redo Logs. In the case of ROWID we will use a source lookup function to query the source table and retrieve the field value, putting it  into the Add Column that we defined and called ROWID. This source lookup function is documented in the replicate user guide and the on-line help.

The general form of the function is as follows:

For this example in am doing the lookup into the Employees table:

NO_CACHING is important to ensure it keeps changing for each value and doesn’t re-use values
HR is the schema in oracle
EMPLOYEES is the table
ROWID is what I want returned
EMPLOYEE_ID=:1 is the predicate for the lookup 
$EMPLOYEE_ID is the value from the redo log that we are using in the predicate in place of :1

NOTE: If the source lookup needed more than one field in the key then: 
(Multiple variables would look like: 'EMPLOYEE_ID=:1 AND DEPARTMENT_ID=:2)
$EMPLOYEE_ID, $DEPARTMENT_ID (in this example we are using field values that the task has read from the redo log file.

NOTE: That the lookup may have a performance implication and will need to be tested to see if it meets all of your latency criteria. Please also note that the Oracle ROWID is not guaranteed to persist. Traditional Oracle ROWID's can change if a table is quiesced or rebuilt with dbms_redefinition.

This expression is created for the Add Column transformation ROWID as seen in the screen shot below.

Transformation Screen shot

NOTE: Unfortunately data enrichment function can not be tested on the screen, they must be saved and the task run for the transformation to be tested.

The screen shot below shows the target table with the ROWID field after the task has run.

Target Table with ROWID field

Related Content

Beginning with Qlik Sense Enterprise on Windows 2024, Qlik has extended CSRF protection to WebSockets. For reference, see the Release Notes.

In the case of mashups, extensions,and or other cross-site domain setups, the following two steps are necessary: 

1. Add additional response headers. These headers help protect against Cross-Site Forgery (CSRF) attacks.
2. Change the applicable code in your mashup or extension.

Content

• Add the Response Headers
• Adapt your Mashup or Extension code
• Workflow
• Verification

Add the Response Headers

The three additional response headers are:

Access-Control-Allow-Origin: https://localhost:8080
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: qlik-csrf-token

Localhost and port 8080 are examples. Replace them with the appropriate hostname. Defining the port is optional. 

If you have multiple origins, seperate them by comma.

Example:

For more information about adding response headers to the Qlik Sense Virtual proxy, see Creating a virtual proxy. Expand the Advanced section to access Additional response headers.

Adapt your Mashup or Extension code

In certain scenarios, the additional headers on the virtual proxy will not be enough and a code change is required. In these cases, you need to request the CSRF token and then send it forward when opening the session on the WebSocket. See Workflow for a visualisation of the process.

An example written in Enigma.js is available here:

• Authentication: Qlik Sense JSON Web Token (JWT) 
• Code Sample 

The information and example in this article are provided as-is and are not directly supported by Qlik Support. More assistance can be found on the Qlik Integration forum. Professional Services are available to help where needed.

Workflow

Workflow

Verification

To verify if the header information is correctly passed on, capture the web traffic in your browser's debug tool.

Environment

• Qlik Sense Enterprise on Windows November 2024 and later