Prerequisites
Applies to: Alation Cloud Service instances of Alation and customer-managed instances of Alation.
Core Connector: Core connectors are included with all Alation platform tiers (subject to each tier’s connector limits) and are fully supported by Alation.
Before you install and configure the Qlik Sense Connector, ensure that your environment meets the following prerequisites:
Firewall Configuration
Open the outbound TCP port 4747 to the Qlik Sense Engine Service (QES).
Authentication Requirements
You need the following certificates to configure Qlik Sense as a BI source in Alation:
client.pfx
root.cer
Refer to Export Certificates through the QMC to export the certificates to your local machine.
Section Access
The Qlik Sense OCF connector accesses the Qlik Sense engine using an internal Qlik user (INTERNAL\SA_ENGINE). If you have Qlik reports with Section Access applied to them, ensure that this internal Qlik user (INTERNAL\SA_ENGINE) is granted access in the Section Access load script.
Load Script Example:
SECTION ACCESS;
// The INTERNAL\SA_ENGINE row allows the Qlik Engine to access all data
LOAD * INLINE [
ACCESS, USERID, REDUCTION
ADMIN, DOMAIN\USER1,
USER, DOMAIN\USER2, 1
USER, DOMAIN\USER3, 2
ADMIN, INTERNAL\SA_ENGINE, *
];
SECTION APPLICATION;
LOAD * INLINE [
REDUCTION, Region, Sales
,North, 1000
1,South, 2000
2,East, 3000
];
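A pre-check for the Section Access requirement, as an added example (not Alation's or Qlik's code): it parses a load script's Section Access tables and reports whether INTERNAL\SA_ENGINE has a row with the ACCESS and REDUCTION values the sample uses. The script text is constructed from the sample, and the function names and the reliance on a field called REDUCTION are assumptions.

```python
import re
ENGINE_USER = r"INTERNAL\SA_ENGINE"  # internal user named on this page
# Constructed sample, modelled on the page's load script.
SAMPLE = r"""
SECTION ACCESS;
LOAD * INLINE [
ACCESS, USERID, REDUCTION
ADMIN, DOMAIN\USER1,
ADMIN, INTERNAL\SA_ENGINE, *
];
SECTION APPLICATION;
LOAD * INLINE [
REDUCTION, Region, Sales
1,South, 2000
];
"""

def section_access_rows(script):
    """Rows of every INLINE table in the Section Access part; None if there is none."""
    part = re.search(r"SECTION\s+ACCESS\s*;(.*?)(?:SECTION\s+APPLICATION\s*;|\Z)",
                     script, re.I | re.S)
    if part is None:
        return None
    rows = []
    for body in re.findall(r"INLINE\s*\[(.*?)\]", part.group(1), re.I | re.S):
        lines = [ln for ln in body.splitlines() if ln.strip()]
        if not lines:
            continue
        header = [h.strip().upper() for h in lines[0].split(",")]
        for ln in lines[1:]:
            cells = [c.strip() for c in ln.split(",")]
            cells += [""] * (len(header) - len(cells))  # pad short rows
            rows.append(dict(zip(header, cells)))
    return rows

def engine_user_findings(script):
    """Problems with the engine user's row, judged against the sample's values."""
    rows = section_access_rows(script)
    if rows is None:
        return []  # no Section Access in this script, nothing to grant
    engine = [r for r in rows if r.get("USERID", "").upper() == ENGINE_USER]
    if not engine:
        return [f"no Section Access row for {ENGINE_USER}"]
    findings = []
    for row in engine:
        for field, want in (("ACCESS", "ADMIN"), ("REDUCTION", "*")):
            if row.get(field, "").upper() != want:
                findings.append(f"{field} is {row.get(field)!r}; sample uses {want!r}")
    return findings
```

Text inside an INLINE table is loaded as data, so a trailing `//` comment on the engine user's row becomes part of the REDUCTION value and is reported as a mismatch.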
Qlik Sense Virtual Proxies (SAML)
Qlik Sense Enterprise environments commonly use virtual proxies to manage user authentication, including SAML-based single sign-on (SSO). While virtual proxies are fully supported for interactive user access, the Qlik Sense OCF connector does not authenticate using SAML.
Connector Authentication Model
The Qlik Sense OCF connector authenticates directly to Qlik Engine APIs using Qlik-generated certificates. This is the only supported authentication method for non-interactive access to the Qlik Engine and is a technical requirement of the Qlik Engine APIs.
SAML, OAuth, and Header Authentication mechanisms are not supported for Engine API access and cannot be used by the connector.
Supported and Unsupported Authentication Methods

| Authentication Method | Supported for Connector | Remarks |
|---|---|---|
| Certificate-based (Qlik Engine) | Yes | Required for engine API access |
| SAML via virtual proxy | No | Applies only to interactive user sessions |
| Header authentication (dynamic user directory) | No | Not used by connector |
| OAuth (Qlik Cloud – lineage only) | Yes | Used only for optional lineage enrichment |
Use Virtual Proxies
Virtual proxies may be enabled in the Qlik Sense environment when using the Qlik Sense OCF connector. However, the connector does not participate in virtual proxy authentication flows.
When a virtual proxy is configured:
The connector must still be able to connect directly to the Qlik Engine.
Certificate-based authentication must remain enabled.
The Qlik Engine must accept WebSocket connections required by the Engine APIs.
The connector URL does not require interactive login or SAML redirection.
Virtual proxy settings must not block or override certificate-based Engine API access.
Important
Even if your organization enforces SAML authentication for all user access via a virtual proxy, the Qlik Sense OCF connector remains a machine-to-machine integration and always uses certificate-based authentication.
Why SAML Is Not Supported
SAML authentication is designed for interactive user sessions. Qlik Engine APIs do not support SAML or OAuth for non-interactive, machine-to-machine access. As a result, certificate-based authentication is mandatory for connector operation.
This is a Qlik Engine limitation, not a configurable option within the Qlik Sense OCF connector.
Qlik Cloud Integration
Qlik Cloud Integration provides additional lineage information where it is available. You can choose not to use Qlik Cloud Integration, which results in reduced lineage information.
Install the Qlik Lineage connector (provided by Qlik Sense) on your Qlik Sense customer-managed instance. This connector integrates with Qlik Cloud for lineage generation. Follow the instructions below to install and configure the Qlik Lineage connector:
Before you install the connector, create a managed space under Analytics in Qlik Cloud to host the lineage data. See Manage spaces for more information.
Install the Qlik Lineage connector on your Qlik Sense instance. See Qlik Lineage Connector for more information.
Once the installation is complete, configure the connector to connect to Qlik Cloud and provide the name of the managed space created in step 1. See Configure Qlik Lineage Connector for more information.
Ensure that the System Name is set to your Qlik Sense on-prem instance name.
Create a rule to allow the connector to access Qlik Sense Enterprise for lineage extraction. See Qlik Sense application rules for more information.
Ensure you have added the streams or applications from which you want to extract lineage.
On the Qlik Lineage connector settings page, go to Scheduler and click the Play Now icon to extract lineage from Qlik Sense Enterprise and push it into Qlik Cloud.
Generate OAuth Credentials
Generate an OAuth client ID and client secret to connect to Qlik Cloud. See Steps to create an OAuth client to generate the credentials.
Ensure the following when creating the OAuth client:
Select Client Type as Web.
Select the checkboxes of the following Scopes:
user_default
apps:read
spaces.shared:read
spaces.managed:read
spaces.data:read
offline_access
users:read
Select the Allow Machine-to-Machine (M2M) checkbox.
After generating the OAuth credentials, save the client ID and client secret securely for future use.
Go to Spaces and select the managed space created earlier. Click Change Owner and assign the OAuth client as the owner of the space. See Managing permissions in managed spaces for more information.