Integrating and embedding
Many of Qlik’s systems integrators, OEMs, partners, and customers want to build solutions and portals for their internal and/or external customers that leverage Qlik Cloud Analytics or Qlik Cloud Data Integration technologies. Qlik allows a flexible set of deployment options to support this, based on the core concept of one Qlik Cloud tenant per external customer organization.
This could mean deploying a single tenant for an enterprise, or multiple tenants for Qlik partners who themselves provide embedding of Qlik technology to their end customers.
Qlik is currently designing ways for OEM partners to change the branding and customize certain styling elements to enable Qlik Cloud to look and feel like the OEM solution, without having to build unique user interfaces.
The initial release allows OEMs to use an API to set a custom logo, as well as remove the Qlik brand from several high-visibility areas across the product. This eliminates the need for many OEMs to recreate UI elements of Qlik Cloud to build their solution.
Irrespective of deployment size, Qlik provides APIs to support platform orchestration and embedding to meet your organization's needs. Qlik supports several approaches and techniques to support this, based on one or many Qlik Cloud tenants. Qlik Cloud is built on an API-first philosophy, so it is easy to implement and manage multiple tenants as part of a wider solution.
Qlik Cloud’s APIs allow provisioning, configuration, and hydration of Qlik Cloud tenants to serve automated deployment pipelines alongside your software and customer lifecycles.
Working with multiple Qlik Cloud tenants
Qlik Cloud is a shared platform with each customer having one or more tenants of their own. These tenants are not integrated with each other or a sub-tenant of a larger tenant. They are connected through the license as well as the integration the customer builds. This means the tenants can operate independently, and are secured with unique encryption keys ensuring end customers of the solution’s data in protected from other end customers.
Deployment of tenants and the content of tenants can be fully automated using the Qlik Cloud APIs.
Tenant creation and deletion
Tenants can be created using Qlik Cloud's REST APIs, or with our developer tooling (such as qlik-cli or the platform SDK). When using the CLI or API methods, oAuth credentials provided through My Qlik can be used to authenticate with Qlik Cloud. By connecting to the registration endpoint for your region (e.g. https://register.eu.qlikcloud.com/ ) you can create tenants, for example:
qlik tenant create --licenseKey "my-key” –json
Tenant deletion is not currently available through a public API however this is currently a roadmap item.
Tenant hydration
Hydration is the process of populating a new tenant with the spaces, applications and configuration needed to meet the needed use cases. It is possible to configure your tenant using APIs. This includes configuring the identity provider, spaces, connections, and apps. It is possible to configure most aspects of a tenant required to provide users a ready-to-consume tenant without any manual intervention.
Tenant administration
When administering many tenants, it is inefficient to switch between many management consoles for administrative tasks. Using Qlik’s APIs or the qlik-cli, it is possible to perform administrative tasks such as license and permissions management, as well as monitoring tasks such as viewing audit information and integrating these tasks into a multiple tenant workflow. Qlik’s monitoring applications are currently being updated to support multi-tenant environments.
Tenant administration features are designed to be used by the managing organization only. End-users should not be given direct access to admin roles or the management console as user license assignments will be visible for the whole license rather than just that tenant. If access to administrative features is to be provided to end customers, this should be implemented in the end solution with appropriate restrictions in place.
QlikWorld behind the curtain - how Qlik is able to create tenants on-demand for attendees
Qlik holds our annual conference, QlikWorld, each year. Thousands of customers and partners attend to learn more about Qlik product innovations and to get hands-on experience in our technical workshops.
In the years before Qlik Cloud, providing environments for QlikWorld attendees to learn about our products was an extremely resource- and time-intensive process. In just a few days, Qlik's Global Enablement team would set up hundreds of laptops with virtual machines for attendees to use. These would be loaded with VM images for all the workshops offered and would need to be reset after each session. This process meant we needed to schedule costly downtime between each session, and a team of people would need to be on hand the minute a session ended to have it ready for the next session.
However QlikWorld 2023 was very different thanks to our platform as a service investments in our APIs, along with connectors for tenant provisioning in Qlik Application Automation. When an attendee registered for a workshop, an automation would run, creating a tenant for them, configuring it, and pre-populating it with any required applications, data files, and other content used in the workshop. This would all happen in less than 15 seconds after the user had registered, with no manual intervention and the user receiving a link to the new tenant immediately in their inbox. Similar techniques were used for workshops where a shared tenant was used.
Qlik was able to save approximately 80% of the staffing costs and 25% of the time required compared to how this was done at the previous in-person QlikWorld. As an added bonus, attendees no longer lost access to their workshop environment the minute the session ended, allowing them to revisit the workshop environment later if desired.
Architecting a multiple-tenant solution
When working with multiple tenants, there are different architectures that can be used for the solution. The two main architectures are covered here.
Source-to-target architecture
In this model, data connections are set up in a source tenant and applications reloads all occur there. Applications are then distributed to the target tenants once reloaded. This provides the advantage of centralizing integration with data sources, scheduling and testing in one location. The main downside of this approach is that it increases the latency of application reloads so is not suitable for all use-cases.
Satellite architecture
In this model, data connections, reloads, and schedules are managed in the target tenants used by the end customers of the solution. The advantage of this approach is that it can provide much lower latency in terms of reloads and, in cases where the solution provides one tenant per customer, provides a physical separation of customer data. The disadvantage of this approach is that it increases the administrative load (although automation can minimize this).
Coordinated orchestration architecture
In this model, the orchestration tenant will connect to data sources via data gateway, which then fills S3 buckets with data processed from on-premise data sources. It then triggers the reloads of apps in the target tenants, which each reload their apps directly from the S3 buckets fed from the orchestration tenant.
Building a solution on the Qlik Cloud platform
Building a solution based on the Qlik Cloud platform may involve several techniques including:
Web solutions
Rendering visualizations from the Qlik Sense client on websites
Connect to the Qlik Associative Engine and create custom analytics
Create custom administration pages to, for example, trigger reloads
Embedding analytics
iFrames
Building a solution is an advance topic and the details are beyond the scope of this document. For more details on this, including an in-depth exploration of the alternatives with examples, see the Qlik Developer Portal.
Authentication approaches
API keys
An API key is a token representing a user in the Qlik Sense Enterprise tenant. Anyone may interact with the platform programmatically using the API key. The token contains the user context, respecting the access control privileges the user has in the tenant. API keys use cases include qlik-cli (command line interface), making requests through scripts, or a machine-to-machine backend solution(s).
When using OAuth clients generated via My Qlik (relevant in multiple tenant environments), API keys generated via these clients will run as a tenant administrator, known as a “bot user”.
Interactive login
Typically, use of an interactive identity provider (and therefore interactive login) is not recommended for embedding use cases. This is because it is difficult to ensure that the user is not prompted multiple times to log in – for example, once when they access the page containing the embedded content, and again when the embedded content starts to load.
However, if you wish to use this method to authenticate users in web apps, there are REST endpoints which help you to evaluate if the browser has an active Qlik Sense SaaS session. If no session exists, then use a redirect to the tenant's sign-in URL.
Web apps embedding Qlik Sense objects or data, also known as mashups in our client-managed offerings, require a web integration ID in the tenant's configuration. Web integration IDs are a security feature of Qlik Sense Enterprise SaaS for handling Cross-Origin Resource Sharing (CORS) of embedded Qlik Sense Enterprise SaaS content.
In addition, web apps with content embedded in them require a cross-site request forgery (CSRF) token supplied in the URI referencing Qlik Sense Enterprise SaaS APIs and the Qlik Associative Engine.
OAuth 2.0
OAuth is a standard security protocol for authorization and delegation. It allows third party applications to access API resources without disclosing the end-user credentials.
The OAuth client can obtain an authorization code and exchange it with an access token that can be used to access Qlik Sense SaaS APIs. Qlik Sense SaaS supports 2 Authorization grant types:
- Authorization code flow
- Authorization Code Flow with Proof Key for Code Exchange (PKCE).
OAuth scopes provide a way to limit the amount of access that is granted to OAuth client apps. For example, an access token issued to a client app may be granted full access to protected resources, or just read access. Each scope grants a different level of access.
For more information on OAuth, see Creating and managing OAuth clients.
JSON web tokens (JWT)
JSON web tokens, digitally signed, are commonly referred to as a “JWT.” A JWT is a standard for transmitting information between software applications in the form of a JSON object, verified and trusted using a public / private key pair. The two primary use cases for JWTs are authorization and information exchange. Qlik Sense Enterprise SaaS reads JWTs from external identity providers during the authentication phase. Qlik Sense Enterprise SaaS creates an internal JWT post-authentication for use during a session.
The external JWT authorization option in Qlik Sense Enterprise SaaS enables client applications to directly send a custom JWT, bypassing the interactive sign-in to the Qlik tenant. The user is then authorized to access Qlik Sense Enterprise SaaS. The JWT capability enables customers to provide seamless integrations between their applications and Qlik Sense Enterprise SaaS.
Applications connecting to Qlik Sense Enterprise SaaS with JWTs require the same web integration ID and cross-site request forgery prevention as all integrations within the platform.
Tools and resources
Developer portal
The (Qlik Developer portal) is a central location for developers to find the information they need to develop with Qlik products, including Qlik Sense Enterprise SaaS and featuring developer documentation, API references, tutorials, and more.
Qlik-cli
Qlik-cli is a command line interface for automating management activities in Qlik Sense Enterprise SaaS. For more information in the Qlik Developer Portal, see qlik-cli.
Qlik's Platform SDK
Qlik's Platform SDK (software development kit) is a python module that allows developers to leverage the APIs of the Qlik Cloud platform from the comfort of python. The SDK provides access to both the REST and RPC clients to access all the APIs available for the Qlik Cloud platform.
For more information on the Platform SDK, see: Qlik SDK.
Did this page help you?
If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!