Advanced Authentication

You can use our Advanced authentication mode, which incorporates Mutual TLS (mTLS), to enhance the security of your Qualtrics Fivetran connector. This added layer of security ensures a 2-way authentication process, where Qualtrics and Fivetran verify each other’s identities before any data exchange occurs. During the connection setup, both Qualtrics and Fivetran exchange and validate each other's certificates, ensuring a secure and trusted communication channel.

IMPORTANT:

• Read the Qualtrics mTLS guide before enabling Advanced Authentication with Fivetran. It is not possible to use mTLS for just Fivetran, you need to enable all users of your public APIs to use mTLS.

• If you enable mTLS in Qualtrics while running a Fivetran connector in Standard Authentication mode, the connector fails until you set up Advanced Authentication.

Setup instructions

Generate and save client certificate and private key

Perform the following steps to generate and save a client certificate and private key for your Qualtrics account.

1. Follow the instructions in the Qualtrics mTLS doc to generate the client certificate and Private Key.
2. Make a note of the client certificate, private key, and pass-phrase. You will need them to configure Fivetran.

IMPORTANT: Ensure the generated Client certificate and its private key are in the .cert and .pem formats.

Enable mutual authentication in your Qualtrics account

Follow the instructions provided in this Qualtrics mTLS doc (Step no. 16) to enable mutual authentication for your Qualtrics account.

IMPORTANT:

• Enabling mTLS impacts ALL users who access your public APIs. Ensure that all users in your organization who access your APIs can support mTLS before enabling this feature.

Configure private app

To use mTLS with OAuth2.0 client-credential flow, you need to configure a new private app in your Qualtrics account.To do this, perform the following steps:

1. Follow the instructions provided in this Qualtrics Client Credential document to configure a private app for the client-credential flow.

2. In the scope section, assign the following scopes to the app:

   • read:contact_frequency_rules
   • read:contact_transactions
   • read:directories
   • read:directory_contacts
   • read:distributions
   • read:groups
   • read:libraries
   • read:mailing_list_contacts
   • read:mailing_lists
   • read:organizations
   • read:samples
   • read:subscriptions
   • read:survey_responses
   • read:survey_sessions
   • read:surveys
   • read:tickets
   • read:users

3. Make a note of the client ID and client secret.

Finish Fivetran configuration

Return to the Fivetran Qualtrics connector setup form, select Advanced as the Authentication Method and finish your Fivetran configuration for Qualtrics connector.

Frequently Asked Questions

Do I need to generate a private certificate or a public certificate?

Qualtrics mTLS works with a private certificate. There is no need for a public, CA-signed certificate.

Why do I need to configure a private app?

Setting up mTLS with a private app is the most secure option because it allows you full control over when to rotate your public and private key as well as what permissions you want to configure.

How is certificate rotation handled?

The certificate expires in one year and needs to be rotated manually in Qualtrics and uploaded to Fivetran's setup form. You will need to re-authenticate once the new certificate is uploaded in order to avoid disruption to your syncs.

Fivetran will provide a warning 60 days before the certificate needs to be rotated.

NOTE : Qualtrics documentation mentions that up to 10 active certificates can be in use at any one time. Qualtrics will deny requests for more than ten certificates until old certificates are revoked/deleted. You must manually revoke/delete certificates, because expiry will not remove them from counting against your certificate limit.