
If you only do three things
1. Run /api/v1/diagnose-claims first. It confirms whether the problem really is the missing group claim before you change anything.
2. Use a Post Authentication Lambda to write the user's groups into custom:groups, not a Pre-token generation trigger. Qlik reads Cognito's userinfo endpoint, which returns user attributes (standard and custom) but never cognito:groups, so the only way to get groups to Qlik is to store them in an attribute.
3. After deploying the Lambda, change the groups claim mapping in the Qlik IdP from cognito:groups to custom:groups. Without this the groups still will not appear, even though the attribute is populated.
Step 1 — Add a custom:groups attribute to your User Pool
In the AWS Console, go to Cognito → User Pools → {your pool} → Sign-in experience → User attributes → Custom attributes → Add custom attribute.
Set the attribute name to groups (Cognito stores it as custom:groups), data type String, Mutable: Yes, Max length: 2048. Mutable must be Yes: an immutable custom attribute can only be set when the user is created, so the Lambda in Step 3 could not rewrite it on each login.
⚠ Custom attributes are permanent in Cognito. You cannot delete them after creation.
Step 2 — Grant your Qlik Cloud app client Read access to custom:groups
Go to App clients → {your Qlik Cloud app client} → Attribute read and write permissions → custom:groups → enable Read. Read is all the client needs: userinfo only returns attributes the app client is allowed to read, and the Lambda writes the attribute through the admin API with its own IAM role, not through this client, so do not grant Write.
Step 3 — Create the Lambda
Runtime: Node.js 22.x. No extra dependencies — the AWS SDK is included in the runtime.
JavaScript (Node.js 22.x)
import {
  CognitoIdentityProviderClient,
  AdminListGroupsForUserCommand,
  AdminUpdateUserAttributesCommand,
} from "@aws-sdk/client-cognito-identity-provider";
// Lambda sets AWS_REGION for the function; the trigger event also carries event.region.
const client = new CognitoIdentityProviderClient({ region: process.env.AWS_REGION });
// Max length chosen for the custom attribute in Step 1.
const MAX_ATTRIBUTE_LENGTH = 2048;
export const handler = async (event) => {
  const { userPoolId, userName } = event;
  // Collect every group the user belongs to. AdminListGroupsForUser returns groups
  // in pages (Limit is capped at 60), so follow NextToken until it is absent.
  const groupNames = [];
  let nextToken;
  do {
    const page = await client.send(
      new AdminListGroupsForUserCommand({
        UserPoolId: userPoolId,
        Username: userName,
        NextToken: nextToken,
      })
    );
    for (const g of page.Groups ?? []) groupNames.push(g.GroupName);
    nextToken = page.NextToken;
  } while (nextToken);
  // Writing an empty string is deliberate: a user removed from every group must
  // not keep a stale custom:groups value from an earlier login.
  const groups = groupNames.join(",");
  if (groups.length > MAX_ATTRIBUTE_LENGTH) {
    // AdminUpdateUserAttributes would reject this anyway (and fail the login);
    // checking here gives a clear log line instead of an opaque InvalidParameterException.
    throw new Error(`custom:groups for ${userName} exceeds ${MAX_ATTRIBUTE_LENGTH} characters`);
  }
  await client.send(
    new AdminUpdateUserAttributesCommand({
      UserPoolId: userPoolId,
      Username: userName,
      UserAttributes: [{ Name: "custom:groups", Value: groups }],
    })
  );
  return event; // Post Authentication triggers must return the event unchanged
};
Step 4 — IAM permissions for the Lambda role
Add an inline policy to the Lambda execution role, scoped to your specific user pool ARN. The role also needs the usual CloudWatch Logs permissions (the AWSLambdaBasicExecutionRole managed policy), which the console attaches when it creates the role for you.
JSON (IAM Policy)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-idp:AdminListGroupsForUser",
        "cognito-idp:AdminUpdateUserAttributes"
      ],
      "Resource": "arn:aws:cognito-idp:{REGION}:{ACCOUNT_ID}:userpool/{USER_POOL_ID}"
    }
  ]
}
Step 5 — Register as a Post Authentication trigger
Go to User Pool → Extensions → Lambda triggers → Authentication → Post authentication → Add Lambda trigger. Adding the trigger in the console also grants Cognito permission to invoke the function. If you wire it up with the CLI or infrastructure-as-code instead, add a resource-based policy on the Lambda that allows the cognito-idp.amazonaws.com principal to invoke it, with SourceArn set to the user pool ARN.
⚠ If you have a Pre-token generation trigger from an earlier attempt to inject groups into the ID token, remove it. It won't help and may cause side effects.
Step 6 — Update the Qlik Cloud IdP
Go to Administration → Identity Providers → {your Cognito IdP} → Edit → Claims mapping.
Change the groups claim from cognito:groups to custom:groups. Qlik Cloud parses the comma-separated value automatically.
Verify it worked
Log out, log back in, then call /api/v1/diagnose-claims again. You should now see custom:groups populated under claimsFromIdp and the groups listed under mappedClaims.groups.
Groups will also appear in Administration → Groups after the first login.
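The diagnose-claims output tells you which of the six steps is still missing, but reading it by eye is error-prone. The following Node.js script, added here as an example and not part of the original article or Qlik's tooling, classifies a response into the three failure states this page describes (attribute never reached userinfo, attribute present but empty, attribute present but the Qlik claim mapping not updated). The field names claimSource, claimsFromIdp and mappedClaims.groups are the ones the article shows; the rest of each sample payload is constructed for illustration and is not a real tenant's output.

```javascript
// Added example: classify a GET /api/v1/diagnose-claims response from Qlik Cloud.
// Only claimSource, claimsFromIdp and mappedClaims.groups are field names taken
// from the article; everything else in the constructed samples below is assumed.

// Split the comma-separated custom:groups value the Lambda writes, tolerating
// surrounding whitespace and a trailing comma.
function parseGroupAttribute(value) {
  return String(value ?? "")
    .split(",")
    .map((g) => g.trim())
    .filter((g) => g.length > 0);
}

// Returns { ok: true, groups } when Qlik received and mapped the groups,
// otherwise { ok: false, reason, hint } naming the step that is still missing.
function diagnoseGroups(response) {
  const source = response.claimSource;
  const fromIdp = response.claimsFromIdp ?? {};
  const mapped = response.mappedClaims?.groups ?? [];

  // cognito:groups only exists in the ID token, which Qlik never reads, so the
  // attribute is the only channel. If it is absent, Steps 2 to 5 are the suspects.
  if (!Object.hasOwn(fromIdp, "custom:groups")) {
    return {
      ok: false,
      reason: "attribute-missing",
      hint:
        `claims came from ${source} and custom:groups was not among them. ` +
        "Check that the Post Authentication Lambda is attached and ran, and that " +
        "the Qlik app client has Read permission on custom:groups.",
    };
  }

  const expected = parseGroupAttribute(fromIdp["custom:groups"]);
  if (expected.length === 0) {
    return {
      ok: false,
      reason: "attribute-empty",
      hint: "custom:groups is present but empty: the user has no Cognito groups, or the Lambda ran before groups were assigned.",
    };
  }

  // Attribute arrived but the IdP still maps groups from cognito:groups (Step 6).
  const missing = expected.filter((g) => !mapped.includes(g));
  if (missing.length > 0) {
    return {
      ok: false,
      reason: "mapping-not-updated",
      missing,
      hint: "custom:groups reached Qlik but was not mapped: change the IdP groups claim from cognito:groups to custom:groups.",
    };
  }

  return { ok: true, groups: mapped };
}

const SUB = "4c9e7a2f-0000-4000-8000-000000000001"; // constructed subject id

// Constructed sample: the original symptom. Nothing group-related is returned.
const BEFORE_FIX = {
  claimSource: "idp-userinfo",
  claimsFromIdp: { sub: SUB, email: "ana@example.com" },
  mappedClaims: { subject: SUB, email: "ana@example.com", groups: [] },
};

// Constructed sample: Lambda deployed and attribute populated, mapping not yet changed.
const LAMBDA_ONLY = {
  claimSource: "idp-userinfo",
  claimsFromIdp: { sub: SUB, email: "ana@example.com", "custom:groups": "Finance,Admins" },
  mappedClaims: { subject: SUB, email: "ana@example.com", groups: [] },
};

// Constructed sample: all six steps done.
const AFTER_FIX = {
  claimSource: "idp-userinfo",
  claimsFromIdp: { sub: SUB, email: "ana@example.com", "custom:groups": "Finance,Admins" },
  mappedClaims: { subject: SUB, email: "ana@example.com", groups: ["Finance", "Admins"] },
};

for (const [name, payload] of Object.entries({ BEFORE_FIX, LAMBDA_ONLY, AFTER_FIX })) {
  console.log(name, JSON.stringify(diagnoseGroups(payload)));
}
```

Pipe the real response into the script after a fresh login (log out first, since Qlik only re-reads userinfo at login); the reason field maps directly onto the step to revisit. The comparison is order-insensitive on purpose, because the IdP is not required to preserve the attribute's order when mapping groups.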
For additional troubleshooting, read the full article on Qlik Community: Qlik Cloud + AWS Cognito: why cognito:groups silen... - Qlik Community - 2548779
The problem
You have configured AWS Cognito as a Generic OIDC provider in Qlik Cloud. Your users can log in, but they have no groups — even though everything looks correctly set up. No error is shown anywhere.
The root cause: Qlik Cloud reads user claims from Cognito's userinfo endpoint, and that endpoint does not return cognito:groups. The claim exists in the ID token, but Qlik never reads the ID token. The groups are silently dropped on every login.
You can confirm this by calling GET https://{your-tenant}/api/v1/diagnose-claims after logging in — you will see "claimSource": "idp-userinfo" with no group data at all.
Qlik Cloud + AWS Cognito: why cognito:groups silently fails and how to fix it
A step-by-step fix for the silent group claim failure when using AWS Cognito as a Generic OIDC provider in Qlik Cloud.
By Ana Silva, Senior Systems Engineer and Administrator at IPC Global
May 8, 2026
6 min read
Qlik Tips

