Identity and access management

With Cognite Data Fusion (CDF), you can use your existing IdP framework to manage access to applications and data. Users authenticate with a single account to multiple applications. Use identity providers (IdPs) that support OAuth 2.0 and OpenID Connect, the two standards used in establishing trust between the CDF services, the front-end applications, and the identity provider.

Info

We currently support Microsoft Entra ID and Amazon Cognito. If you want to use another IdP to manage access to CDF, it must meet these minimum requirements.

Tip

Visit the Manage access to CDF getting started course for an introduction to the technology behind CDF authentication and authorization.

Step 1: Get set up

Register core Cognite applications

As an IdP administrator, you can consent for your entire organization to use the CDF portal application and other Cognite applications. Users can sign in with their organizational identity without having to consent themselves.

• Microsoft Entra ID: Register core Cognite applications
• Amazon Cognito: Register core Cognite applications

Set up groups to control access

Instead of assigning capabilities to individual users and applications, you create groups in CDF to define what capabilities members (users or applications) have to work with different CDF resources. Then you link and synchronize the CDF groups to user groups in the IdP and continue to manage users and applications in your IdP.

Warning

We currently support Microsoft Entra ID and Amazon Cognito. If you want to use another IdP to manage access to CDF, it must meet these minimum requirements.

• Microsoft Entra ID: Create and link groups
• Amazon Cognito: Create and link groups

Step 2: Register and configure local apps

When you have set up the core applications and groups and verified that users can sign in with their organizational IDs, it's time to register and configure the apps and components you need for your data integration pipelines, contextualization flows, and data dashboards and to start developing solutions.

• Register and configure components and applications

Step 3: Dive deeper

Get in-depth knowledge that will help you implement an entire project.

Danger

We currently support Microsoft Entra ID and Amazon Cognito. If you want to use another IdP to manage access to CDF, it must meet these minimum requirements.

Design principles

Learn about the design principles for using Microsoft Entra ID's OpenID Connect implementation to manage access to CDF.

• Design principles: OpenID Connect and CDF

Best practices

See the best practices for registering and configuring applications to authenticate with CDF. You'll also find information about setting up groups to authorize what data users and applications can access and what they can do with the data.

• Best practices: Register applications and set up groups

Authentication flows

Users, services, and applications are responsible for obtaining the appropriate token from the IdP to access the Cognite API.

The way these tokens are granted may vary, depending on the software vendor's implementation. Learn more about the most relevant grants for CDF.

• Authentication flows

Access token scopes

• Access token scopes

Step 4: Fix issues

If you are receiving errors or seeing unexpected behavior, our troubleshooting tips can help you resolve the issues.

• Troubleshoot access management