Use an organization to group CDF projects and facilitate their management.
An organization contains users, projects, and potentially other organizations. Users enter the organization ID when logging into Cognite apps, such as Cognite Data Fusion. Each organization has one IdP configuration used for both interactive login and service account authentication across all projects in the organization.
External identity providers (IdP)
CDF supports interfacing with external IdPs to manage users and groups. The following vendors are supported:
- Microsoft Entra ID (formerly known as Azure AD or Azure Active Directory)
- Auth0
- Keycloak
Users
If a user can log into the external IdP configured for the organization, they have access to the CDF organization. Project access settings determine which of the organization’s projects a user can access and what actions they can perform.
After a user logs into the organization for the first time, they appear in the organization’s user list. Users can see each other, enabling collaboration on projects.
Organization hierarchy
An organization can have child organizations. The ownership relationship is materialized through the parentId field of the organization resource.
Projects
An organization holds CDF projects. Users logged into the organization can see all projects in the organization. However, the project’s access control lists (ACLs) and other access control settings control what actions users can perform within each project.
Allowed clusters
An organization has a list of clusters where it can hold projects. This is defined in the allowedClusters field on the resource.
Organization admins
An organization can have admins, who are identified principals authorized to perform an extended set of modifications on the organization, such as creating projects or changing admins.
Admins are identified by the adminGroupId field on the organization resource, which is the ID of a group managed in the external IdP.
Different organization API endpoints have specific access rules documented under each endpoint. Generally, organization admins control most aspects of the organization itself and have full control over any sub-organizations.
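The general rule above means an IdP group named in a parent's adminGroupId also controls every organization beneath it, which matters when reviewing who holds admin rights. The following Python sketch is an added example, not Cognite code: it walks parentId links over constructed records to list the groups that can administer each organization. The `id` key, the sample values, and the assumption that adminGroupId may be unset are all hypothetical, and the access rules documented for each endpoint remain authoritative.

```python
# Constructed sample organization records. parentId, adminGroupId and
# allowedClusters are the fields named on this page; the "id" key and all
# values are assumptions made for this example (None = no admin group set).
ORGS = [
    {"id": "acme", "parentId": None, "adminGroupId": "grp-root-admins",
     "allowedClusters": ["cluster-a", "cluster-b"]},
    {"id": "acme-eu", "parentId": "acme", "adminGroupId": "grp-eu-admins",
     "allowedClusters": ["cluster-a"]},
    {"id": "acme-eu-lab", "parentId": "acme-eu", "adminGroupId": None,
     "allowedClusters": ["cluster-a"]},
]


def ancestors(org_id, by_id):
    """Yield org_id and each parent up to the root, guarding against cycles."""
    seen = set()
    while org_id is not None:
        if org_id in seen:
            raise ValueError(f"parentId cycle at {org_id!r}")
        if org_id not in by_id:
            raise ValueError(f"unknown organization {org_id!r}")
        seen.add(org_id)
        yield org_id
        org_id = by_id[org_id]["parentId"]


def effective_admin_groups(orgs):
    """Map each organization to every IdP group that can administer it:
    its own adminGroupId plus those of all ancestor organizations."""
    by_id = {o["id"]: o for o in orgs}
    result = {}
    for org in orgs:
        groups = [by_id[a]["adminGroupId"] for a in ancestors(org["id"], by_id)]
        result[org["id"]] = [g for g in groups if g]
    return result


def orgs_administered_by(group_ids, orgs):
    """Organizations a principal controls, given its IdP group memberships."""
    wanted = set(group_ids)
    effective = effective_admin_groups(orgs)
    return sorted(o for o, groups in effective.items() if wanted & set(groups))


if __name__ == "__main__":
    for org_id, groups in effective_admin_groups(ORGS).items():
        print(org_id, "->", groups)
```

Comparing this output with the IdP's actual group membership shows which principals gain admin rights over a child organization only through a parent.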
Authentication for this API
Organizations are global and not tied to specific projects or clusters. Send API requests for organizations to auth.cognite.com rather than to the cluster- and project-specific endpoints used for other resources.
The organizations API accepts only OAuth tokens issued by https://auth.cognite.com (such as those issued when logging into Fusion).
You can also obtain a token by initiating a login flow against the authorization server directly. See the “Authorizations” sections for more information.
Last modified on April 23, 2026