Skip to main content

Identity and access management

It can be challenging to build secure applications while minimizing complexity for users. How do you give users secure access to an application to help them do their jobs without requiring them to remember a new username, password, or other credentials?

OpenID Connect lets users authenticate with a single account to multiple applications. It's an industry-standard protocol supported by many popular identity providers (IdP).


We currently only support Microsoft's Microsoft Entra ID (formerly Azure Active Directory). If you want to use another IdP than Microsoft Entra ID to manage access to CDF, it must meet these minimum requirements.


By registering the Cognite Data Fusion (CDF) portal application and other Cognite components and applications in your IdP, you can use OpenID Connect and your existing IdP framework to manage access to CDF applications and data securely. We currently support Microsoft Entra ID.


Visit the Manage access to CDF getting started course for an introduction to the technology behind CDF authentication and authorization.

Step 1: Get set up

Register core Cognite applications

As an Microsoft Entra ID (EM-ID) administrator, you can consent for your entire organization to use the CDF portal application and other Cognite applications. Users can sign in with their organizational identity without having to consent themselves.

Next steps: Register core Cognite applications in Microsoft Entra ID

Set up groups to control access

Instead of assigning capabilities to individual users and applications, you create groups in CDF to define what capabilities members (users or applications) have to work with different CDF resources. Then you link and synchronize the CDF groups to user groups in the IdP and continue to manage users and applications in your IdP.

Next steps: Create and link groups

Step 2: Register and configure local apps

When you have set up the core applications and groups and verified that users can sign in with their organizational IDs, it's time to register and configure the apps and components you need for your data integration pipelines, contextualization flows, and data dashboards and to start developing solutions.

Next steps: Register and configure components and applications

Step 3: Dive deeper

Get in-depth knowledge that will help you implement an entire project.

Design principles

Learn about the design principles for using Microsoft Entra ID's OpenID Connect implementation to manage access to CDF.

Next steps: Design principles: OpenID Connect and CDF

Best practices

See the best practices for registering and configuring applications to authenticate with CDF. You'll also find information about setting up groups to authorize what data users and applications can access and what they can do with the data.

Next steps: Best practices: Register applications and set up groups

Authentication flows

Users, services, and applications are responsible for obtaining the appropriate token from the IdP to access the Cognite API.

The way these tokens are granted may vary, depending on the software vendor's implementation. Learn more about the most relevant grants for CDF.

Next steps: Authentication flows

Access token scopes

Next steps: Access token scopes

Step 4: Fix issues

If you are receiving errors or seeing unexpected behavior, our troubleshooting tips can help you resolve the issues.

Next steps: Troubleshooting access management