Skip to main content
To allow users to sign in to Cognite Data Fusion (CDF) and Cognite apps with their existing organizational ID, you first need to register the Cognite API and permit it to access user profiles in your Amazon Cognito tenant. You then register the Cognite applications you want to allow users to access. Follow the steps below to allow users to sign in to Cognite Data Fusion (CDF) and Cognite apps.

Step 1: Register the Cognite API and authentication and authorization servers

1

Sign in to Amazon Cognito

Sign in to the Amazon Cognito console as an admin. If prompted, enter your AWS credentials.
2

Select a user pool

Select an existing user pool from the list, or create a user pool.
3

Register the Cognite API:

  1. Under Branding, select Domain.
  2. Under Resource servers, select Create resource server.
  3. In Resource server name, enter Cognite API.
  4. In Resource server identifier, enter https://cognitedata.com.
  5. Under Custom scopes, add two scopes:
    • Scope name: IDENTITY and description: identity
    • Scope name: user_impersonation and description: User impersonation.
    Learn more about the scopes.
  6. Select Create resource server.
4

Register the resource server

Register the resource server for Cognito service account authentication:
  1. Under Branding, select Domain.
  2. Under Resource servers, select Create resource server.
  3. In Resource server name, enter Service account.
  4. In Resource server identifier, enter https:/. (NOTE: It’s https:/ and not https:// )
  5. Under custom scopes, add a scope:
    • Scope name: IDENTITY and description: identity
    • Scope name: {{cluster}}.cognitedata.com and description: audience.
    Learn more about the scopes.
  6. Select Create resource server.
5

Register a Cognite authorization server

  1. Under Applications, select App clients > Create app client.
  2. Under Application type, select Machine-to-machine application.
  3. Name your application Cognite authorization server and select Create app client. The client secret is created automatically.
  4. In App client information, select Edit.
    • Under Authentication flows, select ALLOW_USER_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH, and then select Save changes.
  5. Under the Login pages tab, select Edit.
    • In Identity providers, select Cognito user pool.
    • In OAuth 2.0 grant types, select Client credentials.
    • In Custom scope, select {{cluster}}.cognitedata.com.
    • At the bottom of the page, select Save changes.

Step 2: Register the Cognite Data Fusion application

1

Sign in to Amazon Cognito

Sign in to the Amazon Cognito console as an admin. If prompted, enter your AWS credentials.
2

Select a user pool

Select an existing user pool from the list, or create a user pool.
3

Select Create app client

Under Applications, select App clients, and then select Create app client.
4

Under Application type, select Traditional web application

5

Name the application

Name your application Cognite Data Fusion.
6

Create a client secret

In Return URL, enter https://auth.cognite.com/oauth2/external/callback, and select Create app client. The client secret is created automatically.
7

In App client information, select Edit

  • Under Authentication flows, select ALLOW_USER_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH, and then select Save changes.
8

Under the Login pages tab, select Edit

  • In Identity providers, select Cognito user pool.
  • In OAuth 2.0 grant types, select Authorization code grant.
  • In OpenID Connect scopes, select Email, OpenID, and Profile.
  • In Custom scopes, select https://cognitedata.com/user_impersonation.
  • At the bottom of the page, select Save changes.
9

Activate the Cognite Data Fusion sign-in page

  • Under Branding, select Managed login > Create a style.
  • Select the Cognite Data Fusion app client, and then select Create.
Last modified on January 27, 2026