
Register the Cognite API and applications in Amazon Cognito

To allow users to sign in to Cognite Data Fusion (CDF) and Cognite apps with their existing organizational ID, you first need to register the Cognite API and permit it to access user profiles in your Amazon Cognito tenant. You then register the Cognite applications you want to allow users to access.

Follow the steps below to allow users to sign in to Cognite Data Fusion (CDF) and Cognite apps.

Step 1: Register the Cognite API and authentication and authorization servers

  1. Sign in to the Amazon Cognito console as an admin. If prompted, enter your AWS credentials.

  2. Select User Pools.

  3. Select an existing user pool from the list, or create a user pool.

  4. Select the App integration tab.

  5. Register the Cognite API:

    1. Under Resource servers, select Create resource server.

    2. In Resource server name, enter Cognite API.

    3. In Resource server identifier, enter https://cognitedata.com.

    4. Under custom scopes, add two scopes:

      1. Scope name: IDENTITY and description: identity.
      2. Scope name: user_impersonation and description: User impersonation.

      Learn more about the scopes.

    5. Select Create resource server.

  6. Register the resource server for Cognito service account authentication:

    1. Under Resource servers, select Create resource server.

    2. In Resource server name, enter Service account.

    3. In Resource server identifier, enter https:/.

    4. Under custom scopes, add two scopes:

      1. Scope name: IDENTITY and description: identity.
      2. Scope name: {{cluster}}.cognitedata.com and description: audience.

      Learn more about the scopes.

    5. Select Create resource server.

  7. Register a Cognite authorization server:

    1. Under App client list, select Create app client.

    2. Under App type, select Confidential client.

    3. In App client name, enter Cognite authorization server.

    4. Under Client secret, select Generate a client secret.

    5. Under Authentication flows, select ALLOW_USER_SRP_AUTH and ALLOW_REFRESH_TOKEN_AUTH.

      Keep the default settings for the remaining fields under Authentication flows.

    6. Under Hosted UI settings, set Allowed callback URLs to https://auth.cognite.com/oauth2/external/callback.

    7. In Identity providers, select Cognito user pool.

    8. In OAuth 2.0 grant types, select Authorization code grant.

    9. In OpenID Connect scopes, select OpenID and Profile.

    10. At the bottom of the page, select Create app client.

Step 2: Register the Cognite Data Fusion application

  1. Sign in to the Amazon Cognito console as an admin. If prompted, enter your AWS credentials.

  2. Select User Pools.

  3. Select an existing user pool from the list, or create a user pool.

  4. Select the App integration tab.

  5. Under App client list, select Create app client.

  6. Under App type, select Public client.

  7. In App client name, enter Cognite Data Fusion.

  8. Under Client secret, select Don't generate a client secret.

  9. Under Authentication flows, select ALLOW_USER_SRP_AUTH and ALLOW_REFRESH_TOKEN_AUTH.

    Keep the default settings for the remaining fields under Authentication flows.

  10. Under Hosted UI settings, set Allowed callback URLs to https://<your CDF org>.fusion.cognite.com/.

  11. In Identity providers, select Cognito user pool.

  12. In OAuth 2.0 grant types, select Authorization code grant.

  13. In OpenID Connect scopes, select OpenID.

  14. In Custom scopes, select https://cognitedata.com/user_impersonation.

  15. At the bottom of the page, select Create app client.
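The console steps in Step 1 and Step 2 can also be expressed as AWS CLI v2 calls, which makes the resulting configuration reviewable and repeatable. The script below is an added example written for this page; it is not Cognite's or AWS's own tooling. It assumes the `aws` CLI is configured with administrative rights on the user pool, and that the caller supplies the user pool ID, the CDF organization (the `<your CDF org>` placeholder above) and the CDF cluster (written `{{cluster}}` above). Setting `AWS_CMD=echo` prints the calls instead of executing them, which is a convenient way to review them before applying.

```shell
#!/usr/bin/env sh
# Added example (not Cognite's or AWS's own tooling): the console steps of
# Step 1 and Step 2 as AWS CLI v2 calls, so the configuration can be reviewed
# and replayed. Assumptions: `aws` is configured with admin rights on the
# user pool; USER_POOL_ID, CDF_ORG and CDF_CLUSTER are supplied by the caller.
# Set AWS_CMD=echo to print the calls instead of executing them.

AWS_CMD="${AWS_CMD:-aws}"

# Step 1.5: resource server "Cognite API" with the IDENTITY and
# user_impersonation custom scopes. Cognito exposes a custom scope as
# "<identifier>/<scope name>", e.g. https://cognitedata.com/user_impersonation.
register_cognite_api() {
  pool_id="$1"
  "$AWS_CMD" cognito-idp create-resource-server \
    --user-pool-id "$pool_id" \
    --identifier "https://cognitedata.com" \
    --name "Cognite API" \
    --scopes "ScopeName=IDENTITY,ScopeDescription=identity" \
             "ScopeName=user_impersonation,ScopeDescription=User impersonation"
}

# Step 1.6: resource server "Service account". The identifier "https:/" plus
# the scope name "<cluster>.cognitedata.com" yields the scope string
# https://<cluster>.cognitedata.com, i.e. the CDF audience for service accounts.
register_service_account_audience() {
  pool_id="$1"
  cluster="$2"   # the CDF cluster, written {{cluster}} in the steps above
  "$AWS_CMD" cognito-idp create-resource-server \
    --user-pool-id "$pool_id" \
    --identifier "https:/" \
    --name "Service account" \
    --scopes "ScopeName=IDENTITY,ScopeDescription=identity" \
             "ScopeName=${cluster}.cognitedata.com,ScopeDescription=audience"
}

# Step 1.7: confidential app client used by the Cognite authorization server.
# --generate-secret creates the client secret; the CLI returns it once in the
# ClientSecret field of the response, so capture it straight into a secret store.
register_authorization_server_client() {
  pool_id="$1"
  "$AWS_CMD" cognito-idp create-user-pool-client \
    --user-pool-id "$pool_id" \
    --client-name "Cognite authorization server" \
    --generate-secret \
    --explicit-auth-flows ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH \
    --supported-identity-providers COGNITO \
    --callback-urls "https://auth.cognite.com/oauth2/external/callback" \
    --allowed-o-auth-flows code \
    --allowed-o-auth-scopes openid profile \
    --allowed-o-auth-flows-user-pool-client
}

# Step 2: public app client for the Cognite Data Fusion front end. No secret
# (a browser cannot keep one), authorization code grant only, and just the
# one custom scope the application needs.
register_cdf_app_client() {
  pool_id="$1"
  org="$2"       # your CDF organization, <your CDF org> in the steps above
  "$AWS_CMD" cognito-idp create-user-pool-client \
    --user-pool-id "$pool_id" \
    --client-name "Cognite Data Fusion" \
    --no-generate-secret \
    --explicit-auth-flows ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH \
    --supported-identity-providers COGNITO \
    --callback-urls "https://${org}.fusion.cognite.com/" \
    --allowed-o-auth-flows code \
    --allowed-o-auth-scopes openid "https://cognitedata.com/user_impersonation" \
    --allowed-o-auth-flows-user-pool-client
}

# Run everything when the caller supplies the identifiers. The resource servers
# are created first because a client can only reference scopes that already exist.
if [ -n "${USER_POOL_ID:-}" ] && [ -n "${CDF_ORG:-}" ] && [ -n "${CDF_CLUSTER:-}" ]; then
  register_cognite_api "$USER_POOL_ID"
  register_service_account_audience "$USER_POOL_ID" "$CDF_CLUSTER"
  register_authorization_server_client "$USER_POOL_ID"
  register_cdf_app_client "$USER_POOL_ID" "$CDF_ORG"
fi
```

Run it as `USER_POOL_ID=<pool id> CDF_ORG=<org> CDF_CLUSTER=<cluster> sh register-cognite.sh` (the file name is arbitrary). The two app clients differ in exactly the ways the console steps specify: the authorization server is a confidential client with a generated secret and the `openid` and `profile` scopes, while the CDF application is a public client with no secret and only the `user_impersonation` custom scope, so a compromised browser session cannot obtain more than the front end itself is allowed.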