Skip to main content

Minimum identity provider (IdP) requirements

At a minimum, your identity provider (IdP) must meet the requirements below to manage access to Cognite Data Fusion (CDF) data securely.

info

We currently only support Microsoft's Microsoft Entra ID (formerly Azure Active Directory).

The IdP must issue access tokens that the CDF API can validate. The access tokens must be a valid JWT, signed using RS256, with a public key at the location specified by the JWKS URL. Also, the IdP must have a JWKS URL that's reachable by the CDF API, and respond to requests for the JWKS end or the token endpoint within 1 second, as measured from the CDF API. Contact Cognite to have the JWKS URL added to the list of allowed JWKS URLs.

The IdP must support the following OAuth 2.0 flows:

Tokens and claims

Within a token, there are multiple claims used to assert pieces of information about a subject. Tokens issued to authenticate and authorize a subject to access CDF should contain the following claims, some are reserved, and the others are custom configured. See this article for more information about tokens and claims.

The table below shows the minimum required claims in a token for CDF to authenticate and authorize the subject.

ClaimRequired?DescriptionExpected value
audMustAudience of the JWT (intended recipient).URI of the service requiring authentication.
expMustExpiration time of the JWT.Datetime stamp.
iatMustIssued at Time of the JWT.Datetime stamp.
issMustIssuer of the JWT.URI and path from the IdP from which the JWT was issued.
subMustSubject of the JWT (the user).User name from IdP.
kidShouldKey identifier.RS256
nbfShouldNot Before Time of the JWT (before which the token shouldn't be accepted).Datetime stamp.
scpShould (strongly recommended)Scope of the JWT (attribute inherited from the scopes defined for the subject in the IdP).Text field.
groupsShould (strongly recommended)Groups of the JWT (attribute inherited from the groups defined for the subject in the IdP).Object ID of a security group.