Minimum identity provider (IdP) requirements
At a minimum, your identity provider (IdP) must meet the requirements below to manage access to Cognite Data Fusion (CDF) data securely.
We currently only support Microsoft's Microsoft Entra ID (formerly Azure Active Directory).
The IdP must issue access tokens that the CDF API can validate. The access tokens must be a valid JWT, signed using RS256, with a public key at the location specified by the JWKS URL. Also, the IdP must have a JWKS URL that's reachable by the CDF API, and respond to requests for the JWKS end or the token endpoint within 1 second, as measured from the CDF API. Contact Cognite to have the JWKS URL added to the list of allowed JWKS URLs.
The IdP must support the following OAuth 2.0 flows:
Tokens and claims
Within a token, there are multiple claims used to assert pieces of information about a subject. Tokens issued to authenticate and authorize a subject to access CDF should contain the following claims, some are reserved, and the others are custom configured. See this article for more information about tokens and claims.
The table below shows the minimum required claims in a token for CDF to authenticate and authorize the subject.
|Must||Audience of the JWT (intended recipient).||URI of the service requiring authentication.|
|Must||Expiration time of the JWT.||Datetime stamp.|
|Must||Issued at Time of the JWT.||Datetime stamp.|
|Must||Issuer of the JWT.||URI and path from the IdP from which the JWT was issued.|
|Must||Subject of the JWT (the user).||User name from IdP.|
|Should||Not Before Time of the JWT (before which the token shouldn't be accepted).||Datetime stamp.|
|Should (strongly recommended)||Scope of the JWT (attribute inherited from the scopes defined for the subject in the IdP).||Text field.|
|Should (strongly recommended)||Groups of the JWT (attribute inherited from the groups defined for the subject in the IdP).||Object ID of a security group.|