Use Azure Active Directory as the identity provider

To allow users to use their Azure Active Directory (Azure AD) identity to log in to Cognite Data Fusion (CDF), you need to configure CDF to use Azure AD as the Identity Provider (IdP).

If you want to synchronize group membership from Azure AD to CDF groups, you need to use the Object ID for the groups in Azure AD.

NOTE

You need to link CDF groups to an Azure AD group when you first create them. You can not update an existing CDF group to link it to an Azure AD group.

Configure CDF to use Azure AD as the IdP

NOTE: To perform the steps below, you need to be an administrator of both CDF and Azure AD.

  1. Register CDF as an application in Azure AD:

    1. Sign in to https://portal.azure.com as an admin, and select Azure Active Directory on the home page.

      Select Azure Active Directory

    2. In the sidebar, select App registrations > New registration.

      Register a new app in Azure

    3. Specify the name, the supported account types, the redirect URI, and then click Register.

      Register an application

    4. Select Authentication, add https://api.cognitedata.com/login/azure as your redirect URI, and click Save.

      Note: api is the name of one of the clusters where CDF projects are located. If your project is located in a different cluster, replace the api part of the redirect URI with the name of that cluster, for example https://mycluster.cognitedata.com/login/azure. The registered URI must match the one CDF sends exactly (scheme, host and path); Azure AD refuses sign-ins whose redirect URI is not registered.

      Redirect URIs

  2. Create an Azure secret key for the CDF application:

    1. Select Certificates & secrets > New client secret.

    2. Give the client secret a Description, set the Expires time and select Add.

      Secret key

    3. IMPORTANT: Make sure that you copy the new client secret value and store it in a safe place. You won't be able to retrieve it after you leave the window. Also note the expiry date you set: when the secret expires, Azure AD sign-in to CDF stops working until you create a new secret and update the project configuration again (step 5).

      Copy the secret key

  3. Enable group integration for the Cognite application (Optional).

    Follow these steps if you need to give access to specific AD groups:

    1. Select API permissions and then Add a permission.

    2. On the next screen select Microsoft Graph.

    3. For Delegated permissions select these permissions:

      • Group.Read.All
      • Directory.Read.All
      • User.Read (should already be selected)

    4. For Application permissions select these permissions:

      • Group.Read.All

    5. Click Add permissions.

    6. The API permissions should look like this:

      API permissions

    7. Select Grant admin consent for Default Directory (the button shows your own tenant's name) to make the new list of permissions active. The Application permission in particular does nothing until a directory administrator has consented.

      Grant admin consent

  4. Get the Azure application ID and tenant ID:

    1. Select Overview.

    2. Copy and make a note of the Application (client) ID and the Directory (tenant) ID.

      Copy the app ID

  5. Update your CDF project to use Azure Active Directory to authenticate users. For example, follow these steps if you're using Postman.

    1. In Postman, select Projects > Update a project and add this code in the Body section:

        {
            "name": "$projectName",
            "urlName": "$projectUrlName",
            "defaultGroupId": null,
            "authentication": {
                "azureADConfiguration": {
                    "appId": "$applicationId",
                    "appSecret": "$applicationSecret",
                    "tenantId": "$activeDirectoryId",
                    "appResourceId": "00000002-0000-0000-c000-000000000000"
                },
                "validDomains": []
            }
        }

    Where:

    • $projectName - is the display name of the CDF project.
    • $projectUrlName - is the URL name of the project.
    • $applicationId - is the Application (client) ID you noted in step 4.
    • $applicationSecret - is the client secret value you copied in step 2.
    • $activeDirectoryId - is the Directory (tenant) ID you noted in step 4.
    • appResourceId - is fixed. 00000002-0000-0000-c000-000000000000 is the resource ID of the Azure AD Graph API, the same in every tenant; leave it exactly as shown.

    2. Select Send.

      Update CDF project using Postman

  6. Your CDF project is now configured to use Azure Active Directory to authenticate users.

    To test the configuration, navigate to https://console.cognitedata.com and log in with your CDF project name and Azure Active Directory credentials.

    You should see the Console home page and the CDF features you have access to. Which features you have access to depends on the configuration of the default group in CDF.
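The Python script below is an added example, not code from the original page or from Cognite: it carries out step 5 without Postman. It derives the redirect URI for a cluster as described in step 1.4, validates the IDs copied in step 4 before they go into the project, assembles the exact request body shown above, and produces a redacted copy you can paste into a change ticket or log. The request URL is not reproduced here (copy it from the Postman request), the api-key header name is an assumption, and the GUIDs in the sample run are placeholders.

```python
import copy
import json
import re
import urllib.request

# Fixed value from the page's request body: the resource ID of the Azure AD
# Graph API, identical for every tenant.
APP_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def is_guid(value):
    """True if value looks like an Azure AD application or tenant ID."""
    return isinstance(value, str) and GUID_RE.match(value) is not None


def redirect_uri(cluster):
    """Redirect URI to register for a CDF cluster (step 1.4).

    'api' gives https://api.cognitedata.com/login/azure; any other cluster
    name replaces the host prefix, exactly as the page describes.
    """
    if not re.fullmatch(r"[a-z0-9-]+", cluster):
        raise ValueError(f"unexpected cluster name: {cluster!r}")
    return f"https://{cluster}.cognitedata.com/login/azure"


def build_project_update(name, url_name, app_id, app_secret, tenant_id, valid_domains=()):
    """Assemble the 'Update a project' body from the page, checking inputs first.

    appId and tenantId must be the GUIDs copied from the app's Overview blade.
    A display name pasted by mistake, or a value with stray whitespace, is
    rejected here instead of being stored in the project's auth config.
    """
    for label, value in (("appId", app_id), ("tenantId", tenant_id)):
        if not is_guid(value):
            raise ValueError(f"{label} is not a GUID: {value!r}")
    if not app_secret or app_secret != app_secret.strip():
        raise ValueError("appSecret is empty or has surrounding whitespace")
    return {
        "name": name,
        "urlName": url_name,
        "defaultGroupId": None,
        "authentication": {
            "azureADConfiguration": {
                "appId": app_id,
                "appSecret": app_secret,
                "tenantId": tenant_id,
                "appResourceId": APP_RESOURCE_ID,
            },
            "validDomains": list(valid_domains),
        },
    }


def redacted(body):
    """Deep copy with the client secret masked; log or ticket this, never the original."""
    safe = copy.deepcopy(body)
    safe["authentication"]["azureADConfiguration"]["appSecret"] = "***REDACTED***"
    return safe


def prepare_update_request(url, body, api_key):
    """Build the POST request without sending it.

    url is copied from the Postman 'Update a project' request (its path is not
    reproduced here); 'api-key' as the admin key header is an assumption.
    Send with urllib.request.urlopen(req) once the redacted body looks right.
    """
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"api-key": api_key, "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Placeholder values, not real identifiers.
    body = build_project_update(
        name="My Project",
        url_name="my-project",
        app_id="11111111-2222-3333-4444-555555555555",
        app_secret="replace-with-the-secret-value-from-step-2",
        tenant_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    )
    print("Register this redirect URI:", redirect_uri("api"))
    print(json.dumps(redacted(body), indent=2))
```

Keep the unredacted body out of shell history and CI logs; the only place the secret should land is the request itself.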

Find the Object ID for an Azure AD group

To get the Object ID for an Azure AD group:

  1. Sign in to https://portal.azure.com as an admin, and select Azure Active Directory on the home page.

    Select Azure Active Directory

  2. In the sidebar, select Groups.

    Select Groups

  3. Select the AAD group you want to find the Object ID for.

    Select AAD group

  4. Copy and make a note of the Object ID.

    Copy Object Id

To use the Object ID to link an Azure AD group to a CDF group, see create a CDF group.

See also: the Get-AzureADGroup PowerShell command.
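As an added example (not from the original page or from Cognite), the Python snippet below resolves a group's Object ID from an exported Azure AD group list and shows why the page insists on the Object ID rather than the group name: Azure AD does not enforce unique group display names, only unique Object IDs, so a name lookup must refuse ambiguous matches. The group list is constructed here with the ObjectId and DisplayName property names that Get-AzureADGroup | ConvertTo-Json produces; sourceId as the field that carries the IdP group ID in a CDF group is taken from the CDF groups API and should be checked against the create a CDF group page linked above.

```python
import json
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample (not real tenant data), shaped like the output of
# Get-AzureADGroup | ConvertTo-Json. Two groups deliberately share the
# display name "cdf-admins".
SAMPLE_GROUPS = json.loads("""
[
  {"ObjectId": "11111111-1111-1111-1111-111111111111", "DisplayName": "cdf-readers"},
  {"ObjectId": "22222222-2222-2222-2222-222222222222", "DisplayName": "cdf-admins"},
  {"ObjectId": "33333333-3333-3333-3333-333333333333", "DisplayName": "cdf-admins"}
]
""")


def resolve_object_id(groups, display_name):
    """Return (object_id, None) for an unambiguous match, else (None, reason).

    Matching is case-insensitive like the portal search. The lookup refuses
    names carried by more than one group: linking the wrong group would
    silently grant the wrong people access to the CDF project.
    """
    wanted = display_name.casefold()
    matches = [g for g in groups if g["DisplayName"].casefold() == wanted]
    if not matches:
        return None, f"no Azure AD group named {display_name!r}"
    if len(matches) > 1:
        ids = ", ".join(g["ObjectId"] for g in matches)
        return None, f"{display_name!r} matches several groups ({ids}); pick the Object ID by hand"
    object_id = matches[0]["ObjectId"]
    if not GUID_RE.match(object_id):
        return None, f"ObjectId {object_id!r} is not a GUID"
    return object_id, None


def cdf_group_body(cdf_group_name, object_id):
    """Body for creating a CDF group linked to the Azure AD group.

    The link has to be set when the CDF group is created; it cannot be added
    to an existing group. sourceId is the CDF groups API field for the
    identity provider's group ID (confirm against the create-group reference).
    """
    if not GUID_RE.match(object_id):
        raise ValueError("sourceId must be the Azure AD group's Object ID (a GUID)")
    return {"name": cdf_group_name, "sourceId": object_id}


if __name__ == "__main__":
    for name in ("cdf-readers", "cdf-admins", "missing"):
        oid, why = resolve_object_id(SAMPLE_GROUPS, name)
        print(name, "->", json.dumps(cdf_group_body(name, oid)) if oid else f"refused: {why}")
```

To run it against your own tenant, replace SAMPLE_GROUPS with the parsed output of Get-AzureADGroup | ConvertTo-Json; the ambiguity check is the part worth keeping.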

Last Updated: 11/29/2019, 9:56:27 AM