Use Google as the identity provider

To allow users to use their Google identity to log in to Cognite Data Fusion (CDF), you need to configure CDF to use Google as the Identity Provider (IdP).

Configure CDF to use Google as the IdP

Note: To perform the steps below, you need to be an administrator of both CDF and a Google Cloud project.

  1. Set up an OAuth consent screen for your Google Cloud project:

    NOTE

    This step only needs to be done once per Google Cloud project. If an OAuth consent screen has already been configured for your project, skip to step 2.

    1. Sign in to https://console.cloud.google.com.

    2. In the sidebar, select APIs & Services > OAuth consent screen.

    3. Select Internal to give access to members of your organization.

      NOTE

      Select External in this step only if you want your CDF project to be publicly accessible. Anyone with a Google account, inside or outside your organization, will be able to log in to your project.

    4. Enter a name for your consent screen. Users will see this when they log in with their Google identity.

    5. Add cogniteapp.com and cognitedata.com under authorized domains and save.

  2. Create OAuth credentials for CDF in your Google Cloud project:

    1. Sign in to https://console.cloud.google.com.

    2. In the sidebar, select APIs & Services > Credentials.

    3. Create a new OAuth client ID credential.

    4. Set Web application as the application type, and set Cognite Data Fusion as the application name.

    5. Add https://api.cognitedata.com and https://api.cognitedata.com/login/oauth2 as authorized redirect URIs.

      NOTE

      api is the name of the CDF cluster where your CDF project is located. If your project is located in a different cluster, replace the api part of the redirect URI with the name of that cluster, for example https://mycluster.cognitedata.com/login/oauth2.

    6. Click Create. Make a note of the client ID and client secret.

  3. Update your CDF project to use Google to authenticate users. For example, follow these steps if you're using Postman.

    1. In Postman, select Projects > Update a project and add this code in the Body section:
    {
      "name": "{{projectName}}",
      "urlName": "{{projectUrlName}}",
      "defaultGroupId": null,
      "authentication": {
        "protocol": "oauth2",
        "oAuth2Configuration": {
          "clientId": "{{clientID}}",
          "clientSecret": "{{clientSecret}}",
          "loginUrl": "https://accounts.google.com/o/oauth2/v2/auth",
          "logoutUrl": "https://accounts.google.com/logout",
          "tokenUrl": "https://www.googleapis.com/oauth2/v4/token"
        }
      }
    }
    
    Where:

    • projectName - is the display name of the CDF project.
    • projectUrlName - is the URL name of the project.
    • clientId - is the OAuth client ID from step 3.
    • clientSecret - is the OAuth client secret from step 3.

    2. Select Send.

  4. Your CDF project is now configured to use Google to authenticate users.

    To test the configuration, navigate to https://console.cognitedata.com and log in with your CDF project name and Google credentials.

    You should see the Console home page and the CDF features you have access to. Which features you have access to depends on the configuration of the default group in CDF.
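
A pre-flight check for the request body from step 3, as an added example that is not Cognite's own code: it flags unresolved Postman variables, non-HTTPS or unexpected endpoint hosts, and a client ID that is not in Google's format, and it derives the redirect URIs for a cluster name. The names `check_body`, `redirect_uris` and `SAMPLE` are assumptions made for this example, and the client ID and secret in `SAMPLE` are constructed values.

```python
import json
import re
from urllib.parse import urlsplit

# Endpoint hosts as they appear in the request body on this page.
EXPECTED_HOSTS = {"loginUrl": "accounts.google.com",
                  "logoutUrl": "accounts.google.com",
                  "tokenUrl": "www.googleapis.com"}
CLIENT_ID_SUFFIX = ".apps.googleusercontent.com"  # Google OAuth client ID format
CLUSTER_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")  # one DNS label
PLACEHOLDER_RE = re.compile(r"\{\{.*?\}\}")  # unresolved Postman variable

# Constructed sample body; the client ID and secret are made-up values.
SAMPLE = json.dumps({
    "name": "My project", "urlName": "my-project", "defaultGroupId": None,
    "authentication": {"protocol": "oauth2", "oAuth2Configuration": {
        "clientId": "1234-constructed.apps.googleusercontent.com",
        "clientSecret": "constructed-secret",
        "loginUrl": "https://accounts.google.com/o/oauth2/v2/auth",
        "logoutUrl": "https://accounts.google.com/logout",
        "tokenUrl": "https://www.googleapis.com/oauth2/v4/token"}}})

def redirect_uris(cluster="api"):
    """Return the two authorized redirect URIs for a CDF cluster name."""
    # Reject anything that is not a single DNS label, so a mistyped or pasted
    # value cannot turn the redirect URI into one on another host.
    if not CLUSTER_RE.fullmatch(cluster):
        raise ValueError(f"cluster must be a single DNS label: {cluster!r}")
    base = f"https://{cluster}.cognitedata.com"
    return [base, base + "/login/oauth2"]

def check_body(raw):
    """Return a list of problems found in a project-update body (JSON text)."""
    problems = [f"unresolved variable {m}" for m in PLACEHOLDER_RE.findall(raw)]
    body = json.loads(raw)
    auth = body.get("authentication") or {}
    cfg = auth.get("oAuth2Configuration") or {}
    if auth.get("protocol") != "oauth2":
        problems.append("authentication.protocol must be 'oauth2'")
    if not str(cfg.get("clientId", "")).endswith(CLIENT_ID_SUFFIX):
        problems.append("clientId does not look like a Google OAuth client ID")
    if not cfg.get("clientSecret"):
        problems.append("clientSecret is empty")
    for key, host in EXPECTED_HOSTS.items():
        url = urlsplit(str(cfg.get(key, "")))
        if url.scheme != "https" or url.hostname != host:
            problems.append(f"{key} must be an https URL on {host}")
    return problems

if __name__ == "__main__":
    print(redirect_uris("mycluster"), check_body(SAMPLE) or "body looks consistent")
```

Run it against the body with the Postman variables already substituted; an empty list means the body matches the values this page specifies.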

Last Updated: 8/6/2020, 10:02:19 AM