> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cognite.com/llms.txt
> Use this file to discover all available pages before exploring further.

# About identity and access management

> Manage access to Cognite Data Fusion (CDF)applications and data using your existing identity provider framework with OAuth 2.0 and OpenID Connect.

With CDF, you can use your existing IdP framework to **manage access** to applications and data. Users authenticate with a single account to multiple applications. Use **identity providers** (IdPs) that support OAuth 2.0 and OpenID Connect, the two standards used in establishing trust between the CDF services, the front-end applications, and the identity provider.

<Info>
  We currently support **Microsoft Entra ID** and **Amazon Cognito**. If you want to use another IdP to manage access to CDF, it must meet [these minimum requirements](/cdf/access/concepts/minimum_idp_requirements).
</Info>

<Frame>
  <img src="https://apps-cdn.cogniteapp.com/@cognite/docs-portal-images/1.0.0/images/cdf/access/idp.png" alt="IdP" width="100%" />
</Frame>

<a id="step-1-get-set-up" />

## Step 1: Get set up

<a id="register-core-cognite-applications" />

### Register core Cognite applications

As an IdP administrator, you can consent for your entire organization to use the CDF application and other Cognite applications. Users can sign in with their organizational identity without having to consent themselves.

<CardGroup cols={2}>
  <Card title="Integrate Microsoft Entra ID" icon="microsoft" href="/cdf/access/entra/guides/configure_cdf_azure_oidc">
    Register Cognite applications in Entra ID, create linked groups, and configure authentication flows for users and services.
  </Card>

  <Card title="Integrate Amazon Cognito" icon="aws" href="/cdf/access/aws/guides/configure_cdf_cognito">
    Set up Cognito user pools, register CDF applications, and establish secure authentication with AWS-based identity management.
  </Card>
</CardGroup>

<Info>
  Need help choosing an identity provider? CDF fully supports **Microsoft Entra ID** and **Amazon Cognito**. Other providers must meet [minimum requirements](/cdf/access/concepts/minimum_idp_requirements) for OAuth 2.0 and OpenID Connect.
</Info>

<a id="set-up-groups-to-control-access" />

### Set up groups to control access

Instead of assigning capabilities to individual users and applications, you create **groups** in CDF to define what **capabilities** members (users or applications) have to work with different CDF resources. Then you link and synchronize the CDF groups to user groups in the IdP and continue to manage users and applications in your IdP.

<CardGroup cols={2}>
  <Card title="Create and link Entra ID groups" icon="users" href="/cdf/access/entra/guides/create_groups_oidc">
    Create groups in CDF and link them to Microsoft Entra ID user groups. Define capabilities and synchronize membership for centralized access control.
  </Card>

  <Card title="Create and link Cognito groups" icon="users" href="/cdf/access/aws/guides/create_groups_oidc_cognito">
    Create groups in CDF and link them to Amazon Cognito user groups. Configure capabilities and manage access through your AWS identity provider.
  </Card>

  <Card title="Assign capabilities to groups" icon="shield-check" href="/cdf/access/guides/capabilities">
    Define what users and applications can do with CDF resources. Configure capabilities for resource types, actions, and security categories.
  </Card>

  <Card title="Learn core concepts" icon="book" href="/cdf/access/concepts/concepts">
    Explore organizations, projects, groups, and capabilities. Understand how these components work together to secure your CDF environment.
  </Card>
</CardGroup>

<a id="step-2-register-and-configure-local-apps" />

## Step 2: Register and configure local apps

When you have set up the core applications and groups and verified that users can sign in with their organizational IDs, it's time to register and configure the apps and components you need for your data integration pipelines, contextualization flows, and data dashboards and to start developing solutions.

<CardGroup cols={2}>
  <Card title="Register and configure applications" icon="code" href="/cdf/access/entra/guides/configure_apps_oidc">
    Configure local applications and components to enable secure access to CDF resources.
  </Card>
</CardGroup>

<a id="step-3-dive-deeper" />

## Step 3: Dive deeper

Get in-depth knowledge that will help you implement an entire project.

<CardGroup cols={2}>
  <Card title="Learn design principles" icon="compass" href="/cdf/access/concepts/best_practices_oidc#design-principles-openid-connect-and-cdf">
    Understand the design principles for using Microsoft Entra ID's OpenID Connect implementation to manage access to CDF.
  </Card>

  <Card title="Follow best practices" icon="star" href="/cdf/access/concepts/best_practices_oidc#best-practices-register-applications-and-set-up-groups">
    Learn the best practices for registering applications and setting up groups to authenticate with CDF.
  </Card>

  <Card title="Understand authentication flows" icon="shuffle" href="/cdf/access/concepts/authentication_flows_oidc">
    Learn how OAuth 2.0 grant types work with CDF. Understand how tokens are obtained and choose the right authentication flow for users, services, and applications.
  </Card>

  <Card title="Understand access token scopes" icon="tag" href="/cdf/access/concepts/access_token_scopes">
    Learn how OAuth 2.0 scopes expand or restrict access granted by CDF groups. View the most relevant scopes defined by CDF.
  </Card>
</CardGroup>

<a id="step-4-fix-issues" />

## Step 4: Fix issues

If you are receiving errors or seeing unexpected behavior, our troubleshooting tips can help you resolve the issues.

<CardGroup cols={2}>
  <Card title="Troubleshoot access issues" icon="wrench" href="/cdf/access/troubleshooting/troubleshoot_oidc">
    Resolve common authentication and authorization problems. Debug token issues, permission errors, and configuration mistakes.
  </Card>
</CardGroup>
