Introduction
Effective Identity and Access Management (IAM) is crucial for securing your data and controlling who can perform which actions within your Cognite Data Fusion (CDF) project. This guide provides a structured overview of setting up your Identity Provider (IdP) and managing access for users, groups, applications, and service accounts within CDF. It primarily directs you to the official Cognite documentation for detailed, step-by-step instructions.
Section 1: Setting Up Your Identity Provider (IdP) for Cognite Data Fusion
Integrating CDF with your organization's IdP enables Single Sign-On (SSO) and allows you to manage user identities and group memberships centrally.
- Understand CDF Authentication and Core Access Management Concepts:
  - Before configuring your IdP, familiarize yourself with how access management works in CDF: access is granted through groups, which carry capabilities that are limited by scopes.
  - Documentation: Access management concepts
- Steps to configure your IdP with CDF:
  - As an admin, create a group in your IdP and add the users who should have admin access as members of that group.
  - Share the Tenant ID and Group ID with your contact at Cognite.
  - Documentation: CDF and identity providers (IdPs)
- Connect Your IdP Configuration to CDF:
  - Once your IdP is configured, you will need to register the Cognite API and application as trusted applications within your IdP.
  - Documentation: Register the Cognite API and applications
Section 2: Authorizing Users and Service Accounts Using Groups in CDF
Once your IdP is set up, you need to control what actions various principals can perform. Authorization for these principals in CDF is primarily managed through groups: each group carries capabilities, and each capability is limited by a scope.
- Managing Groups:
  - Groups are central to CDF access control. You assign capabilities with appropriate scopes to a group and then add users and service accounts as members.
  - Tasks include creating groups and assigning capabilities.
  - Documentation: Assign capabilities
- Managing group membership of users and service accounts:
  - Users typically sign in via the configured IdP. Their access is determined by the CDF groups they belong to (often via linked IdP groups).
  - Direct user management within CDF is less common when using an IdP for authentication, but it might be needed in specific scenarios.
  - Documentation: Manage groups and group membership
- Managing Service Accounts:
  - Create service accounts for applications or services that need to authenticate and interact with CDF APIs autonomously (not on behalf of a specific user). These use token-based authentication.
  - Assign capabilities to service accounts by adding them to relevant CDF groups.
  - Documentation: Add a service account to a CDF group
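The group, capability and scope model described in this section, as an added example that is not Cognite's own code or SDK: a small Python check that reviews group definitions before they are created, flagging mutating actions granted with an unrestricted scope and groups with no IdP link. It assumes the JSON body the CDF IAM API accepts for a group (a name, an optional sourceId that links the group to an IdP group, and capabilities that each map one "<resource>Acl" key to its actions and scope); the group names, dataset id and IdP group id are constructed placeholders.

```python
"""Lint CDF group definitions for weak scoping before they are created.

Added example, not Cognite's code. Input is the assumed CDF IAM group body:
name, optional sourceId (IdP group link), capabilities of "<x>Acl" objects.
"""
from typing import Any

# Actions that change data; granting them with an unrestricted scope is flagged.
MUTATING_ACTIONS = {"WRITE", "CREATE", "UPDATE", "DELETE"}

# Constructed sample: a scoped, IdP-linked reader group and an over-broad writer group.
SAMPLE_GROUPS: list[dict[str, Any]] = [
    {
        "name": "assets-readers",
        "sourceId": "00000000-0000-0000-0000-000000000001",  # placeholder IdP group ID
        "capabilities": [
            {"assetsAcl": {"actions": ["READ"], "scope": {"datasetScope": {"ids": [42]}}}},
        ],
    },
    {
        "name": "pipeline-writer",  # no sourceId: membership is managed by hand in CDF
        "capabilities": [
            {"assetsAcl": {"actions": ["READ", "WRITE"], "scope": {"all": {}}}},
            {"timeSeriesAcl": {"actions": ["READ"], "scope": {"all": {}}}},
        ],
    },
]

def lint_group(group: dict[str, Any]) -> list[str]:
    """Return findings for one group definition; an empty list means it passed."""
    name = group.get("name", "<unnamed>")
    findings: list[str] = []
    if not group.get("sourceId"):
        findings.append(f"{name}: no sourceId, so membership is not governed by an IdP group")
    for capability in group.get("capabilities", []):
        # Each capability object has exactly one key, e.g. "assetsAcl".
        (acl, body), = capability.items()
        actions = set(body.get("actions", []))
        scope = body.get("scope", {})
        broad_writes = sorted(actions & MUTATING_ACTIONS)
        if broad_writes and "all" in scope:
            findings.append(f"{name}: {acl} grants {broad_writes} with scope 'all'")
    return findings

def lint_groups(groups: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each group name to its findings, keeping only groups that have any."""
    report = {g.get("name", "<unnamed>"): lint_group(g) for g in groups}
    return {name: found for name, found in report.items() if found}
```

Run the check against the group bodies you intend to send to the IAM API; a clean run returns an empty report, and each finding names the group and the capability to narrow.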
Properly configuring your IdP and managing access through groups and capabilities are fundamental steps for a secure and well-governed Cognite Data Fusion environment. Always refer to the official Cognite documentation for the most up-to-date and detailed procedures. The links provided above serve as starting points for each topic.