Enabling SSO for Cortex Self-Managed
Cortex Self-Managed comes with support for SSO out of the box with any auth provider that supports OIDC.
Your self-managed instance is auth-less out of the box, to allow for easy iteration. Once you're ready to set up SSO, adding the right configuration will immediately trigger the SSO gate.
All providers require essentially the same steps to set up SSO.
- Create an app in your SSO provider to be used for Cortex.
- Set the redirect URL to be http(s)://[CORTEX BACKEND HOST]/login/oauth2/code/[PROVIDER]. For example, on our Cortex Cloud, the Okta URL would be https://api.getcortexapp.com/login/oauth2/code/okta. See below for other PROVIDER values:
- Amazon SAML -
- Azure Active Directory -
- Google SSO -
- JumpCloud SAML -
- Okta SSO -
- Copy the Client ID, Client Secret, and Issuer URI (see individual provider sections below for details).
- Navigate to Settings → OpenID Connector in your Cortex workspace.
- Select your provider and add the ID, Secret, and Issuer URI.
- If you log out and try to log back in, you'll now hit the SSO screen!
If the Cortex settings screen doesn't include the provider you're using, just select any of the providers in the dropdown.
Change the redirect URL in step 2 to include the provider you chose, like okta, even if your provider is not the same.
Under the hood, this is using standard OIDC and should work automatically!
If you're looking to configure a specific provider, here are some tips for common SSO providers.
Okta is fairly simple to set up. Simply create a new app in your Okta admin portal and follow the steps in Basic Setup.
- Your Okta Issuer URL will be [YOUR OKTA URL]/oauth2/default, for example https://dev-123.okta.com/oauth2/default. You must include the
- In the Cortex dashboard, the OIDC settings are found under OpenID Connector, not Okta. The Okta page is used when setting up Okta as an ownership provider.
If you've borked your instance and are unable to log in, try the following steps.
- If using Okta, make sure that your Issuer URI ends in /oauth2/default, and is not just the Okta domain.
To make changes to your SSO setup after misconfiguring it, you can disable auth again by connecting to the database for your Cortex instance and running the statement DELETE FROM oidc_connections; and then refreshing the page, which will allow you to log back in.
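
A pre-flight check for the values used in the setup steps, as an added example (not Cortex's own code): it builds the redirect URL in the format given above and checks an Issuer URI against the provider's OIDC discovery document, including the Okta /oauth2/default rule. The function names are hypothetical, and the discovery document is a constructed sample for the dev-123.okta.com example rather than a fetched one.

```python
from urllib.parse import urlsplit

def redirect_url(backend_host, provider, scheme="https"):
    """Redirect URL in the format this page gives for the SSO app."""
    return f"{scheme}://{backend_host}/login/oauth2/code/{provider}"

def discovery_url(issuer_uri):
    """OIDC Discovery serves provider metadata at this path under the issuer."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"

def check_issuer(issuer_uri, discovery_doc, okta=False):
    """Return a list of problems with the Issuer URI (empty list: looks right)."""
    problems = []
    parts = urlsplit(issuer_uri)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an absolute https URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query string or fragment")
    if okta and not issuer_uri.endswith("/oauth2/default"):
        problems.append("Okta issuer must end in /oauth2/default")
    # The issuer the provider advertises must match the configured value exactly.
    advertised = discovery_doc.get("issuer")
    if advertised != issuer_uri:
        problems.append(f"discovery document advertises issuer {advertised!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in discovery_doc:
            problems.append(f"discovery document lacks {key}")
    return problems

# Constructed sample of what discovery_url(ISSUER) would return; not fetched.
ISSUER = "https://dev-123.okta.com/oauth2/default"
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
    "jwks_uri": ISSUER + "/v1/keys",
}

if __name__ == "__main__":
    print(redirect_url("api.getcortexapp.com", "okta"))
    print(discovery_url(ISSUER))
    print(check_issuer(ISSUER, SAMPLE_DISCOVERY, okta=True))
    print(check_issuer("https://dev-123.okta.com", SAMPLE_DISCOVERY, okta=True))
```

To check a real provider, fetch the JSON at discovery_url(issuer) and pass the parsed document in place of the sample.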