Enable SSO for Cortex Self-Managed

Cortex Self-Managed comes with support for Single Sign-On (SSO) with any authentication provider that supports OIDC.

SSO is not enabled by default on your self-managed instance, to allow for easy iteration.

Step 1: Configure an app in your SSO provider

  1. Create an app in your SSO provider to be used for Cortex.

  2. Set the redirect URL to http(s)://[CORTEX BACKEND HOST]/login/oauth2/code/[PROVIDER].

    • For example, on Cortex Cloud, the Okta URL would be https://api.getcortexapp.com/login/oauth2/code/okta. Other common provider values include:

      • Amazon SAML - amazon

      • Azure Active Directory - azuread

      • Google SSO - google

      • JumpCloud SAML - jumpcloud

      • Okta SSO - okta

      • Generic OIDC - auth0

  3. Copy the client ID, client secret, and issuer URI. Store these in a secure location, as you will need them in the next steps.

Step 2: Configure SSO in Cortex

  1. In Cortex, navigate to Settings > OpenID Connector.

  2. Configure the OIDC form:

    • Type: Select your SSO provider.

      • If your provider is not listed, type its name into the Type dropdown then click +Add new.

    • Identifier: Enter your client ID.

    • Secret: Enter your client secret.

    • Issuer: Enter your Issuer URI, e.g., https://{your-org}.okta.com.

      • For Okta, if you are using the default authorization server then your Issuer will be https://{your-org}.okta.com/oauth2/default.

  3. At the bottom of the page, click Save.

If the Cortex settings screen doesn't include the provider you're using, just select any of the providers in the dropdown. Change the redirect URL in step 2 to include the provider you chose, like okta, even if your provider is not the same.

This process uses standard OIDC.
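Because the flow is standard OIDC, the redirect URL and Issuer value can be checked before they are entered in the form. The following is an added example, not Cortex's own code: the function names, the `example-org` tenant, the provider-slug pattern and the embedded discovery document are constructed for illustration. It builds the redirect URL from Step 1 and compares the Issuer against the `issuer` field of the provider's discovery document, which catches the Okta case above where `/oauth2/default` is left off.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample of what GET <issuer>/.well-known/openid-configuration returns
# for an Okta default authorization server ("example-org" is a placeholder tenant).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example-org.okta.com/oauth2/default",
  "authorization_endpoint": "https://example-org.okta.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://example-org.okta.com/oauth2/default/v1/token",
  "jwks_uri": "https://example-org.okta.com/oauth2/default/v1/keys"
}""")

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def redirect_url(backend_host, provider, scheme="https"):
    """Build the Step 1 redirect URL: <scheme>://<host>/login/oauth2/code/<provider>."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not re.fullmatch(r"[A-Za-z0-9.-]+(:\d+)?", backend_host):
        raise ValueError("backend host must be a bare host[:port]")
    # Assumption: provider values look like the ones listed on this page (okta, azuread, ...).
    if not re.fullmatch(r"[a-z0-9]+", provider):
        raise ValueError("provider must be a lowercase value such as okta or azuread")
    return f"{scheme}://{backend_host}/login/oauth2/code/{provider}"


def discovery_url(issuer):
    """OIDC Discovery location for an issuer (any trailing slash is removed first)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(configured_issuer, discovery):
    """Return a list of problems; an empty list means the Issuer value is consistent."""
    problems = []
    if urlsplit(configured_issuer).scheme != "https":
        problems.append("issuer is not https")
    # OIDC Discovery requires the advertised issuer to equal the configured one exactly.
    if discovery.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: provider advertises {discovery.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        if urlsplit(discovery.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    return problems


if __name__ == "__main__":
    print(redirect_url("api.getcortexapp.com", "okta"))
    print(check_issuer("https://example-org.okta.com", SAMPLE_DISCOVERY))
```

In practice, fetch the document from `discovery_url(issuer)` and pass the parsed JSON to `check_issuer` in place of the constructed sample.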

To verify your setup, log out and back in. You should be prompted to log in with SSO.

Disabling SSO

If you misconfigured your SSO setup, you can disable auth again by connecting to the database for your Cortex instance and running:

    DELETE FROM oidc_client_secret_basic_connections;

After doing this, refresh the page to log back in.
