Enable SSO for Cortex Self-managed

Cortex Self-Managed comes with support for SSO out of the box with any auth provider that supports OIDC.

Your self-managed instance is auth-less out of the box, to allow for easy iteration. Once you're ready to set up SSO, just adding the right configurations will immediately trigger the SSO gate.

Configure your SSO provider

1. Create an app in your SSO provider to be used for Cortex.

2. Set the redirect URL to be http(s)://[CORTEX BACKEND HOST]/login/oauth2/code/[PROVIDER],

   • for example, on Cortex Cloud, the Okta URL would be https://api.getcortexapp.com/login/oauth2/code/okta. Other common provider values include:

     • Amazon SAML - amazon

     • Azure Active Directory - azuread

     • Google SSO - google

     • JumpCloud SAML - jumpcloud

     • Okta SSO - okta

     • Generic OIDC - auth0

3. Copy the Client ID, Client Secret, and Issuer URI. (See individual provider sections below for details).

Configure SSO in Cortex

1. Navigate to Settings → OpenID Connector in your Cortex workspace.

2. Select your provider and add the ID, Secret, and Issuer URI.

3. To verify your setup, log out and back in. You should be prompted to log in with SSO.

Here are some common tips to Okta SSO:

1. Your Okta Issuer URL will look be [YOUR OKTA URL]/oauth2/default, for example https://dev-123.okta.com/oauth2/default. You must include the /oauth2/default.

If you are unable to log in to your instance, try the following troubleshooting tips.

• If using Okta, make sure that your Issuer URI ends in /oauth2/default, and is not just the Okta domain.

• To make changes to your SSO setup after misconfiguring it, you can disable auth again by connecting to the database for your Cortex instance and running DELETE FROM oidc_client_secret_basic_connections;. Refreshing the page will allow you to log back in.