Entra ID (Azure AD) SSO

Cortex supports configuring Single Sign-On (SSO) with Microsoft Entra ID (formerly known as Azure Active Directory) with OpenID Connect for protecting access to your Cortex workspace.

Cortex also supports an integration to track Entra ID teams and team members as entity owners as well as create Scorecards involving your Entra ID teams. See the Entra ID (Azure AD) integration page for more information.

How to configure Entra ID SSO for Cortex

You must have the Configure OpenID Connector & SCIM permission.

Step 1: Set up a new Entra ID application in Azure

  1. From the Entra ID overview page in your Azure portal, click Add > App registration.

  2. Enter a descriptive name for the application, such as "Cortex login."

  3. Under "Supported account types," select Accounts in this organizational directory only.

    1. Selecting this option means the SSO will only work for the given Entra instance and not for other organizations.

  4. Under "Redirect URI (optional)," select Web from the dropdown menu.

  5. In the Authorized redirect URI field, enter https://cortexapp.auth0.com/login/callback .

  6. Click Register to save the app. You will be redirected to the app's overview page.

  7. Copy the Application (client) ID value and store it in a secure location, as you will need this in the next steps.

You can find more detailed instructions on registering an app with the Microsoft identity platform in its quickstart guide.

Step 2: Create a client secret in Azure

  1. From the app's Overview page in Azure, click Add a certificate or secret, then go to the Client secrets tab.

  2. Click New client secret. Enter a description and expiration.

    • The SSO will stop working when the secret expires, so set an expiration that makes sense for your process. If you regularly rotate secrets, a shorter expiration period might make more sense. If you do not, a longer duration will ensure that SSO continues to function without frequent interruption.

  3. Click Save.

  4. Copy the value of the secret and store it in a secure location, as you will need this in the next steps.

Step 3: Obtain the metadata document endpoint in Azure

  1. Go to the Overview page in Azure and click the Endpoints tab.

  2. Copy the OpenID Connect metadata document URL up to and including /v2.0.

    • It should be in the format https://login.microsoftonline.com/<uuid>/v2.0.

Step 4: Configure SSO in Cortex

  1. In your Cortex workspace, navigate to Settings > OpenID Connector.

  2. Configure the form:

    • Type: Select Azure.

    • Identifier: Enter the application (client) ID from Step 1.

    • Secret: Enter the client secret created in Step 2.

    • Issuer: Enter the issuer URI from Step 3.

      • Do not include a backslash after v2.0 in the issuer URI. It causes the URI to be processed as an invalid configuration.

  3. At the bottom of the page, click Save.

After saving your configuration, users will only have the option to sign in to your Cortex workspace via Microsoft Entra ID.
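
To check the Issuer value from Steps 3 and 4 before saving it, the following added example (not Cortex or Microsoft code) derives the issuer from the copied metadata document URL and rejects values that do not match the format shown in Step 3. The function names and the sample tenant ID are assumptions made for illustration, and rejecting a trailing "/" or "\" is an assumption based on the note in Step 4.

```python
import re
from urllib.parse import urlsplit

# Suffix of the "OpenID Connect metadata document" URL on the Endpoints tab.
WELL_KNOWN = "/.well-known/openid-configuration"
# Step 3 format: https://login.microsoftonline.com/<uuid>/v2.0
TENANT_PATH = re.compile(
    r"^/[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/v2\.0$"
)


def issuer_from_metadata_url(copied: str) -> str:
    """Return the issuer for the Cortex form, or raise ValueError."""
    url = copied.strip()
    if url.endswith(WELL_KNOWN):
        url = url[: -len(WELL_KNOWN)]  # keep everything up to /v2.0
    if url.endswith(("/", "\\")):
        raise ValueError("remove the trailing slash after v2.0")
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != "login.microsoftonline.com":
        raise ValueError("expected https://login.microsoftonline.com")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    if not TENANT_PATH.match(parts.path):
        # Also rejects /common and /organizations, which do not fit the
        # single-tenant choice made in Step 1.
        raise ValueError("path must be /<tenant uuid>/v2.0")
    return url


def matches_discovery(issuer: str, discovery_doc: dict) -> bool:
    """OIDC Discovery requires the document's issuer to equal the configured one."""
    return discovery_doc.get("issuer") == issuer


if __name__ == "__main__":
    # Constructed sample tenant ID, not a real tenant.
    tenant = "11111111-2222-3333-4444-555555555555"
    base = f"https://login.microsoftonline.com/{tenant}/v2.0"
    print(issuer_from_metadata_url(base + WELL_KNOWN))
    for bad in (base + "/", base.replace("/v2.0", ""), base.replace(tenant, "common")):
        try:
            issuer_from_metadata_url(bad)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```
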
