Logging into the CDP CLI/SDK

You can log into the CDP CLI using two different methods. The interactive method described in this topic integrates with any SAML-compliant external identity provider.

There are two ways to log into the CDP CLI/SDK. The traditional method requires generating access credentials (an API access key and private key), then configuring the ~/.cdp/credentials file with the key pair. In this method the access credentials are permanent until they are removed from the ~/.cdp/credentials file. If you prefer to use this method of access, you can skip to the following topics: Generating an API access key and Configuring CDP client with the API access key. It is possible that this traditional login method may be disabled by an administrator, and therefore unavailable to some users.

If you would prefer that user access to the CLI/SDK is shorter-lived, you can use the "interactive" method of logging into the CDP CLI/SDK. By default, this login method grants a 12-hour access key to the CLI/SDK. The access key will time out after one hour of inactivity. The interactive method integrates with any SAML-compliant external identity provider. To set up the interactive method of logging into the CLI/SDK, follow the steps below.

Determine which identity provider you want to use for login. If you do not specify an IdP in the login command, the login command will use your default IdP, which is typically the oldest identity provider configured under User Management > Identity Providers.
Verify that the identity provider you are using has been configured for SAML-based sign on.
Take note of your CDP tenant/account ID. To find it, click your user name in the bottom left hand navigation menu, select Profile, and then copy the Tenant ID field.

Use the following command to login to the CDP CLI:
```
cdp login --account-id <tenant-account-id> --identity-provider <idp-name> --use-device-code 
```
- --account-id is required unless it is configured in the ~/.cdp/config file (account_id).
- --identity-provider is optional, but if not specified, the command uses the default IdP. Give the name or the CRN of the desired IdP as listed in the details page for the IdP, which you can access from User Management > Identity Providers.
- --use-device-code allows for the CDP CLI login on a device that does not have a browser. If you use this parameter in the login command, you are instructed to open a URL from any other device with a browser present, input a code displayed on the CLI screen, then complete the authentication flow in the browser.
  note
  The --use-device-code option is not enabled by default. To have this feature enabled, contact your account team.
Running the command sends a request to the specified IdP, which opens the login page in a browser window.
Login to the IdP using your company credentials.
The browser window will inform you when it is safe to close the window. The access key that is generated by the command is saved to the ~/.cdp/credentials file. You can run a test command in the CLI to verify that you are successfully logged in. If you receive an authentication error, login in again.