Add an OAuth/OIDC Identity Provider for Confluent Cloud¶
Follow the procedures below to use the Confluent Cloud Console to configure an OAuth 2.0 identity provider (IdP) and identity pool.
To use the Confluent Cloud APIs to create, read, update, list, and delete identity providers, see Identity Providers (iam/v2).
Add an identity provider using Confluent Cloud Console¶
Required RBAC roles: OrganizationAdmin
Important
Before you add a new identity provider, review Best Practices for OAuth Identity Providers.
You can use the Confluent Cloud Console to configure an OAuth 2.0 identity provider with one of the following options:
- Azure Active Directory (Azure AD)
- Okta
- Other OIDC identity provider
To configure an OAuth 2.0 identity provider:
In Confluent Cloud Console, go to the Identity providers tab under Accounts & access at http://confluent.cloud/settings/org/identity_providers.
Click Add identity providers.
Select the OIDC identity provider type and click Next.
Click Azure AD, Okta or Other OIDC identity provider and complete the fields for that provider type.
Azure AD fields:
- Name
Enter a meaningful name for your Azure AD identity provider.
- Description
Enter meaningful information for using and managing this provider.
- Tenant ID
Enter the tenant identifier.
- Import from OIDC Discovery URL
Click to import metadata required to configure your OIDC provider. This option adds the OIDC Discovery URL and automatically fills the JWKS URI and Issuer URI fields.
- JWKS URI
Enter the URI for JSON Web Key Set (JWKS).
A JSON Web Key Set (JWKS) is the set of public keys used to verify the signature of any JSON Web Token (JWT) issued by your Azure AD identity provider. The tenant-independent common endpoint in the example is acceptable because it is the Issuer URI, not the JWKS URI, that ties tokens to your tenant.
Example:
https://login.microsoftonline.com/common/discovery/v2.0/keys
- Issuer URI
Enter the issuer URI for your Azure AD authorization server.
The issuer URI is the unique string that identifies the entity that issues tokens. It must match the iss claim of the tokens your provider issues exactly, so replace {tenant_id} with your own tenant ID rather than using common.
Example:
https://login.microsoftonline.com/{tenant_id}/v2.0
Okta fields:
- Name
Enter a meaningful name for your Okta identity provider.
- Description
Enter meaningful information for using and managing this provider.
- Authorization server
Enter the authorization server identifier for your Okta identity provider. The default value is default, but it can be modified.
- Domain
Enter the domain. The default value is {yourDomain}.okta.com. Replace {yourDomain} with your Okta domain name.
- Import from OIDC Discovery URL
Click to import metadata required to configure your OIDC provider. This option adds the OIDC Discovery URL and automatically fills the JWKS URI and Issuer URI fields.
- JWKS URI
Enter the URI for JSON Web Key Set (JWKS).
A JSON Web Key Set (JWKS) is the set of public keys used to verify the signature of any JSON Web Token (JWT) issued by your Okta identity provider.
Example:
https://mycompany.okta.com/oauth2/default/v1/keys
- Issuer URI
Enter the issuer URI for your Okta identity provider.
The issuer URI is the unique string that identifies the entity that issues tokens and must match the iss claim of each token exactly. For Okta it ends with the authorization server identifier entered above.
Example:
https://mycompany.okta.com/oauth2/default
Other OIDC identity provider fields:
- Name
Enter a meaningful name for your OAuth identity provider.
- Description
Enter meaningful information for using and managing this provider.
- OIDC Discovery URL
Enter your OIDC Discovery URL.
- Import from OIDC Discovery URL
Click to import metadata required to configure your OIDC provider. This option adds the OIDC Discovery URL and automatically fills the JWKS URI and Issuer URI fields.
- JWKS URI
Enter the URI for JSON Web Key Set (JWKS).
A JSON Web Key Set (JWKS) is the set of public keys used to verify the signature of any JSON Web Token (JWT) issued by your OAuth 2.0 identity provider.
- Issuer URI
Enter the issuer URI for your OAuth identity provider.
The issuer URI is the unique string that identifies the entity that issues tokens and must match the iss claim of each token exactly. If you import from the OIDC Discovery URL, it is taken from the issuer field of the discovery document.
Click Validate and save. The Accounts & access page appears, displaying the Identity providers tab.
Click on your new identity provider. A details page appears, showing a summary listing of your identity provider name, description, issuer URI, and JWKS URI.
You have successfully created your identity provider, but you must still set up an identity pool before it can be used.
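The following is an added example, not Confluent code, that reproduces offline what the Import from OIDC Discovery URL and Validate and save steps depend on: it derives the Issuer URI and JWKS URI from a discovery document, enforces the OIDC Discovery rule that the issuer must equal the discovery URL minus its well-known suffix, and then checks a token's alg, iss, kid and exp against that configuration. The discovery document, JWKS and tokens are constructed from the page's Okta examples; the RSA modulus and the token signatures are placeholders, and signature verification is deliberately left to a JOSE library.

```python
from __future__ import annotations

import base64
import json
from typing import Any

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample discovery document for the Okta "default" authorization
# server used in the page's examples (only the fields this check needs).
DISCOVERY_URL = "https://mycompany.okta.com/oauth2/default" + WELL_KNOWN
DISCOVERY_DOC: dict[str, Any] = {
    "issuer": "https://mycompany.okta.com/oauth2/default",
    "jwks_uri": "https://mycompany.okta.com/oauth2/default/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Constructed JWKS as it would be fetched from jwks_uri; the modulus is a
# placeholder because this check stops short of signature verification.
JWKS: dict[str, Any] = {
    "keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-2024-01",
              "n": "<modulus-omitted>", "e": "AQAB"}]
}


def import_from_discovery(discovery_url: str, doc: dict[str, Any]) -> dict[str, str]:
    """Return the Issuer URI and JWKS URI a console import would fill in,
    after the consistency checks OIDC Discovery requires."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("discovery URL must end with " + WELL_KNOWN)
    issuer = doc.get("issuer")
    jwks_uri = doc.get("jwks_uri")
    if not issuer or not jwks_uri:
        raise ValueError("discovery document lacks issuer or jwks_uri")
    for name, url in (("issuer", issuer), ("jwks_uri", jwks_uri)):
        if not url.startswith("https://"):
            raise ValueError(f"{name} must be an https URL: {url}")
    # OIDC Discovery: issuer == discovery URL minus the well-known suffix.
    # A mismatch means the metadata describes some other issuer.
    expected = discovery_url[: -len(WELL_KNOWN)].rstrip("/")
    if issuer.rstrip("/") != expected:
        raise ValueError(f"issuer {issuer!r} does not match discovery URL")
    return {"issuer_uri": issuer, "jwks_uri": jwks_uri}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple[dict[str, Any], dict[str, Any]]:
    """Split a compact JWS into (header, payload) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_token_against_provider(token: str, provider: dict[str, str],
                                 jwks: dict[str, Any], now: float) -> list[str]:
    """Return the problems a token hits against this provider configuration
    before signature verification; an empty list means these checks pass.
    The signature must still be verified against the matching JWK (for
    example with a JOSE library) before any claim is trusted."""
    problems: list[str] = []
    header, payload = decode_jwt_unverified(token)
    alg = header.get("alg", "")
    if not alg or alg == "none" or alg.startswith("HS"):
        problems.append(f"unacceptable alg {alg!r}: only asymmetric JWKS keys can verify tokens")
    # iss is compared as an exact string against the configured Issuer URI.
    if payload.get("iss") != provider["issuer_uri"]:
        problems.append(f"iss {payload.get('iss')!r} != issuer URI {provider['issuer_uri']!r}")
    kid = header.get("kid")
    key = next((k for k in jwks["keys"] if k.get("kid") == kid), None)
    if key is None:
        problems.append(f"kid {kid!r} not found in JWKS at {provider['jwks_uri']}")
    elif key.get("use", "sig") != "sig" or (key.get("alg") and key["alg"] != alg):
        problems.append(f"JWKS key {kid!r} is not a signing key for alg {alg!r}")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def make_demo_token(header: dict[str, Any], payload: dict[str, Any]) -> str:
    """Build a compact JWS with a placeholder signature for exercising the
    checks above; it is NOT a validly signed token."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"placeholder-signature")])


PROVIDER = import_from_discovery(DISCOVERY_URL, DISCOVERY_DOC)
NOW = 1_700_000_000  # fixed clock so the demo is deterministic
GOOD_TOKEN = make_demo_token(
    {"alg": "RS256", "typ": "JWT", "kid": "key-2024-01"},
    {"iss": DISCOVERY_DOC["issuer"], "sub": "client-abc", "exp": NOW + 300})
WRONG_ISSUER_TOKEN = make_demo_token(
    {"alg": "RS256", "kid": "key-2024-01"},
    {"iss": "https://mycompany.okta.com/oauth2/other", "sub": "client-abc", "exp": NOW + 300})

if __name__ == "__main__":
    print(PROVIDER)
    print("good token:", check_token_against_provider(GOOD_TOKEN, PROVIDER, JWKS, NOW) or "ok")
    print("wrong issuer:", check_token_against_provider(WRONG_ISSUER_TOKEN, PROVIDER, JWKS, NOW))
```

The issuer mismatch case is the one worth running before Validate and save: an Azure AD Issuer URI that still reads common, or an Okta Issuer URI pointing at a different authorization server than the one that issued the token, fails the exact iss comparison even though the JWKS lookup succeeds.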