Group mapping

Note

Early Access for JIT user provisioning and group mapping

Just-in-time user provisioning and group mapping are early access features introduced to gain feedback. Use this feature only for evaluation and non-production testing purposes or to provide feedback to Confluent, particularly as it becomes more widely available in follow-on preview editions. To be considered for participation in the Early Access Program, contact Confluent Support.

Early Access Program features are intended for evaluation use in development and testing environments only, and not for production use. The warranty, SLA, and Support Services provisions of your agreement with Confluent do not apply to Early Access Program features. Early Access Program features are considered to be a Proof of Concept as defined in the Confluent Cloud Terms of Service. Confluent may discontinue providing preview releases of the Early Access Program features at any time in Confluent’s sole discretion.

Group mappings are a set of rules that you define to map groups in your SSO identity provider to Confluent Cloud RBAC roles. When a user signs in to Confluent Cloud for the first time using SSO, Confluent Cloud automatically creates a user account and assigns the Confluent Cloud RBAC roles you have mapped to the user’s groups.

Create a group mapping for each set of Confluent Cloud RBAC roles that you want to assign to a user based on the user’s group memberships in your SSO identity provider. Your organization might have groups with different sets of permissions based on teams, Confluent Cloud environments, or read/write/admin access. You can create a group mapping for each set of permissions.

For example, you might create a group mapping that assigns the Confluent Cloud RBAC roles DeveloperWrite and ResourceOwner to a user who is a member of the data-science group in your SSO identity provider.

Group mapping details

An administrator starts a group mapping by designating a SAML attribute for Confluent Cloud to pull as the group claim. For most organizations, the group claim is the user groups or security groups, but any SAML attribute configured by the identity provider can be used as groups (such as roles or a custom-defined attribute).

A group mapping is an association between a literal group, or a more complex filter group mapping, and a set of Confluent Cloud RBAC roles.

Literal group mapping

A literal group mapping is a string value representing a single group value. The string is case-sensitive and space-sensitive.

Filter group mapping

A filter group mapping is a string value representing a group filter that uses a Common Expression Language (CEL) expression on multiple groups.

Using a filter group mapping, an administrator can give a condition with the keyword groups to determine whether the group mapping can be applied to the SSO user.

To create a filter for a group mapping, the following Common Expression Language (CEL) operators (in order of precedence) are supported:

  • in (Inclusion test)
  • && (Logical AND)
  • || (Logical OR)

Note that the filter has a default character limit of 300 characters.

Example

An administrator can use a filter with CEL expressions to create a group mapping for users who are members of either the data-science group or the engineering group:

"data-science" in groups || "engineering" in groups

Using a filter group mapping like this avoids having redundant group mappings for users when the groups share identical RBAC permission sets.

Limitations

API keys associated with user accounts cannot include permissions for group mappings. User API keys can only include permissions manually assigned to the user.

Enable group mappings

Required RBAC role: OrganizationAdmin.

Before you can map the SSO user groups in your SSO identity provider to Confluent Cloud RBAC roles, make sure that your SSO identity provider is configured to send group information in the SAML SSO assertion to Confluent Cloud.

To configure group mappings, you need to create a group mapping in Confluent Cloud and configure the SSO identity provider to send the group information to Confluent Cloud. The following tabs provide steps for configuring group mappings for two SSO identity providers: Azure Entra ID (Azure Active Directory) and Okta.

  1. Locate the Confluent Cloud application.

    Go to the Azure portal, select Azure Active Directory > Enterprise applications, and search for the Confluent Cloud application.

  2. In the navigation bar, select Single sign-on under Manage.

  3. In Attributes & Claims, click Add a group claim. The Group Claim dialog appears.

  4. For the question Which groups associated with the user should be returned in the claim?:

    • If your organization uses Groups to bulk-assign applications to users, select Groups assigned to the application.
    • If you want to filter by group display name so that only the groups used for group mapping are sent to Confluent Cloud, select All Groups and use the Advanced options to filter the groups.
    1. For Source Attribute:
      • Select Group ID to use the unique group identifier. If selected, the group mappings you create in Confluent Cloud must use the identifier strings (for example, 9efcf0ab-9227-411d-bbea-0481e862c115).
      • Select Cloud-only group display names to use the group names, which are more meaningful than identifiers.
  5. Create group permission mappings in Confluent Cloud.

    1. Configure the SAML group attribute.

      Set the value to http://schemas.microsoft.com/ws/2008/06/identity/claims/groups or to the custom claim or attribute that contains the group information.

    2. Create mappings for each group.

      For each group, create the mapping with filters that match the group display name and Group ID.
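As an added, self-contained example (not Confluent's code, and not a description of how Confluent Cloud implements this internally), the following Python script ties the pieces of this page together: it pulls the group values out of a SAML assertion using the attribute configured in step 5.1, evaluates literal and filter group mappings with the three CEL operators and the precedence listed under Filter group mapping, enforces the 300-character default limit, and returns the union of RBAC roles a JIT-provisioned user would receive. The assertion fragment, the mappings, the group name platform-admins and the role name DeveloperRead are constructed sample values; the filter grammar implemented here supports only the three operators the page lists (no parentheses or other CEL syntax).

```python
import re
import xml.etree.ElementTree as ET

# SAML attribute carrying the group claim (the Azure/Entra default named on the page).
GROUP_ATTRIBUTE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
FILTER_MAX_CHARS = 300  # default filter length limit stated on the page
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not a real capture); only the AttributeStatement is shown.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>data-science</saml:AttributeValue>
      <saml:AttributeValue>9efcf0ab-9227-411d-bbea-0481e862c115</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_groups(assertion_xml, attribute_name=GROUP_ATTRIBUTE):
    """Values of the configured group attribute, left untrimmed so matching stays
    case- and space-sensitive as the page requires."""
    root = ET.fromstring(assertion_xml)
    return [v.text or ""
            for attr in root.findall(".//saml:Attribute", SAML_NS)
            if attr.get("Name") == attribute_name
            for v in attr.findall("saml:AttributeValue", SAML_NS)]

# Filter tokens: a quoted group name, the operators && and ||, keyword `in`, identifier `groups`.
TOKEN_RE = re.compile(r'"([^"]*)"|(&&|\|\||in\b|groups\b)')

def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported syntax at offset {pos}: {expr[pos:pos + 10]!r}")
        tokens.append(("STRING", m.group(1)) if m.group(1) is not None else ("OP", m.group(2)))
        pos = m.end()
    return tokens

def evaluate_filter(expr, groups):
    """True when the CEL filter `expr` admits a user holding `groups`.
    Precedence as listed on the page: `in` binds tightest, then &&, then ||."""
    if len(expr) > FILTER_MAX_CHARS:
        raise ValueError(f"filter exceeds {FILTER_MAX_CHARS} characters")
    tokens, pos = tokenize(expr), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def in_expr():  # STRING 'in' 'groups' -> exact membership test
        nonlocal pos
        tok = peek()
        if tok is None or tok[0] != "STRING":
            raise ValueError(f"expected a quoted group name at token {pos}")
        pos += 1
        for keyword in ("in", "groups"):
            if peek() != ("OP", keyword):
                raise ValueError(f"expected {keyword!r} at token {pos}")
            pos += 1
        return tok[1] in groups  # case- and space-sensitive, as the page states

    def and_expr():  # in_expr ('&&' in_expr)*
        nonlocal pos
        result = in_expr()
        while peek() == ("OP", "&&"):
            pos += 1
            result = in_expr() and result  # right side is always parsed so syntax errors surface
        return result

    def or_expr():  # and_expr ('||' and_expr)*
        nonlocal pos
        result = and_expr()
        while peek() == ("OP", "||"):
            pos += 1
            result = and_expr() or result
        return result

    result = or_expr()
    if peek() is not None:
        raise ValueError(f"unexpected trailing token {peek()[1]!r}")
    return result

def resolve_roles(groups, mappings):
    """Union of roles from every (kind, rule, roles) mapping that applies; kind is 'literal' or 'filter'."""
    roles = set()
    for kind, rule, mapping_roles in mappings:
        applies = rule in groups if kind == "literal" else evaluate_filter(rule, groups)
        if applies:
            roles.update(mapping_roles)
    return roles

if __name__ == "__main__":
    mappings = [  # constructed sample mappings; the filter rule is the page's own example
        ("literal", "data-science", {"DeveloperWrite", "ResourceOwner"}),
        ("filter", '"data-science" in groups || "engineering" in groups', {"DeveloperRead"}),
        ("literal", "platform-admins", {"OrganizationAdmin"}),
    ]
    user_groups = extract_groups(SAMPLE_ASSERTION)
    print("groups from assertion:", user_groups)
    print("roles granted at JIT sign-in:", sorted(resolve_roles(user_groups, mappings)))
```

Running the script prints the two group values from the sample assertion and the roles DeveloperRead, DeveloperWrite and ResourceOwner; the platform-admins mapping does not apply because that group is absent from the assertion. Because the page states that `&&` binds tighter than `||`, an expression such as `"a" in groups || "b" in groups && "c" in groups` is evaluated as `"a" in groups || ("b" in groups && "c" in groups)`, which is why the evaluator parses `&&` chains inside `||` chains rather than left to right.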