Early Access for JIT user provisioning and group mapping
Just-in-time user provisioning and group mapping are early access features introduced to gain feedback. Use this feature only for evaluation and non-production testing purposes or to provide feedback to Confluent, particularly as it becomes more widely available in follow-on preview editions. To be considered for participation in the Early Access Program, contact Confluent Support.
Early Access Program features are intended for evaluation use in development and testing environments only, and not for production use. The warranty, SLA, and Support Services provisions of your agreement with Confluent do not apply to Early Access Program features. Early Access Program features are considered to be a Proof of Concept as defined in the Confluent Cloud Terms of Service. Confluent may discontinue providing preview releases of the Early Access Program features at any time in Confluent’s sole discretion.
Group mappings are a set of rules that you define to map groups in your SSO identity provider to Confluent Cloud RBAC roles. When a user signs in to Confluent Cloud for the first time using SSO, Confluent Cloud automatically creates a user account and assigns the Confluent Cloud RBAC roles you have mapped to the user’s groups.
Create a group mapping for each set of Confluent Cloud RBAC roles that you want to assign to a user based on the user’s group memberships in your SSO identity provider. Your organization might have groups with different sets of permissions based on teams, Confluent Cloud environments, or read/write/admin access. You can create a group mapping for each set of permissions.
For example, you might create a group mapping that assigns the Confluent Cloud RBAC roles DeveloperWrite and ResourceOwner to a user who is a member of the data-science group in your SSO identity provider.
Group mapping details¶
An administrator starts a group mapping by designating a SAML attribute for Confluent Cloud to pull as the group claim. For most organizations, the group claim is the user groups or security groups, but any SAML attribute configured by the identity provider can be used as groups (such as roles or a custom-defined attribute).
A group mapping is an association between a literal group, or a more complex filter group mapping, and a set of Confluent Cloud RBAC roles.
Literal group mapping¶
A literal group mapping is a string value representing a single group value. The string is case-sensitive and space-sensitive.
Filter group mapping¶
A filter group mapping is a string value representing a group filter that uses a Common Expression Language (CEL) expression on multiple groups.
Using a filter group mapping, an administrator can give a condition with the keyword groups to determine whether the group mapping can be applied to the SSO user.
To create a filter for a group mapping, the following Common Expression Language (CEL) operators (in order of precedence) are supported:
Note that the filter has a default character limit of 300 characters.
An administrator can use a filter with CEL expressions to create a group mapping for users who are members of either the data-science group or the engineering group in the SSO identity provider:
"data-science" in groups || "engineering" in groups
Using a filter group mapping like this avoids having redundant group mappings for users when the groups share identical RBAC permission sets.
API keys associated with user accounts cannot include permissions for group mappings. User API keys can only include permissions manually assigned to the user.
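To make the two mapping kinds concrete, here is an added example (not Confluent's code) that resolves RBAC roles from a user's SSO groups. A literal mapping is compared exactly, case- and space-sensitive; a filter mapping is evaluated by a small CEL-subset evaluator that covers only what the page's filter examples use (string literals, the groups keyword, in, &&, ||, parentheses and negation written as !(...)); the precedence order in, then &&, then || is assumed to follow CEL, the 300-character default limit is enforced, and the mapping names and the "platform" and "contractors" groups are constructed for illustration.

```python
"""Resolve Confluent Cloud RBAC roles from SSO group mappings (added example).

Only the CEL subset used on the page is evaluated: "x" in groups, &&, ||,
parentheses and !(...). Precedence (in, then &&, then ||) is assumed to
follow CEL; this is not Confluent's implementation.
"""
import re
from dataclasses import dataclass

FILTER_CHAR_LIMIT = 300  # default filter length limit stated in the page

TOKEN_RE = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(\|\||&&|!|\(|\)|\bin\b|\bgroups\b))')


def tokenize(expr):
    """Split a filter into ("str", value) and ("op", symbol) tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}: {expr[pos:pos + 12]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", m.group(1)[1:-1]))  # escapes kept as written
        else:
            tokens.append(("op", m.group(2)))
    return tokens


class FilterParser:
    """Recursive descent: or_expr -> and_expr -> unary -> membership."""

    def __init__(self, tokens, groups):
        self.toks, self.i, self.groups = tokens, 0, frozenset(groups)

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, val=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (val and v != val):
            raise ValueError(f"expected {val or kind}, got {v!r}")
        self.i += 1
        return v

    def parse(self):
        result = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError(f"unexpected trailing token {self.peek()[1]!r}")
        return result

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == ("op", "||"):
            self.take()
            right = self.and_expr()
            left = left or right
        return left

    def and_expr(self):
        left = self.unary()
        while self.peek() == ("op", "&&"):
            self.take()
            right = self.unary()
            left = left and right
        return left

    def unary(self):
        if self.peek() == ("op", "!"):
            self.take()
            if self.peek() != ("op", "("):
                raise ValueError('write negation as !("name" in groups)')
            return not self.membership()
        return self.membership()

    def membership(self):
        kind, val = self.peek()
        if (kind, val) == ("op", "("):
            self.take()
            inner = self.or_expr()
            self.take("op", ")")
            return inner
        if kind == "str":
            self.take()
            self.take("op", "in")
            self.take("op", "groups")
            return val in self.groups  # exact, case-sensitive membership test
        raise ValueError(f"unexpected token {val!r}")


def evaluate_filter(expr, groups):
    """True when the CEL filter admits a user holding exactly `groups`."""
    if len(expr) > FILTER_CHAR_LIMIT:
        raise ValueError(f"filter longer than {FILTER_CHAR_LIMIT} characters")
    return FilterParser(tokenize(expr), groups).parse()


@dataclass(frozen=True)
class GroupMapping:
    rule: str           # literal group name, or a CEL filter when is_filter is True
    roles: tuple        # Confluent Cloud RBAC roles granted when the rule matches
    is_filter: bool = False


def mapping_matches(mapping, groups):
    if mapping.is_filter:
        return evaluate_filter(mapping.rule, groups)
    return mapping.rule in groups  # literal: exact, case- and space-sensitive


def resolve_roles(mappings, groups):
    """Union of the roles of every mapping whose rule matches the user's groups."""
    roles = set()
    for mapping in mappings:
        if mapping_matches(mapping, groups):
            roles.update(mapping.roles)
    return sorted(roles)


# Constructed sample mappings; "platform" and "contractors" are hypothetical groups.
MAPPINGS = (
    GroupMapping("data-science", ("DeveloperWrite", "ResourceOwner")),
    GroupMapping('"data-science" in groups || "engineering" in groups',
                 ("DeveloperWrite",), is_filter=True),
    GroupMapping('"platform" in groups && !("contractors" in groups)',
                 ("OrganizationAdmin",), is_filter=True),
)
```

Running resolve_roles(MAPPINGS, ["Data-Science"]) returns no roles at all, which is the case-sensitivity point worth checking before a rollout: a group name that differs from the identity provider's value only in case or whitespace silently grants nothing.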
Enable group mappings¶
Required RBAC role: OrganizationAdmin.
Before you can map the SSO user groups in your SSO identity provider to Confluent Cloud RBAC roles, make sure that your SSO identity provider is configured to send group information in the SAML SSO assertion to Confluent Cloud.
To configure group mappings, you need to create a group mapping in Confluent Cloud and configure the SSO identity provider to send the group information to Confluent Cloud. The following tabs provide steps for configuring group mappings for two SSO identity providers: Azure Entra ID (Azure Active Directory) and Okta.
Locate the Confluent Cloud application.
Go to Azure portal, select Azure Active Directory > Enterprise applications. Search for the Confluent Cloud application.
In the navigation bar, select Single sign-on under Manage.
In Attributes & Claims, click Add a group claim. The Group Claim dialog appears.
For the question Which groups associated with the user should be returned in the claim?:
- If your organization uses Groups to bulk assign applications to users, select Groups assigned to the application.
- If you want to filter the group Display name to only include groups to be sent to Confluent Cloud for group mapping, select All Groups and use the Advanced options to filter the groups.
- For Source Attribute:
- Select Group ID to use the unique group identifier. If selected, the group mappings you create in Confluent Cloud are the identifier strings.
- Select Cloud-only group display names to use the group name for more meaningful names.
Create group permission mappings in Confluent Cloud.
Configure the SAML group attribute. Set the value to http://schemas.microsoft.com/ws/2008/06/identity/claims/groups or the custom claim or attribute that contains the group information.
Create mappings for each group. For each group, create the mapping with filters that match the group display name and
Open your Okta administrator console and select the Confluent Cloud application.
In the General tab, scroll to SAML Settings and send Group Attribute Statements.
In the second Configure SAML step in the SAML Integration settings, scroll to Group Attribute Statements (optional), enter groups for the Name, and set Matches regex to .*. This ensures all user groups are sent when a SAML SSO request is sent to Confluent Cloud.
If you only want to send a specific set of groups, rather than all groups that a user is a member of, change the filter to match only the groups you want sent to Confluent Cloud. You can also send a different user attribute than groups for other use cases.
Test that groups are sent correctly by clicking Preview the SAML Assertion.
The preview shows the SAML assertion sent to Confluent Cloud when a user signs in. In the SAML attribute with Name="groups", verify that the groups to be sent are listed.
Click Next and Finish to save the changes.
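The same check can be scripted against a saved assertion. The following is an added example, not Confluent's or Okta's code: it pulls every AttributeValue under the attribute that Confluent Cloud is configured to read as the group claim (the Okta Name="groups" attribute or the Azure claim URI from the steps above) and reports which expected group names are missing. The assertion is constructed for illustration, and values are deliberately returned untrimmed because a literal group mapping is space-sensitive.

```python
"""List the group values a SAML assertion carries for Confluent Cloud (added example)."""
import xml.etree.ElementTree as ET

SAML2_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
OKTA_GROUP_ATTRIBUTE = "groups"  # attribute Name used in the Okta steps
AZURE_GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion; the trailing space in "engineering " is deliberate.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>data-science</saml2:AttributeValue>
      <saml2:AttributeValue>engineering </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_groups(assertion_xml, attribute_name):
    """Return the raw AttributeValue strings under the named attribute, in order.

    Values are not trimmed: a literal group mapping is space-sensitive, so a
    stray space in the IdP value is a real mismatch worth surfacing. Parsing
    alone says nothing about authenticity; the service provider still has to
    validate the assertion's signature before trusting any group value.
    """
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", namespaces=SAML2_NS):
        if attr.get("Name") == attribute_name:
            for value in attr.iterfind("saml2:AttributeValue", namespaces=SAML2_NS):
                groups.append(value.text or "")
    return groups


def missing_groups(assertion_xml, attribute_name, expected):
    """Expected group names that are absent, or differ only by case or whitespace."""
    present = set(extract_groups(assertion_xml, attribute_name))
    return [name for name in expected if name not in present]
```

With the sample above, missing_groups(SAMPLE_ASSERTION, "groups", ["data-science", "engineering"]) reports "engineering" as missing, which is exactly the mismatch a literal mapping would also fail on.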
Open the Confluent Cloud Console and go to the Single sign-on page.
Create group permission mappings.
- Set the SAML group attribute to groups or the custom claim or attribute that contains the group information.
- Create mappings for each group, using filters that match the group names being sent by Okta.