Just-in-time user provisioning

Just-in-time (JIT) user provisioning automatically creates Confluent Cloud user accounts, then uses group mappings, to grant Confluent Cloud access to Confluent Cloud resources based on group memberships in your single sign-on (SSO) identity provider.

When a user from your SSO-enabled organization uses their SSO credentials to sign in to Confluent Cloud for the first time, Confluent Cloud automatically creates a user account with no predefined access to Confluent Cloud resources. If group mappings are available, the user is automatically granted Confluent Cloud role-based access control (RBAC) roles and permissions based on their group memberships in the organization’s user directory at your SSO identity provider.

JIT user provisioning and group mappings reduce your administrative workload and expedite user onboarding because you no longer must manually provision users by creating Confluent Cloud user accounts and configuring roles and permissions in advance.


Keep the following limitations in mind when using JIT user provisioning:

  • For Azure Marketplace organizations, JIT user provisioning is not supported.

You can disable JIT user provisioning at any time. For details, see Disable JIT user provisioning.

Disable JIT user provisioning

RBAC role required: OrganizationAdmin.

By default, JIT user provisioning is enabled for users in your SSO identity provider. If the behavior listed in Limitations is not wanted, an organization administrator can disable JIT user provisioning.

To disable JIT user provisioning for users in your SSO identity provider, use the Organizations API to update the organization settings by making an HTTP PATCH request to /org/v2/organizations/<org_uuid> with the jit_enabled field set to false. The following curl command shows an example request:

curl --request PATCH --url 'https://api.confluent.cloud/org/v2/organizations/<org_uuid>' \
 --header 'Authorization: Basic <user-credentials>' \
 --header 'content-type: application/json' \
 --data '{"jit_enabled": false}'

The response, in JSON format, returns the updated organization setting in JSON format.

For details about updating an organization using the Organizations API, see Update an Organization.