Single Sign-on (SSO) for Confluent Cloud¶

Use single sign-on (SSO) for Confluent Cloud to manage your Confluent Cloud users and authenticate them using your existing identity provider instead of using Confluent Cloud local user accounts and passwords. Enabling SSO in Confluent Cloud lets you manage your users in one place and allows users to sign in to Confluent Cloud using their existing SSO credentials. Using SSO improves your security and lets you use multi-factor authentication (MFA), if provided by your identity provider.

You can use single sign-on (SSO) with Confluent Cloud with:

Your SAML-based identity provider. To enable, see Enable SAML Single Sign-on (SSO) for Confluent Cloud.
Your OIDC-based Azure Marketplace identity provider. See Azure Marketplace and OIDC-based SSO.

In Confluent Cloud, SSO is enabled at the organization level. After SSO is enabled, the authentication behavior changes as follows:

All new invited users to the organization are authenticated using SSO (by default).
Once a user authenticates using SSO, they cannot be added as a local user in other organizations.

Warning

When SSO is disabled, the authentication method for users does not automatically change. Before you disable SSO, make sure that you have a local user account with the OrganizationAdmin role to be able to sign in to your organization.

For details about SSO user accounts, see Single sign-on (SSO) user accounts. Multi-factor authentication (MFA), including two-factor authentication (2FA), is an SSO option available from most identity providers.

Azure Marketplace and OIDC-based SSO¶

When you create a Confluent Cloud organization through Azure Marketplace, Confluent automatically enables Azure OIDC SSO for your organization based on OpenID Connect (OIDC) using the associated Microsoft Entra ID (Azure Active Directory) as the identity provider. OIDC is an authentication protocol that is built on top of the OAuth 2.0 framework for user identities.

On the Single sign-on page in the Confluent Cloud Console at https://confluent.cloud/settings/security/sso, you can:

Verify that Azure OIDC SSO is enabled for your organization. You should see the following message: “You have already enabled Single Sign-on (SSO) through your Azure Active Directory and you cannot change the configuration.”
Get the Sign-On link for your organization. This is the URL that you can use to sign in to your Confluent Cloud organization using Azure OIDC SSO.

With Azure OIDC SSO, the user identification is the email address attribute in Microsoft Entra ID (Azure Active Directory). If the email address attribute is not available, the user identification is the user principal name (UPN) attribute is used as the Confluent email address identifier.

Confluent Cloud SAML-based SSO workflow¶

Web browser¶

With SSO enabled, users sign in at confluent.cloud/login/sso/<sso-identifier>. The browser makes an OpenID Connect (OIDC) request to the identity broker at login.confluent.io, which then redirects the browser to send a SAML request to the organization’s identity provider. After the user successfully authenticates, the identity provider responds with a signed SAML ID Assertion, which the identity broker translates into a JSON Web Token (JWT). Confluent Cloud uses this token to authenticate additional requests from the browser.

Confluent Cloud SSO workflow¶

Confluent CLI¶

When SSO is enabled and the confluent login command is issued, the following browser-based workflow is launched:

Generates an HTTP server on localhost to receive the authentication callback.
Initiates the SSO flow by navigating to login.confluent.io in the browser.
The browser automatically redirects the user to the identity provider sign-in page.
After successfully signing in, the browser redirects the user back to localhost with a signed id_token.
Confluent CLI uses the id_token to obtain a Confluent Cloud back-end session.

Note

If the Confluent CLI is running on a server without a web browser (also known as a “jump” host”), then this flow does not work. In such cases, you must log in using the --no-browser option. For details, refer to Sign in to Confluent Cloud using SSO.

Sign in to Confluent Cloud using SSO¶

You can sign in to Confluent Cloud using the Confluent CLI or the Confluent Cloud Console.

For SSO-enabled organizations, you can sign in to your Confluent Cloud organization using the following Confluent CLI command with your SSO user account:

confluent login

Note

For the “SSO” authentication method, the confluent login command does not prompt the user for a password. SSO relies on your identity provider for authentication.

If the Confluent CLI is running on a server without a web browser (also known as a “jump host”), then you cannot sign in using confluent login. In such cases, you must use the --no-browser option:

confluent login --no-browser

After running this command, you receive a printout of a URL, which you must copy and paste into a local browser. After you provide your credentials and successfully log in, the browser displays a code that you must copy and paste back into in the Confluent CLI. Your workflow should look like the following:

confluent login --no-browser
Updates are available for ccloud. To install them, please run:
$ confluent update

Enter your Confluent credentials:
Email: smith@confluent.io
Navigate to the following link in your browser to authenticate:
https://login.confluent.io/authorize?response_type=code&code_challenge=NovO_c6FO44G-6cfRbqTrBcEOrDnvm7GNZLCHCmbPM8&code_challenge_method=S252&client_id=hPbGLM8G55HSaUsaaieiiAprnJaEc3rH&redirect_uri=https://confluent.cloud/cli_callback&scope=email%20openid&audience=https://confluent.auth0.com/api/v2/&state=CoOGX1aQhvwdH2dFSvKV-gh09INnYcXFaYbUnWq3Ekw&connection=big-company

After authenticating in your browser, paste the code here:
#### The following code was copied and pasted from the browser #####
CoOGX1aQhvwdH2dFSvKV-gh09INnXcXFaYbUnWq3Ekw/bf1jJFSANhlQBqPn
Logged in as smith@confluent.io
Using environment t21388 ("default")

After new users are invited to use SSO, they receive an email notification that includes a link to the new SSO sign-in page. The wording and format of the notification will vary by organization, but it will always include a link that the recipient must click to accept the invitation and complete account setup.

Note

The link in the notification is for one-time use. Do not share the link with other users in your organization. This link only works for the recipient of the email notification.

Fill in the acceptance form and click Submit. The new SSO login screen appears. The organization-specific SSO login URL should look like https://confluent.cloud/login/sso/<sso-identifier>, where sso-identifier is replaced by the identifier for your organization. This is your new permanent Confluent Cloud SSO login page. If using bookmarks, save this URL.

Disable SSO¶

To disable SSO:

In Confluent Cloud Console, open the sidebar menu and click ADMINISTRATION -> Single sign-on.

The Single sign-on page displays.
Scroll to the bottom of the Single sign-on page and click Disable.

When SSO is disabled, the SSO user accounts associated with your organization cannot authenticate using your identity provider, and must select Forgot Password? to create a Confluent Cloud password to authenticate.

To re-enable SSO, you must repeat the steps in Enable SAML Single Sign-on (SSO) for Confluent Cloud.

Troubleshoot SSO¶

If you attempt to sign in for the first time after enabling SSO while you are still signed in to your identity provider, you might be signed in immediately and bypass the identity provider sign-in window. If this occurs, sign out of your identity provider session, then sign in using an incognito browser window.