Manage SSO Access to Confluent Support Portal¶

Note

Early Access for Managing SSO Access to Confluent Support Portal

Managing SSO access to Confluent Support Portal is an Early Access Program feature in Confluent Cloud introduced to gain feedback. This feature should be used only for evaluation and non-production testing purposes or to provide feedback to Confluent, particularly as it becomes more widely available in follow-on preview editions. To participate in this Early Access Program, contact your Confluent account manager.

Early Access Program features are intended for evaluation use in development and testing environments only, and not for production use. Early Access Program features are provided: (a) without support; (b) “AS IS”; and (c) without indemnification, warranty, or condition of any kind. No service level commitment will apply to Early Access Program features. Early Access Program features are considered to be a Proof of Concept as defined in the Confluent Cloud Terms of Service. Confluent may discontinue providing preview releases of the Early Access Program features at any time in Confluent’s sole discretion.

You can use Confluent Cloud Single Sign-On (SSO) authentication to let your users sign in to both Confluent Cloud and the Confluent Support using their existing SSO credentials. To enable this, you need to add any email domains used with your SSO identity provider as trusted domains for your Confluent Cloud Organization.

Prerequisites¶

Confluent Cloud SSO is enabled.
Access to edit DNS configurations or the website for the domains you want to verify ownership and add as a trusted domains.

Limitations¶

You can currently only use one Confluent Cloud Organization to represent your organization. If you have multiple Confluent Cloud Organizations, choose one to represent your organization. SSO users included in this Confluent Cloud Organization can use their SSO credentials to sign in to Confluent Cloud and the Confluent Support Portal.

Add a trusted domain¶

To add a trusted domain to your Confluent Cloud Organization, you need to verify that you own the email domain name by using domain verification. After you verify the ownership of the domain, users with email addresses from the trusted domain can authenticate to Confluent Cloud and the Confluent Support Portal using their SSO credentials.

To add a trusted domain to Confluent Cloud SSO in in your Confluent Cloud Organization, complete the following steps:

Open the Confluent Cloud Console and under your user name, click Organization settings.

The Organization settings page displays.
In the Trusted domains section, click Add domain.

The Add domain dialog displays.
Enter the domain name to be added as a trusted domain, then click Create domain and continue.

The Verification method section displays.

Select a verification method (DNS TXT Record or HTML File) and follow the steps for that method.

Verification method	Description
DNS TXT Record	(Preferred) If you can access the DNS records for the domain, you can add a TXT record, provided by Confluent, to the DNS configuration of your domain.
HTML File	Upload an HTML file that includes the verification code provided by Confluent. This method requires you to have access to the root directory of the domain.

Domain verification is required to ensure that you are the owner. The verification method you use does not affect the functionality of the trusted domain.

Sign in to your domain name host provider in a separate browser window.
Go to the DNS records for your domain.

The DNS records can be found in the domain settings or the DNS management section of your domain host provider.
Add a new TXT record with the following values:

Field Value

Record type TXT

Name/Host/Alias @

Value/Destination Enter the verification code provided by Confluent

Example of a verification code:
```
confluent-verification=b35a7fca2-becd-3c2e-adg6-26143db1853
```

Download or copy the HTML code displayed in the Confluent Cloud Console and save it as confluent-domain-verification.html.

Example of the HTML code:
```
<html>
  <head></head>
  <body>b35a7fca2-becd-3c2e-adg6-26143db1853</body>
</html>
```
Upload the HTML file (confluent-domain-verification.html) to the root directory of your domain at the following URL:
```
https://<your-domain-name>/.well-known/confluent-domain-verification.html
```

Click Verify domain.

If successfully verified, the domain is added as a trusted domain to the list of Trusted domains on the Organization settings page with the Status as “Verified”.

If the verification fails, an error message displays “Your domain verification has failed” and the domain is added to the Trusted domains list with the Status as “Not verified” and the option to click Verify domain again.

To verify the domain later, click Verify later. If you select this option, you are returned to the Organization settings page. Under Trusted domains, the domain name shows the status Not verified. To verify the domain later, click Verify domain when you are ready.
1. Open a web browser to the URL address above and verify that the HTML page includes your verification code.

If you successfully verified the domain, it is added to the Trusted domains listing and users with email addresses from the trusted domain can use SSO to authenticate to Confluent Cloud and the Confluent Support Portal.

If the domain verification fails, see Troubleshoot domain verification.

Remove a trusted domain¶

If you no longer want to allow users with email addresses from a trusted domain to authenticate to Confluent Cloud using SSO, you can remove the domain from the list of Trusted domains. After you remove the domain, users with email addresses from the deleted domain can no longer authenticate to Confluent Cloud using SSO.

To remove a trusted domain from your SSO configuration in Confluent Cloud:

Open the Confluent Cloud Console and under your user name, click Organization settings.

The Organization settings page displays.
In the Trusted domains section, click the Remove icon next to the domain you want to remove.

The Delete domain dialog displays.
Enter the domain name to be removed, then click Confirm.

Troubleshoot domain verification¶

If you encounter issues with domain verification, review the following common solutions or contact Confluent Support.

Ensure that the verification values are accurate¶

For the DNS TXT Record verification method, make sure the entire TXT verification code is used with the format: confluent-verification=xxxxxxxxxxxx.

For the HTML File verification method, make sure the filename matches confluent-domain-verification.html and is loaded at https://<your-domain-name>/.well-known/confluent-domain-verification.html.

Verify that Confluent Cloud SSO is working¶

If the SSO user account sign-in for the Confluent Support Portal fails, the Confluent Cloud SSO is not configured properly. The authentication for the Confluent Support Portal should match the authentication type of the user account in the Confluent Cloud Organization.

For help resolving SSO configuration issues, see Troubleshoot SSO Issues on Confluent Cloud and Enable SAML Single Sign-on (SSO) for Confluent Cloud.