User Accounts for Confluent Cloud

User account types

Confluent Cloud provides two user account types (local and SSO) and four authentication methods (username/password, Google, GitHub, and SSO), as summarized in the following table. Click on the account type to go directly to the relevant section below.

User account type	Authentication method	Description
Local	Username/password	A local user that authenticates using a username and password.
Local	Google (using Sign in with Google)	A local user account that authenticates using a user’s Google account.
Local	GitHub (using Sign in with GitHub)	A local user account that authenticates using a user’s GitHub account.
SSO	SSO	A user account that authenticates using single sign-on (SSO) with an organization’s identity provider (IdP).

Important

In order to create a more secure Confluent Cloud, the Authentication type of Local and SSO was deprecated on July 27, 2022 and all Local and SSO users were automatically converted to Local users.

Note that Confluent Cloud user accounts have the following conditions and limitations:

• Each user account represents one user and allows management of their access to Confluent Cloud.
• User accounts are organization-level resources and there is a limit on the number of user accounts in an organization. An organization can have only one identity provider (IdP).
• You can sign in to a user account using the Confluent Cloud Console or Confluent CLI. User accounts may own all types of API keys.
• You can bind role-based access control (RBAC) roles to user accounts.
• Principals (user and service accounts) can be granted ACLs, RBAC role bindings, or a combination of the two. For details, see Use ACLs with RBAC.
• You can create and manage user accounts using the Confluent Cloud Console or the Confluent CLI command confluent iam user invitation create.
• A user account can be a member of one or more organizations. When a user is a member of multiple organizations, their authentication type is the same across all organizations. For details, see Manage Multiple Organizations in Confluent Cloud.
• If your email provider supports creating multiple accounts or aliases by adding a plus sign (+) and a tag or word before the @ sign in an email address, you can use this feature to create multiple user accounts on Confluent Cloud.

Use multi-factor authentication with user accounts

Multi-factor authentication (MFA), including two-factor authentication (2FA), is supported for Confluent Cloud accounts when you use single sign-on (SSO) with an MFA option, provided by your SSO identity provider.

Note

For local user accounts in Confluent Cloud, multi-factor authentication is not available.

Local user accounts

Local user accounts are uniquely identified by their email address and authenticate using a username and password managed in Confluent Cloud.

You can create local user accounts that sign in to Confluent Cloud and authenticate using

• Local user: username/password
• Local user: Sign in with Google
• Local user: Sign in with GitHub

For information on security protections used by Confluent to prevent unauthorized access to user accounts and Confluent Cloud resources, see Confluent Cloud Security Protections for Authentication.

Local user: username/password

Create a local user (initial)

If you don’t have a Confluent Cloud account, you can create a local user account authenticating using a username and password.

To create a local user in Confluent Cloud:

1. Go to the Confluent Cloud Console (https://confluent.cloud/signup).
2. The Welcome to Confluent Cloud page appears.
3. To sign up for a new account, click Sign up and try it for free.
4. On the Confluent Cloud page, you can sign up and start using the account in minutes by completing the form, fill in values for your full name, organization, country, email address, and password. Then click Start free. A verification link is sent to the email address.
5. Check your email account for a Welcome to Confluent Cloud! message.
6. In the message, click Verify email address. You will be redirected to Confluent Cloud to finish creating your Confluent Cloud account.
7. Click Submit. You are signed in to Confluent Cloud and can begin exploring and using the Confluent Cloud Console.

Add a local user account using the Confluent Cloud Console

If you have been granted the OrganizationAdmin, EnvironmentAdmin, or CloudClusterAdmin role, you can use the Confluent Cloud Console to add, or invite, a local user.

For SSO-enabled organizations, only a user with the OrganizationAdmin role can invite a user to a local user account.

1. Go to the Confluent Cloud Console and sign in using a local user account that has been granted an OrganizationAdmin role.
2. Go to ADMINISTRATION > Accounts and access. The Accounts and access page appears listing User account.
3. Click Add user. The Add user page appears.
4. In Account, enter the email address for the user and, optionally, grant one or more role assignments.
5. Click Review to verify that the email address and role assignments are correct, and then click Create.

The new user is sent an email message to verify their account.

Important

An invitation for a user account expires 7 days after being sent.

For the maximum default quota on invitations (pending user accounts), see Organization quotas.

Password requirements

Local user accounts in Confluent Cloud and the Confluent Support Portal require passwords that conform to the following restrictions:

• Minimum length of 8 characters.
• Must contain at least one character from each of the following four character types:
  • Uppercase letter (A-Z)
  • Lowercase letter (a-z)
  • Number
  • Special character (! @ # $ % ^ & *)

Confluent Cloud local user accounts use Auth0 for authentication. For details about password strengths, see Password Strength in Auth0 Database Connections.

Local user: Sign in with Google

Users can create a local user account for Confluent Cloud using Google as their social identity provider (IdP). This simplifies user registration and sign-in and is a convenient alternative to mandatory account creation.

If your organization starts on Confluent Cloud using the “Sign in with Google” option, you can migrate later to use SAML-based single sign-on (SSO).

Note

You cannot currently disable Google authentication to use username/password authentication.

Use Sign in with Google to authenticate

You can sign up for a Confluent Cloud local user account with Google and then you will be able to use Sign in with Google on every future visit.

To use Sign in with Google:

1. Go to Confluent Cloud Console (https://confluent.cloud/signup).
2. Click Sign up with Google.
3. On the Choose an account page, click on your Google account.
4. In the Finish creating your Confluent account section, enter values for your Full name, Organization, and Country. Submit is now enabled.
5. Click Submit. You are signed in to Confluent Cloud and can now begin exploring and using the Confluent Cloud Console.

After registering your Google account with Confluent Cloud, you can sign in to Confluent Cloud by going to the Confluent Cloud Console and clicking Sign in with Google.

Local user: Sign in with GitHub

Users can create a local user account for Confluent Cloud using GitHub as their social identity provider (IdP). As a convenient alternative to mandatory account creation, using Sign in with GitHub simplifies user registration and sign-in.

If your organization starts on Confluent Cloud using the “Sign in with GitHub” option, you can migrate later to use SAML-based single sign-on (SSO).

Note

You cannot currently disable GitHub authentication to use username/password authentication.

Use Sign in with GitHub to authenticate

You can sign up for a Confluent Cloud local user account with GitHub and then you will be able to use Sign in with GitHub on every future visit. The primary email address on your GitHub account will be associated with your Confluent Cloud account.

To use Sign in with GitHub:

1. Go to the Sign-up page for Confluent Cloud at https://confluent.cloud/signup <https://confluent.cloud/signup>.
2. Click Sign up with GitHub. The Sign in to GitHub to continue to Confluent Cloud dialog appears.
3. Complete the Username or email address and Password fields and then click Sign in. The Two-factor authentication dialog appears.
4. Verify that you are signing in using two-factor authentication and, optionally, select the option to Use this method for future logins.
5. In the Finish creating your Confluent account section, enter values for your Full name, Organization, and Country. Submit is now enabled.
6. Click Submit. You are signed in to Confluent Cloud and can now begin exploring and using the Confluent Cloud Console.

After registering your GitHub account with Confluent Cloud, you can sign in to Confluent Cloud by going to the Confluent Cloud Console and clicking Sign in with GitHub.

Single sign-on (SSO) user accounts

User accounts created after enabling single sign-on (SSO) for your organization provide access to Confluent Cloud using an existing SAML-based identity provider (IdP) and a unique SSO sign-in URL. For more information on enabling and using SSO with Confluent Cloud, see SSO in Confluent Cloud.

Add an SSO user

To add an SSO user to your Confluent Cloud account, the user must be a member of the same organization domain, which is determined by the domain name part of the email address that follows the @ symbol.

The organization domain is determined by the first user to create a Confluent Cloud account using email address that includes the domain name. The first user is automatically assigned the OrganizationAdmin role, which grants permission to add users. Only users with the OrganizationAdmin role can invite a user to a local user account.

Note

SSO users cannot change their authentication method – they must use SSO.

To add an SSO user to your SSO-enabled organization:

1. Open the Confluent Cloud Console, open the sidebar menu, and click Accounts & access.
2. On the Accounts & access page, click Add user. The Add user page appears.
3. In the Account field, enter the email address of the user you want to add and then click Next.
4. Select the resources and associated roles for the user, and then click Review. A summary of the new account and the access appears.
5. Review the email address and access permissions, and then click Create user. The Accounts & access page reappears and displays the new user account Name, their ID, and a Status of Pending.

You have successfully created the user account. An email message is sent to the email address for the account and provides the unique organization-specific SSO URL (for example, https://confluent.cloud/login/sso/<sso-identifier>) for signing in to the organization on Confluent Cloud.

After the initial sign-in by the user, the user account on the Accounts and access page shows the Status as Active.

If a user does not have a Confluent Cloud account and attempts to sign in using the IdP, they will receive an “Invalid username” message.

Change the authentication type

Required RBAC role: OrganizationAdmin

If your organization has enabled SSO, you can change the authentication type of a user account from Local to SSO or vice versa.

To change the authentication type of an existing user account:

1. In the Confluent Cloud Console, go to the User accounts page at https://confluent.cloud/settings/org/accounts/users.

2. In the Name column, click the username of the user account you want to modify.

   The user account page opens displaying Details and Authentication settings.

3. Click the Edit authentication settings icon.

   The Authentication type and Authentication settings dropdowns appear.

4. Select the new authentication type: Local or SSO.

   When you select a different option than the current selection, Save Changes is enabled.

5. Click Save Changes.

   The authentication type you selected is now active.

Change the authentication method

A local user account in Confluent Cloud can use one of three authentication methods: username/password, Google, or GitHub, and the authentication method can be changed after an account is created.

To change the authentication method of an existing local user account:

1. Go to the User accounts page.

   • For your own user account: In the Confluent Cloud Console, go to the Settings page at https://confluent.cloud/settings/user-settings/identity. Or, expand the sidebar menu and click your name.
   • For another user account: In the Confluent Cloud Console, go to the Accounts & access page at https://confluent.cloud/settings/org/accounts/users and click the name of the account you want to modify.

   The Settings page opens displaying Details and Authentication settings.

2. Click the Edit authentication settings icon.

   The Authentication type and Authentication method options appear.

3. Select the new authentication type: username/password, Google or GitHub.

   When you select a different option than the current selection, Save Changes is enabled.

4. Click Save Changes.

   The authentication type you selected is now active.