User Accounts

Important

In order to create a more secure Confluent Cloud, the Authentication type for existing Local and SSO user accounts must be changed to SSO or Local. The deprecated Local and SSO authentication type will be removed on July 27, 2022 and all Local and SSO users will automatically be converted to Local users.

To change existing Local and SSO users:

  1. In Confluent Cloud Console, go to the User accounts page at https://confluent.cloud/settings/org/accounts/users.
  2. For each user account showing Local and SSO in the Type column:
    1. Click on the user account in the Name column.
    2. In the Authentication settings section, click Edit.

Note that after you select Local or SSO, the deprecated Local and SSO option is no longer available. For existing SSO organizations, there is no impact—all user types will stay as-is until July 2022. For new SSO organizations, after setting up SSO, all users will continue to remain local users and you must change the authentication type for the user to SSO.

User account types

Confluent Cloud provides two user account types (local and SSO) and four authentication methods (username/password, Google, GitHub, and SSO), as summarized in the following table. Click on the account type to go directly to the relevant section below.

| User account type | Authentication method | Description |
|---|---|---|
| Local | Username/password | A local user that authenticates using a username and password. |
| Local | Google (using Sign in with Google) | A local user account that authenticates using a user’s Google account. |
| Local | GitHub (using Sign in with GitHub) | A local user account that authenticates using a user’s GitHub account. |
| SSO | SSO | A user account that authenticates using single sign-on (SSO) with an organization’s identity provider (IdP). |

Note that Confluent Cloud user accounts have the following conditions and limitations:

  • Each user account represents one user and allows management of their access to Confluent Cloud.
  • User accounts are organization-level resources and there is a limit on the number of user accounts in an organization. An organization can have only one identity provider (IdP).
  • You can sign in to a user account using the Confluent Cloud Console or Confluent CLI. User accounts may own all types of API keys.
  • You can bind role-based access control (RBAC) roles to user accounts.
  • You cannot apply Kafka ACLs to user accounts. Instead, use service accounts with ACLs for accessing Kafka clusters in Confluent Cloud while limiting access to only what’s necessary.
  • You can create and manage user accounts using the Confluent Cloud Console or the Confluent CLI command confluent iam user invitation create.
  • A user account can be a member of one or more organizations. When a user is a member of multiple organizations, their authentication type is the same across all organizations. For details, see Manage multiple organizations.
  • If your email provider lets you, you can create multiple accounts or aliases by adding a plus sign (+) and a tag or word before the @ sign in an email address.

Local user accounts

Local user accounts are uniquely identified by their email address and authenticate using a username and password managed in Confluent Cloud.

You can create local user accounts that sign in to Confluent Cloud and authenticate using

Local user: username/password

Create a local user (initial)

If you don’t have a Confluent Cloud account, you can create a local user account authenticating using a username and password.

To create a local user in Confluent Cloud:

  1. Go to the Confluent Cloud Console (https://confluent.cloud/signup).
  2. The Welcome to Confluent Cloud page appears.
  3. To sign up for a new account, click Sign up and try it for free.
  4. On the Confluent Cloud page, complete the form by filling in values for your full name, organization, country, email address, and password. Then click Start free. A verification link is sent to the email address.
  5. Check your email account for a Welcome to Confluent Cloud! message.
  6. In the message, click Verify email address. You will be redirected to Confluent Cloud to finish creating your Confluent Cloud account.
  7. Click Submit. You are signed in to Confluent Cloud and can begin exploring and using the Confluent Cloud Console.

Add a local user account using the Confluent Cloud Console

If you have been granted the OrganizationAdmin, EnvironmentAdmin, or CloudClusterAdmin role, you can use the Confluent Cloud Console to add, or invite, a local user.

For SSO-enabled organizations, only a user with the OrganizationAdmin role can invite a user to a local user account.

  1. Go to the Confluent Cloud Console and sign in using a local user account that has been granted an OrganizationAdmin role.
  2. Go to ADMINISTRATION > Accounts and access. The Accounts and access page appears listing User account.
  3. Click Add user. The Add user page appears.
  4. In Account, enter the email address for the user and, optionally, grant one or more role assignments.
  5. Click Review to verify that the email address and role assignments are correct, and then click Create.

The new user is sent an email message to verify their account.

Local user: Sign in with Google

Users can create a local user account for Confluent Cloud using Google as their social identity provider (IdP). This simplifies user registration and sign-in and is a convenient alternative to mandatory account creation.

If your organization starts on Confluent Cloud using the “Sign in with Google” option, you can migrate later to use SAML-based single sign-on (SSO).

Note

You cannot currently disable Google authentication to use username/password authentication.

Use Sign in with Google to authenticate

You can sign up for a Confluent Cloud local user account with Google and then you will be able to use Sign in with Google on every future visit.

To use Sign in with Google:

  1. Go to Confluent Cloud Console (https://confluent.cloud/signup).
  2. Click Sign up with Google.
  3. On the Choose an account page, click on your Google account.
  4. In the Finish creating your Confluent account section, enter values for your Full name, Organization, and Country. Submit is now enabled.
  5. Click Submit. You are signed in to Confluent Cloud and can now begin exploring and using the Confluent Cloud Console.

After registering your Google account with Confluent Cloud, you can sign in to Confluent Cloud by going to the Confluent Cloud Console and clicking Sign in with Google.

Local user: Sign in with GitHub

Users can create a local user account for Confluent Cloud using GitHub as their social identity provider (IdP). As a convenient alternative to mandatory account creation, using Sign in with GitHub simplifies user registration and sign-in.

If your organization starts on Confluent Cloud using the “Sign in with GitHub” option, you can migrate later to use SAML-based single sign-on (SSO).

Note

You cannot currently disable GitHub authentication to use username/password authentication.

Use Sign in with GitHub to authenticate

You can sign up for a Confluent Cloud local user account with GitHub and then you will be able to use Sign in with GitHub on every future visit. The primary email address on your GitHub account will be associated with your Confluent Cloud account.

To use Sign in with GitHub:

  1. Go to the Sign-up page for Confluent Cloud at https://confluent.cloud/signup.
  2. Click Sign up with GitHub. The Sign in to GitHub to continue to Confluent Cloud dialog appears.
  3. Complete the Username or email address and Password fields and then click Sign in. The Two-factor authentication dialog appears.
  4. Verify that you are signing in using two-factor authentication and, optionally, select the option to Use this method for future logins.
  5. In the Finish creating your Confluent account section, enter values for your Full name, Organization, and Country. Submit is now enabled.
  6. Click Submit. You are signed in to Confluent Cloud and can now begin exploring and using the Confluent Cloud Console.

After registering your GitHub account with Confluent Cloud, you can sign in to Confluent Cloud by going to the Confluent Cloud Console and clicking Sign in with GitHub.

Single sign-on (SSO) user accounts

User accounts created after enabling single sign-on (SSO) for your organization provide access to Confluent Cloud using an existing SAML-based identity provider (IdP) and a unique SSO sign-in URL. For more information on enabling and using SSO with Confluent Cloud, see SSO in Confluent Cloud.

Add an SSO user

To add an SSO user to your Confluent Cloud account, the user must be a member of the same organization domain, which is determined by the domain name part of the email address that follows the @ symbol.

The organization domain is determined by the first user to create a Confluent Cloud account using an email address that includes the domain name. The first user is automatically assigned the OrganizationAdmin role, which grants permission to add users. Only users with the OrganizationAdmin role can invite a user to a local user account.

Note

SSO users cannot change their authentication method – they must use SSO.

To add an SSO user to your SSO-enabled organization:

  1. Open the Confluent Cloud Console, open the sidebar menu, and click Accounts & access.
  2. On the Accounts & access page, click Add user. The Add user page appears.
  3. In the Account field, enter the email address of the user you want to add and then click Next.
  4. Select the resources and associated roles for the user, and then click Review. A summary of the new account and the access appears.
  5. Review the email address and access permissions, and then click Create user. The Accounts & access page reappears and displays the new user account Name, their ID, and a Status of Pending.

You have successfully created the user account. An email message is sent to the email address for the account and provides the unique organization-specific SSO URL (for example, https://confluent.cloud/login/sso/<sso-identifier>) for signing in to the organization on Confluent Cloud.

After the initial sign-in by the user, the user account on the Accounts and access page shows the Status as Active.

If a user does not have a Confluent Cloud account and attempts to sign in using the IdP, they will receive an “Invalid username” message.

Change the authentication type

Confluent Cloud user accounts can have an authentication type of either Local or SSO. For details, see User account types.

To change the authentication type of an existing user account:

  1. In the Confluent Cloud Console, go to the User accounts page at https://confluent.cloud/settings/org/accounts/users.

  2. In the Name column, click the username of the user account you want to modify.

    The user account page opens displaying Details and Authentication settings.

  3. Click the Edit authentication type icon.

    The Authentication type dropdown appears.

  4. Select the new authentication type: Local or SSO.

    When you select a different option than the current selection, Save Changes is enabled.

  5. Click Save Changes.

    The authentication type you selected is now active.
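
Before working through accounts one by one in the console, an administrator can audit a user inventory for the conditions this page describes: the deprecated Local and SSO type, SSO users outside the organization domain, and plus-sign aliases that resolve to one mailbox. The following is an added example, not Confluent code; the rows are constructed, and the field names `email` and `auth_type` and the domain `example.com` are assumptions.

```python
from collections import defaultdict

# Constructed inventory rows. The field names "email" and "auth_type" are
# assumptions for this example, not a Confluent export format.
SAMPLE_USERS = [
    {"email": "alice@example.com", "auth_type": "SSO"},
    {"email": "bob@example.com", "auth_type": "Local and SSO"},
    {"email": "bob+test@example.com", "auth_type": "Local"},
    {"email": "carol@partner.example", "auth_type": "SSO"},
    {"email": "Dave@Example.com", "auth_type": "Local"},
]


def mailbox(email):
    """Lower-case the address and drop a +tag so aliases map to one mailbox.

    Assumes the email provider treats everything after '+' as an alias tag.
    """
    local, _, domain = email.strip().lower().rpartition("@")
    return local.split("+", 1)[0] + "@" + domain


def audit(users, org_domain):
    """Return (email, reason) findings for an administrator to review."""
    findings = []
    by_mailbox = defaultdict(list)
    for user in users:
        email, auth = user["email"], user["auth_type"].strip().lower()
        domain = email.strip().lower().rpartition("@")[2]
        by_mailbox[mailbox(email)].append(email)
        if auth == "local and sso":
            findings.append((email, "deprecated type: set Local or SSO"))
        elif auth not in ("local", "sso"):
            findings.append((email, "unknown authentication type"))
        # SSO users must belong to the organization's email domain.
        if auth == "sso" and domain != org_domain.lower():
            findings.append((email, "SSO user outside organization domain"))
    # Several accounts behind one mailbox deserve a second look.
    for box, emails in sorted(by_mailbox.items()):
        if len(emails) > 1:
            findings.extend((e, "shares mailbox " + box) for e in emails)
    return findings


if __name__ == "__main__":
    for email, reason in audit(SAMPLE_USERS, "example.com"):
        print(f"{email}: {reason}")
```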