Manage Single Sign-on (SSO) User Accounts¶
RBAC role required: OrganizationAdmin or AccountAdmin.
After enabling single sign-on (SSO) for your organization, you can manage SSO user accounts in Confluent Cloud, including modifying default user permissions, adding new SSO users, and changing the authentication type of existing user accounts.
Default user permissions¶
Note
Starting on April 10, 2024, all SSO user accounts in new SSO-enabled organizations are assigned default user permissions. Existing SSO-enabled organizations can opt in by clicking Enable on the recommended action on the Confluent Cloud Console home page.
When SSO is enabled for an organization, a default group mapping (all-sso-users)
is applied to all SSO user accounts. This mapping binds them to two predefined RBAC
roles, providing the essential minimum permissions needed to access Confluent Cloud resources
across all environments in the organization.
An SSO user account’s effective permissions are the combination of these default
user permissions and any additional permissions granted through other group mappings.
Organization administrators can modify the default user permissions included in the
all-sso-users group mapping.
The default user permissions assigned to all SSO user accounts in an organization by
the all-sso-users group mapping include the following roles:
- FlinkDeveloper
- The FlinkDeveloper role allows users to create and execute Flink statements within existing compute pools across any environment in the organization. For details about the permissions and allowed operations, see FlinkDeveloper.
- DataDiscovery
- The DataDiscovery role allows users to access stream goverance tools for any environment in their organization. Users can view and manage data resources in Confluent Cloud, including Data portal, Schema Registry, Stream Catalog, and Stream Lineage. For details about the permissions and allowed operations, see DataDiscovery.
Enable default user permissions¶
Required RBAC role: OrganizationAdmin
To enable the default user permissions for all SSO user accounts in your organization, you can either enable the option on the Confluent Cloud Console home page or manually create the group mapping in the Confluent Cloud Console.
The following steps create the default user permissions by enabling the option on the Confluent Cloud Console home page and letting Confluent Cloud automatically create the group mapping.
Go to the Confluent Cloud Console.
Under Recommended on the home page, find the Enable Flink and Data Portal for all users option.
Click Enable to apply the default user permissions to all SSO user accounts in your organization.
The Flink and Data Portal unlocked message appears stating:
- Congratulations! A group permission to access Flink and the Data Portal has been created for all SSO users.
- Users will stil need topic access to view data. You can modify access in the Group Permissions settings of Single sign-on.
Click Okay to close the dialog, click Learn more to access the documentation, or click Manage access to go to the User group permissions section in the Single sign-on tab under Accounts & access.
The User group permissions section in the Single sign-on tab displays the new default user permissions mapping with the following values:
Column Value Name Default User Permissions Mapping all-sso-users Group mapping ID group-<auto-generated> Description User permissions given to all SSO user accounts in the organization, created by Confluent.
The following steps create the same default user permissions as in the Cloud Console - Enable tab, but you manually create the group mapping.
Go to the Confluent Cloud Console and in the sidebar menu, click Accounts & access.
Click the Single sign-on tab.
In the User group permissions section, click Add group mapping.
The New group mapping dialog appears.
In the Group mapping details section, enter the following values:
Column Value Name Default User Permissions (or a name of your choice) Description User permissions given to all SSO user accounts in the organization, created by Confluent (or a description of your choice) In the Map group or attribute section, click Advanced and enter the following value:
all-sso-users
Click Next.
The Assign permission step appears.
In the Assign permission step, click Add role assignment.
A list of available roles appears.
Select FlinkDeveloper and click Add.
In the sidebar, verify that the FlinkDeveloper role is in the Roles assigned list.
Click Add role assignment again and add the DataDiscovery role.
In the sidebar, verify that the DataDiscovery role is in the Roles assigned list.
Click Next.
Review the group mapping details and the assigned roles.
Click Save.
Verify that your new default user permissions mapping appears in the User group permissions list. The default user permissions are now enabled for all SSO user accounts in your organization. You can modify the default user permissions mapping or delete it, if required.
Modify the default user permissions¶
Required RBAC role: OrganizationAdmin
To modify the default user permissions assigned to all SSO user accounts in your
organization, update the all-sso-users group mapping.
To change the default user permissions for all SSO user accounts:
- Go to the User group permissions section in your SSO settings at https://stag.cpdev.cloud/settings/org/sso.
- Update the group mapping for
all-sso-usersand save the changes.
All SSO user accounts are now assigned the updated default permissions.
Add an SSO user¶
To add an SSO user to your Confluent Cloud account, the user must be a member of
the same organization domain, which is determined by the domain name part
of the email address that follows the @ symbol.
The organization domain is determined by the first user to create a Confluent Cloud account using email address that includes the domain name. The first user is automatically assigned the OrganizationAdmin role, which grants permission to add users. Only users with the OrganizationAdmin role can invite a user to a local user account.
Note
SSO users cannot change their authentication method – they must use SSO.
To add an SSO user to your SSO-enabled organization:
- Open the Confluent Cloud Console, open the sidebar menu, and click Accounts & access.
- On the Accounts & access page, click Add user. The Add user page appears.
- In the Account field, enter the email address of the user you want to add and then click Next.
- Select the resources and associated roles for the user, and then click Review. A summary of the new account and the access appears.
- Review the email address and access permissions, and then click Create user.
The Accounts & access page reappears and displays the new user account Name,
their ID, and a Status of
Pending.
You have successfully created the user account. An email message is sent to the
email address for the account and provides the unique organization-specific SSO
URL (for example, https://confluent.cloud/login/sso/<sso-identifier>) for
signing in to the organization on Confluent Cloud.
After the initial sign-in by the user, the user account on the Accounts and
access page shows the Status as Active.
If a user does not have a Confluent Cloud account and attempts to sign in using the IdP, they will receive an “Invalid username” message.
Change the authentication type¶
Required RBAC role: OrganizationAdmin
If your organization has enabled SSO, you can change the authentication type of a user account from Local to SSO or vice versa.
To change the authentication type of an existing user account:
In the Confluent Cloud Console, go to the User accounts page at https://confluent.cloud/settings/org/accounts/users.
In the Name column, click the username of the user account you want to modify.
The user account page opens displaying Details and Authentication settings.
Click the Edit authentication settings icon.
The Authentication type and Authentication settings dropdowns appear.
Select the new authentication type: Local or SSO.
When you select a different option than the current selection, Save Changes is enabled.
Click Save Changes.
The authentication type you selected is now active.