Manage Single Sign-on (SSO) User Accounts on Confluent Cloud

RBAC role required: OrganizationAdmin or AccountAdmin.

After enabling single sign-on (SSO) for your organization, you can manage SSO user accounts in Confluent Cloud, including modifying default user permissions, adding new SSO users, and changing the authentication type of existing user accounts.

Default user permissions

Note

Starting on April 10, 2024, all SSO user accounts in new SSO-enabled organizations are assigned default user permissions. Existing SSO-enabled organizations can opt in by clicking Enable on the recommended action on the Confluent Cloud Console home page.

When SSO is enabled for an organization, a default group mapping (all-sso-users) is applied to all SSO user accounts. This mapping binds them to two predefined RBAC roles, providing the essential minimum permissions needed to access Confluent Cloud resources across all environments in the organization.

An SSO user account’s effective permissions are the combination of these default user permissions and any additional permissions granted through other group mappings. Organization administrators can modify the default user permissions included in the all-sso-users group mapping.

The default user permissions assigned to all SSO user accounts in an organization by the all-sso-users group mapping include the following roles:

FlinkDeveloper
The FlinkDeveloper role allows users to create, execute, and delete statements for Apache Flink within existing compute pools across any environment in the organization. For details about the permissions and allowed operations, see FlinkDeveloper.
DataDiscovery
The DataDiscovery role allows users to access Stream Governance tools for any environment in their organization. Users can view and manage data resources in Confluent Cloud, including Data Portal, Schema Registry, Stream Catalog, and Stream Lineage. For details about the permissions and allowed operations, see DataDiscovery.

Enable default user permissions

Required RBAC role: OrganizationAdmin

To enable the default user permissions for all SSO user accounts in your organization, you can either enable the option on the Confluent Cloud Console home page or manually create the group mapping in the Confluent Cloud Console.

The following steps create the default user permissions by enabling the option on the Confluent Cloud Console home page and letting Confluent Cloud automatically create the group mapping.

  1. Go to the Confluent Cloud Console.

  2. Under Recommended on the home page, find the Enable Flink and Data Portal for all users option.

  3. Click Enable to apply the default user permissions to all SSO user accounts in your organization.

    The Flink and Data Portal unlocked message appears stating:

    • Congratulations! A group permission to access Flink and the Data Portal has been created for all SSO users.
    • Users will still need topic access to view data. You can modify access in the Group Permissions settings of Single sign-on.
  4. Click Okay to close the dialog, click Learn more to access the documentation, or click Manage access to go to the User group permissions section in the Single sign-on tab under Accounts & access.

    The User group permissions section in the Single sign-on tab displays the new default user permissions mapping with the following values:

    Column            Value
    Name              Default User Permissions
    Mapping           all-sso-users
    Group mapping ID  group-<auto-generated>
    Description       User permissions given to all SSO user accounts in the organization, created by Confluent.

Verify that your new default user permissions mapping appears in the User group permissions list. The default user permissions are now enabled for all SSO user accounts in your organization. You can modify the default user permissions mapping or delete it, if required.
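The effective-permission rule above (default mapping roles plus other group mappings plus manual role bindings) and this verification step can be turned into a scripted check. The following is an added example, not Confluent's code or part of this page; it assumes JSON shaped like the Confluent Cloud IAM v2 group-mappings and role-bindings responses, that a group mapping appears in role bindings as the principal User:<group-mapping-id>, and uses constructed sample payloads.

```python
from collections import defaultdict
# Roles the page says the default mapping grants.
BASELINE_ROLES = frozenset({"FlinkDeveloper", "DataDiscovery"})
DEFAULT_MAPPING_NAMES = {"Default User Permissions", "all-sso-users"}
# Constructed sample shaped like an IAM v2 group-mappings response (assumption).
GROUP_MAPPINGS = {"data": [
    {"id": "group-abc123", "display_name": "Default User Permissions"},
    {"id": "group-def456", "display_name": "platform-team"},
]}
# Constructed role-bindings sample; group mapping principal is User:<id> (assumption).
ROLE_BINDINGS = {"data": [
    {"principal": "User:group-abc123", "role_name": "FlinkDeveloper"},
    {"principal": "User:group-abc123", "role_name": "DataDiscovery"},
    {"principal": "User:group-abc123", "role_name": "EnvironmentAdmin"},  # creep
    {"principal": "User:group-def456", "role_name": "CloudClusterAdmin"},
]}

def roles_by_mapping(role_bindings):
    """Collect the role names bound to each group-mapping principal."""
    roles = defaultdict(set)
    for rb in role_bindings["data"]:
        prefix, _, pid = rb["principal"].partition(":")
        if prefix == "User" and pid.startswith("group-"):
            roles[pid].add(rb["role_name"])
    return roles

def find_default_mapping(group_mappings):
    """Locate the mapping the console creates for all SSO users, or None."""
    for gm in group_mappings["data"]:
        if gm["display_name"] in DEFAULT_MAPPING_NAMES:
            return gm
    return None

def effective_roles(user_mappings, manual_roles, group_mappings, role_bindings):
    """Default-mapping roles + the user's other group mappings + manual bindings."""
    roles = roles_by_mapping(role_bindings)
    ids = set(user_mappings)
    default = find_default_mapping(group_mappings)
    if default is not None:
        ids.add(default["id"])  # every SSO user account gets the default mapping
    return set(manual_roles).union(*(roles.get(gid, set()) for gid in ids))

def audit_default_mapping(group_mappings, role_bindings):
    """Report baseline roles that are missing and extra roles (privilege creep)."""
    default = find_default_mapping(group_mappings)
    if default is None:
        return {"present": False, "missing": set(BASELINE_ROLES), "extra": set()}
    granted = roles_by_mapping(role_bindings).get(default["id"], set())
    return {"present": True, "id": default["id"],
            "missing": BASELINE_ROLES - granted, "extra": granted - BASELINE_ROLES}
```

Run it against the real responses after the Enable step: an empty "missing" set confirms the mapping exists with both roles, and anything in "extra" is a role granted to every SSO user beyond the documented baseline.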

Modify the default user permissions

Required RBAC role: OrganizationAdmin

To modify the default user permissions assigned to all SSO user accounts in your organization, update the all-sso-users group mapping.

To change the default user permissions for all SSO user accounts:

  1. Go to the User group permissions section in your SSO settings at https://confluent.cloud/settings/org/sso.
  2. Update the group mapping for all-sso-users and save the changes.

All SSO user accounts are now assigned the updated default permissions.

Add an SSO user

The first user is automatically assigned the OrganizationAdmin role, which grants permission to add users. Only users with the OrganizationAdmin role can invite a user to a local user account.

All SSO users are assigned role bindings and permissions based on

Any role bindings manually added to the user account are in addition to the default user permissions and group mappings.

To add an SSO user to your SSO-enabled organization:

  1. Open the Confluent Cloud Console, open the sidebar menu, and click Accounts & access.
  2. On the Accounts & access page, click Add user. The Add user page appears.
  3. In the Account field, enter the email address of the user you want to add and then click Next.
  4. Select the resources and associated roles for the user, and then click Review. A summary of the new account and the access appears.
  5. Review the email address and access permissions, and then click Create user. The Accounts & access page reappears and displays the new user account Name, their ID, and their Status.
    • If the user already exists as an SSO user in another organization, the Status is Pending. The invited user receives an email message and after reviewing the invite request, they must accept the invitation to join the organization.
    • The email verification step is skipped if the user is invited to an organization that has a trusted domain configured.
    • If the user does not already exist in another Confluent Cloud organization, they are invited automatically without an email verification and the Status displays as Active.

You have successfully created the user account. An email message is sent to the email address for the account and provides the unique organization-specific SSO URL (for example, https://confluent.cloud/login/sso/<sso-identifier>) for signing in to the organization on Confluent Cloud.

After the initial sign-in by the user, the user account on the Accounts & access page shows the Status as Active.

If a user does not have a Confluent Cloud account and attempts to sign in using the IdP, they will receive an “Invalid username” message.

Change the authentication type

Required RBAC role: OrganizationAdmin

If your organization has enabled SSO, you can change the authentication type of a user account from Local to SSO or vice versa.

To change the authentication type of an existing user account:

  1. In the Confluent Cloud Console, go to the User accounts page at https://confluent.cloud/settings/org/accounts/users.

  2. In the Name column, click the username of the user account you want to modify.

    The user account page opens displaying Details and Authentication settings.

  3. Click the Edit authentication settings icon.

    The Authentication type and Authentication settings dropdowns appear.

  4. Select the new authentication type: Local or SSO.

    When you select a different option than the current selection, Save Changes is enabled.

  5. Click Save Changes.

    The authentication type you selected is now active.