Manage User Identity Providers on Confluent Cloud

User identities can be authenticated using local user accounts or single sign-on (SSO) user accounts. SSO lets users access Confluent Cloud resources using their existing organizational credentials instead of relying on local user accounts. This integration enhances security and simplifies user management.

SAML single sign-on (SSO) identity provider

Use single sign-on (SSO) for Confluent Cloud to manage your Confluent Cloud users and authenticate them using your existing identity provider instead of using Confluent Cloud local user accounts and passwords. Enabling SSO in Confluent Cloud lets you manage your users in one place and allows users to sign in to Confluent Cloud using their existing SSO credentials. Using SSO improves your security and lets you use multi-factor authentication (MFA), if provided by your identity provider.

For details, see Manage SAML SSO.

Azure Marketplace SSO

If you created your Confluent Cloud organization using the Azure Marketplace, the OIDC-based Azure Marketplace SSO is used for authentication.

See Manage Azure Marketplace SSO.

Group mapping

A group mapping is a set of rules that lets you map user groups in your SSO identity provider to the predefined RBAC roles in Confluent Cloud. When an SSO user signs in to Confluent Cloud, Confluent Cloud automatically assigns the Confluent Cloud RBAC roles you have mapped to the user’s groups.

Create a group mapping for each set of Confluent Cloud RBAC roles that you want to assign to a user based on the user’s group memberships in your SSO identity provider. Your organization might have groups with different sets of permissions based on teams, Confluent Cloud environments, or read/write/admin access. You can create a group mapping for each set of permissions.

See Map SSO user groups to RBAC roles.

Just-in-time user provisioning

Just-in-time (JIT) user provisioning automatically creates Confluent Cloud user accounts, then uses group mappings to grant access to Confluent Cloud resources based on group memberships in your single sign-on (SSO) identity provider.

See Just-in-time user provisioning.

SSO access to Confluent Support Portal

You can use Confluent Cloud single sign-on (SSO) authentication to let your users sign in to both Confluent Cloud and the Confluent Support Portal using their existing SSO credentials. To enable this, you need to add any email domains used with your SSO identity provider as trusted domains for your Confluent Cloud organization.

See Manage SSO access to Confluent Support Portal.