Use Single Sign-on with Azure Marketplace on Confluent Cloud

When you create a Confluent Cloud organization through Azure Marketplace:

  • Confluent enables single sign-on (SSO) for your organization based on OpenID Connect (OIDC) using the associated Microsoft Entra ID as the identity provider. OIDC is an authentication protocol that is built on top of the OAuth 2.0 framework for user identities.
  • When using SSO with Azure Marketplace, OIDC SSO does not require manual updates to signing certificates, unlike SAML-based SSO.
  • When SSO is enabled for an organization, a default group mapping (all-sso-users) is applied to all SSO user accounts and binds them to two predefined RBAC roles that provide the essential minimum permissions needed to access your organization’s Confluent Cloud resources. Note the following:
    • The default user group mapping does not require any permissions or user group information from Azure because its membership is all SSO user accounts in Confluent Cloud.
    • Default user permissions in the all-sso-users group mapping can be customized, or additional group mappings can be added by the organization owner or administrator.
    • For more information, see Default user permissions.

On the Single sign-on page in the Confluent Cloud Console at https://confluent.cloud/settings/security/sso, you can:

  • Verify that SSO is enabled for your organization. You should see the following message: “You have already enabled Single Sign-on (SSO) through your Azure Active Directory and you cannot change the configuration.”
  • Get the Sign-On link for your organization. This is the URL that you can use to sign in to your Confluent Cloud organization using SSO.

Note: With SSO through Azure Marketplace, the user identification is the email address attribute in Microsoft Entra ID. If the email address attribute is not available, the user principal name (UPN) attribute is used as the Confluent email address identifier.
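The following Python is an added example, not code from Confluent or Microsoft. It applies the identifier rule from the note above to a constructed directory export so that an administrator can see which accounts fall back to the UPN and whether any two accounts resolve to the same identifier. The field names `mail` and `userPrincipalName` follow the Microsoft Graph user properties; the sample records and the case-insensitive comparison are assumptions.

```python
# Added example: audit which identifier each Entra ID user would get under the
# rule in the note above (email attribute first, UPN as fallback).
from collections import defaultdict

# Constructed sample records using the Microsoft Graph user property names
# `mail` and `userPrincipalName`; not real directory data.
SAMPLE_USERS = [
    {"id": "u1", "mail": "alice@example.com", "userPrincipalName": "alice@example.com"},
    {"id": "u2", "mail": None, "userPrincipalName": "bob@example.onmicrosoft.com"},
    {"id": "u3", "mail": "  ", "userPrincipalName": "carol_partner.test#EXT#@example.onmicrosoft.com"},
    {"id": "u4", "mail": "Alice@Example.com", "userPrincipalName": "alice.admin@example.com"},
]


def resolve_identifier(user):
    """Return (identifier, source) following the email-then-UPN rule."""
    mail = (user.get("mail") or "").strip()
    if mail:
        return mail, "mail"
    upn = (user.get("userPrincipalName") or "").strip()
    if upn:
        return upn, "upn"
    return None, "missing"


def audit(users):
    """Classify users by identifier source and find identifier collisions."""
    report = {"upn_fallback": [], "missing": [], "collisions": {}}
    seen = defaultdict(list)
    for user in users:
        identifier, source = resolve_identifier(user)
        if source == "missing":
            report["missing"].append(user["id"])
            continue
        if source == "upn":
            report["upn_fallback"].append(user["id"])
        # Assumption: identifiers are compared case-insensitively.
        seen[identifier.casefold()].append(user["id"])
    report["collisions"] = {k: v for k, v in seen.items() if len(v) > 1}
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_USERS).items():
        print(key, value)
```

Accounts listed under `upn_fallback` sign in with an identifier that may not be a deliverable mailbox, and any entry under `collisions` should be resolved in the directory before those users sign in.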

Sign in to Confluent Cloud using Azure SSO

To sign in to Confluent Cloud using Azure SSO:

  1. Go to the Sign-On link for your organization on the Single sign-on page in the Confluent Cloud Console at https://confluent.cloud/settings/security/sso.

  2. Enter your Microsoft Entra ID credentials.

  3. If this is your first time signing in to Confluent Cloud using Azure SSO, a Permissions requested dialog appears, requesting to:

    • Sign you in and read your profile
    • Read directory data

    These permissions allow Azure to send groups to Confluent Cloud for group mapping.

    Click Accept.

You are signed in to Confluent Cloud using Azure OIDC SSO.

Edit Azure Marketplace SSO settings

Prerequisites

To edit Azure Marketplace SSO settings:

  1. Go to the Single sign-on tab in the Confluent Cloud Console at https://confluent.cloud/settings/org/sso.

    You can also get to this tab by opening the sidebar menu and clicking Accounts & access > Single sign-on.

  2. Click Edit SSO settings.

  3. Update the settings as needed (for example, the SSO identifier).

  4. Click Submit to save the changes.

Troubleshooting

Below are some common issues and their solutions:

  • If you see “You do not have permission to view this content” on the Single sign-on tab, ensure that you have the OrganizationAdmin role.
  • If editing the SSO settings fails with 405, 503, or 409 errors, retry the edit. If you continue to see errors, contact Confluent Support.
  • If you see “SSO with same name exists” on the Single sign-on tab, change the SSO identifier and try again.