Use Single Sign-on with Azure Marketplace on Confluent Cloud
When you create a Confluent Cloud organization through Azure Marketplace:
- Confluent enables single sign-on (SSO) for your organization based on OpenID Connect (OIDC) using the associated Microsoft Entra ID as the identity provider. OIDC is an authentication protocol that is built on top of the OAuth 2.0 framework for user identities.
- When using SSO with Azure Marketplace, OIDC SSO does not require manual updates to signing certificates, unlike SAML-based SSO.
- When SSO is enabled for an organization, a default group mapping (all-sso-users) is applied to all SSO user accounts and binds them to two predefined RBAC roles that provide the essential minimum permissions needed to access your organization’s Confluent Cloud resources. Note the following:
  - The default user group mapping does not require any permissions or user group information from Azure because its membership is all SSO user accounts in Confluent Cloud.
  - Default user permissions in the all-sso-users group mapping can be customized, or additional group mappings can be added by the organization owner or administrator.
  - For more information, see Default user permissions.
On the Single sign-on page in the Confluent Cloud Console at https://confluent.cloud/settings/security/sso, you can:
- Verify that SSO is enabled for your organization. You should see the following message: “You have already enabled Single Sign-on (SSO) through your Azure Active Directory and you cannot change the configuration.”
- Get the Sign-On link for your organization. This is the URL that you can use to sign in to your Confluent Cloud organization using SSO.
Note: With SSO through Azure Marketplace, the user identification is the email address attribute in Microsoft Entra ID. If the email address attribute is not available, the user principal name (UPN) attribute is used as the Confluent email address identifier.
Sign in to Confluent Cloud using Azure SSO
To sign in to Confluent Cloud using Azure SSO:
1. Go to the Sign-On link for your organization on the Single sign-on page in the Confluent Cloud Console at https://confluent.cloud/settings/security/sso.
2. Enter your Microsoft Entra ID credentials.
3. If this is your first time signing in to Confluent Cloud using Azure SSO, a Permissions requested dialog appears, requesting to:
   - Sign you in and read your profile
   - Read directory data
   These permissions allow Azure to send groups to Confluent Cloud for group mapping.
4. Click Accept.
You are signed in to Confluent Cloud using Azure OIDC SSO.