Enable Group Mapping on Confluent Cloud
Required RBAC role: OrganizationAdmin.
Confluent Cloud uses the user groups that are already configured in the SSO identity provider to map permissions to SSO users in Confluent Cloud. Group membership is controlled only by the identity provider, giving you a single source of truth.
Before you can map the SSO user groups in your SSO identity provider to Confluent Cloud RBAC roles, ensure that your SSO identity provider is configured to send group information in the SAML SSO assertion to Confluent Cloud.
To configure group mappings, you need to create a group mapping in Confluent Cloud and configure the SSO identity provider to send the group mapping to Confluent Cloud. The following tabs provide steps for configuring group mappings for two SSO identity providers: Azure Entra ID (Azure Active Directory) and Okta.
Enable group mapping
After you configure a group mapping, the group mapping is enabled for the organization.
To disable a group mapping, you must delete the group mapping. For details, see Delete a group mapping.
Locate the Confluent Cloud application.
Go to Azure Portal, select Azure Active Directory > Enterprise applications. Search for the Confluent Cloud application.
In the navigation bar, select Single sign-on under Manage.
In Attributes & Claims, click Add a group claim. The Group Claim dialog appears.
For the question Which groups associated with the user should be returned in the claim?:
- If your organization uses Groups to bulk assign applications to users, select Groups assigned to the application.
- If you want to filter on the group Display name so that only the groups intended for group mapping are sent to Confluent Cloud, select All Groups and use the Advanced options to filter the groups.
For Source Attribute:
- Select Group ID to use the unique group identifier. If selected, the group mappings you create in Confluent Cloud are the identifier strings (for example, 9efcf0ab-9227-411d-bbea-0481e862c115).
- Select Cloud-only group display names to use the group name for more meaningful names.
Create group permission mappings in Confluent Cloud.
Configure the SAML group attribute.
Set the value to http://schemas.microsoft.com/ws/2008/06/identity/claims/groups or the custom claim or attribute that contains the group information.
You have now configured group mappings for Azure Entra ID. You can now create mappings.
Open the Confluent Cloud Console and go to the Single sign-on page and review the SSO settings.
You are already enabled for Azure Marketplace SSO and the following settings are already configured:
- Sign-on Link: The link to the Azure Marketplace SSO sign-in page.
- Azure AD Tenant ID: The tenant ID for your Azure AD organization.
- Single logout URL: The URL to redirect users to after they sign out of Confluent Cloud.
Under User group permissions, enable Share user groups from Azure Directory with Confluent Cloud. A confirmation dialog appears.
In the Confirm enable dialog, enter “CONFIRM” to confirm that you want to enable the sharing of user groups from your Azure Marketplace organization with Confluent Cloud.
After you enable this setting, Confluent Cloud can receive group information from Azure Marketplace SSO, but you must grant permissions in Microsoft Entra ID (Azure AD) to Confluent Cloud before you can create and manage group mappings.
Go to Grant permissions to Confluent Cloud (Azure Marketplace SSO) and follow the steps to grant permissions to Confluent Cloud to read the group information from Microsoft Entra ID (Azure AD).
After you grant permissions to Confluent Cloud, you can create group mappings by following the steps in Create a group mapping using the Confluent Cloud Console, the Confluent CLI, or the Confluent Cloud APIs.
Open your Okta administrator console and select the Confluent Cloud application.
In the General tab, scroll to SAML Settings and send Group Attribute Statements.
In the second Configure SAML step in the SAML Integration settings, scroll to Group Attribute Statements (optional), enter groups for the Name, and set Matches regex to .* so that all user groups are sent when a SAML SSO request is sent to Confluent Cloud. If you only want to send a specific set of groups, rather than all groups that a user is a member of, change the filter to match only the groups you want sent to Confluent Cloud. You can also send a different user attribute than groups for other use cases.
Test that groups are sent correctly by clicking Preview the SAML Assertion.
The preview shows the SAML assertion sent to Confluent Cloud when a user signs in. In the SAML attribute with Name="groups", verify that the groups to be sent are listed.
Click Next and Finish to save the changes.
Open the Confluent Cloud Console and go to the Single sign-on page.
Create group permission mappings.
- Set the SAML group attribute to groups or the custom claim or attribute that contains the group information.
- Create mappings for each group, using filters that match the group names being sent by Okta. To create group mappings, see Create group mappings.
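The assertion check described in the Okta steps can also be scripted. The following is an added example, not Confluent or Okta code: it reads the group attribute from an assertion and compares the groups sent with the groups that have mappings, so over-shared or missing groups stand out. The sample assertion, the group names, and the full-match behaviour of the filter regex are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
OKTA_GROUP_ATTR = "groups"  # Name entered in Okta's Group Attribute Statements
ENTRA_GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample, trimmed to the attribute statement of a previewed assertion.
SAMPLE_ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>user@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>kafka-admins</saml2:AttributeValue>
      <saml2:AttributeValue>kafka-developers</saml2:AttributeValue>
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def groups_in_assertion(xml_text, attr_name=OKTA_GROUP_ATTR):
    """Return the values of the named group attribute ([] if it is absent)."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == attr_name:
            values += [(v.text or "").strip() for v in attr.iter(f"{{{SAML}}}AttributeValue")]
    return values


def review_groups(sent, mapped, filter_regex=".*"):
    """Compare sent groups with mapped ones under an assumed full-match filter."""
    pattern = re.compile(filter_regex)
    kept = [g for g in sent if pattern.fullmatch(g)]
    return {
        "kept": kept,                                   # still sent under the filter
        "dropped": [g for g in sent if g not in kept],  # no longer disclosed
        "unmapped": sorted(set(kept) - set(mapped)),    # sent but has no mapping
        "missing": sorted(set(mapped) - set(kept)),     # mapped but never sent
    }


if __name__ == "__main__":
    sent = groups_in_assertion(SAMPLE_ASSERTION)
    print(review_groups(sent, {"kafka-admins", "kafka-operators"}, r"kafka-.*"))
```

For an Azure Entra ID assertion, pass ENTRA_GROUP_ATTR as attr_name. An empty result means the identity provider is not sending the group attribute under the name Confluent Cloud is configured to read.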
Grant permissions to Confluent Cloud (Azure Marketplace SSO)
After you enable the sharing of user group details with Confluent Cloud in the Confluent Cloud Console steps above for Azure Marketplace SSO, an Azure administrator must grant the Directory.Read.All permission to the Confluent Cloud enterprise application in Microsoft Entra ID (Azure AD) so that Confluent Cloud can receive the user group details from Microsoft Entra ID.
To grant the Directory.Read.All permission to the Confluent Cloud enterprise application in Azure Portal, you need to sign in to Confluent Cloud as an Azure administrator and grant the permission to the Confluent Cloud enterprise application in a pop-up dialog.
Important
Before enabling group mapping, set the authentication type for the OrganizationAdmin role (of the Azure administrator) as a local user in Confluent Cloud. This is required to prevent being locked out of Confluent Cloud. For details on setting the authentication type, see Change the authentication type.
Sign in to Confluent Cloud as an Azure administrator
Go to the Confluent Cloud SSO sign-in page at https://confluent.cloud/login/sso.
Enter your Azure administrator credentials.
If this is your first time signing in to Confluent Cloud after enabling user groups sharing above, a Permissions requested dialog appears, requesting to:
- Sign you in and read your profile
- Maintain access to data you have given it access to
- Consent on behalf of your organization (this is required to grant the Directory.Read.All permission to the Confluent Cloud enterprise application)
These permissions allow Azure to send groups to Confluent Cloud for group mapping.
After selecting the “Consent on behalf of your organization” option, click Accept.
You have successfully granted the Directory.Read.All permission to the Confluent Cloud enterprise application.
- Azure SSO users can now sign in to Confluent Cloud using Azure SSO. When SSO is enabled for an organization, a default group mapping (all-sso-users) is applied to all SSO user accounts and binds them to two predefined RBAC roles that provide the essential minimum permissions needed to access your organization’s Confluent Cloud resources. For more information, see Default user permissions.
- Azure administrators with the OrganizationAdmin role in Confluent Cloud can now start creating group mappings in Confluent Cloud for your Azure SSO users. For details, see Create a group mapping.
Next steps
After enabling group mapping, you can:
- Use the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs to create, read, update, and delete group mappings for ACLs and RBAC role bindings. For details, see Manage Group Mappings on Confluent Cloud.
- Update the default user permissions for SSO users in Confluent Cloud. For details, see Default user permissions.