Enable Group Mapping on Confluent Cloud

Required RBAC role: OrganizationAdmin.

Confluent Cloud uses user groups that are already configured with the SSO identity provider, to map permissions to SSO users in Confluent Cloud. Membership in groups are only controlled by the identity provider, giving you a single source of truth.

Before you can map the SSO user groups in your SSO identity provider to Confluent Cloud RBAC roles, ensure that your SSO identity provider is configured to send group information in the SAML SSO assertion to Confluent Cloud.

To configure group mappings, you need to create a group mapping in Confluent Cloud and configure the SSO identity provider to send the group mapping to Confluent Cloud. The following tabs provide steps for configuring group mappings for two SSO identity providers: Azure Entra ID (Azure Active Directory) and Okta.

Enable group mapping

The following tabs provide steps for configuring group mappings for two SSO identity providers: Azure Entra ID (Azure Active Directory) and Okta.

After you configure a group mapping, the group mapping is enabled for the organization.

To disable a group mapping, you must delete the group mapping. For details, see Delete a group mapping.

  1. Locate the Confluent Cloud application.

    Go to Azure Portal, select Azure Active Directory > Enterprise applications. Search for the Confluent Cloud application.

  2. In the navigation bar, select Single sign-on under Manage.

  3. In Attributes & Claims, click Add a group claim. The Group Claim dialog appears.

  4. For the question Which groups associated with the user should be returned in the claim?:

    • If your organizations uses Groups to bulk assign applications to users, select Groups assigned to the application.
    • If you want to filter the group Display name to only include groups to be sent Confluent Cloud for group mapping, select All Groups and use the Advanced options to filter the groups.
  5. For Source Attribute:

    • Select Group ID to use the unique group identifier. If selected, the group mappings you create in Confluent Cloud are the identifier strings (for example, 9efcf0ab-9227-411d-bbea-0481e862c115).
    • Select Cloud-only group display names to use the group name for more meaningful names.
  6. Create group permission mappings in Confluent Cloud.

    1. Configure the SAML group attribute.

      Set the value to http://schemas.microsoft.com/ws/2008/06/identity/claims/groups or the customer claim or attribute that contains the group information.

You have now configured group mappings for Azure Entra ID. You can now create mappings.

Grant permissions to Confluent Cloud (Azure Marketplace SSO)

After enabling the sharing of user group details with Confluent Cloud in the Confluent Cloud Console steps above for Azure Marketplace SSO, Confluent Cloud requires an Azure administrator to grant the Directory.Read.All permission to the Confluent Cloud enterprise application in Microsoft Entra ID (Azure AD) for Confluent Cloud to receive the user groups details from Microsoft Entra ID.

To grant the Directory.Read.All permission to the Confluent Cloud enterprise application in Azure Portal, you need to sign in to Confluent Cloud as an Azure admininstrator and grant the permission to the Confluent Cloud enterprise application in a pop-up dialog.

Important

Before enabling group mapping, set the authentication type for the OrganizationAdmin role (of the Azure administrator) as a local user in Confluent Cloud. This is required to prevent being locked out of Confluent Cloud. For details on setting the authentication type, see Change the authentication type.

Sign in to Confluent Cloud as an Azure administrator

  1. Go to the Confluent Cloud SSO sign-in page at https://confluent.cloud/login/sso.

  2. Enter your Azure administrator credentials.

  3. If this is your first time signing in to Confluent Cloud after enabling user groups sharing above, a Permissions requested dialog appears, requesting to:

    • Sign you in and read your profile
    • Maintain access to data you have given it access to
    • Consent on behalf of your organization (this is required to grant the Directory.Read.All permission to the Confluent Cloud enterprise application)

    These permissions allow Azure to send groups to Confluent Cloud for group mapping.

  4. After selecting the “Consent on behalf of your organization” option, click Accept.

You have successfully granted the Directory.Read.All permission to the Confluent Cloud enterprise application.

  • Azure SSO users can now sign in to Confluent Cloud using Azure SSO. When SSO is enabled for an organization, a default group mapping (all-sso-users) is applied to all SSO user accounts and binds them to two predefined RBAC roles that provide the essential minimum permissions needed to access your organization’s Confluent Cloud resources. For more information, see Default user permissions.
  • Azure administrators with the OrganizationAdmin role in Confluent Cloud can now start creating group mappings in Confluent Cloud for your Azure SSO users. For details, see Create a group mapping.

Next steps

After enabling group mapping for, you can:

  • Use the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs to create, read, update, and delete group mappings for ACLs and RBAC role bindings. For details, see Manage Group Mappings on Confluent Cloud.
  • Update the default user permissions for SSO users in Confluent Cloud. For details, see Default user permissions.