Troubleshoot Group Mappings on Confluent Cloud
Common issues
If you are having trouble with group mappings, check the following list of common mistakes:
- Not confirming that groups are sent by the SSO identity provider.
- Selecting the wrong SAML attribute to check for user group information.
- Setting the group mapping filter to a value that differs from the value sent in the SAML sign-in request.
SAML SSO organizations
Verify your identity provider is sending groups
To check whether your identity provider is sending groups correctly, open Google Chrome Developer Tools and find the SAML option in the tab navigation at the top of the panel. Sign in to your SAML SSO organization with your user account and click Show only SAML to see the POST SAML request.
- Check that the attribute name matches the SAML Attribute that you have configured for group mappings.
- View the list of groups being sent.
Verify your user account has the correct group permissions
You can verify that your user account has the correct group permissions by checking the access token (JWT) in your browser after signing in to Confluent Cloud Console using SSO. Then, you can use jwt.io or any JWT decoder to see the list of principals, which includes your user account principal and any group mapping principals.
Azure OIDC SSO (Azure Marketplace) organizations
Verify your identity provider is sending groups
If the Azure administrator is able to configure group mappings, then your Azure Marketplace organization successfully enabled sending groups by allowing the required Directory.Read.All permissions.
Verify your user account has the correct group permissions
Open Google Chrome’s Developer Tools and click the Network tab. Then, find a check_jwt GET request. Because session JWTs have a two-minute lifetime and are refreshed more often than every two minutes, these requests should appear frequently while you have the tab open.
Look at the response and correlate the may_act principals to the group mapping principals.
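An offline way to do the two checks described above (decoding the access token for SAML SSO organizations, and correlating the may_act principals for Azure OIDC SSO organizations), as an added example that is not Confluent's code: it decodes a token copied from the browser and compares its principals with the group mapping principals you expect. The claim layout (may_act.principals), the principal IDs and the sample token are assumptions constructed for illustration.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the JWT payload. The signature is NOT verified: inspection only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_group_mappings(token, expected, now=None):
    """Compare principals in the token with the group mapping principals you expect."""
    claims = decode_claims(token)
    # ASSUMPTION: principals are listed under may_act.principals.
    present = set((claims.get("may_act") or {}).get("principals", []))
    expected = set(expected)
    now = time.time() if now is None else now
    return {
        "expired": claims.get("exp", 0) <= now,  # session tokens live two minutes
        "matched": sorted(present & expected),
        "missing": sorted(expected - present),
        "other": sorted(present - expected),
    }


def _segment(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (placeholder principal IDs, fake signature).
SAMPLE_TOKEN = ".".join([
    _segment({"alg": "RS256", "typ": "JWT"}),
    _segment({"exp": 1700000120,
              "may_act": {"principals": ["user-PLACEHOLDER", "group-mapping-A"]}}),
    "constructed-signature",
])

if __name__ == "__main__":
    expected = ["group-mapping-A", "group-mapping-B"]
    print(json.dumps(check_group_mappings(SAMPLE_TOKEN, expected, now=1700000000), indent=2))
```

Principals reported under missing are the ones to trace back to the group attribute sent by the identity provider and to the group mapping filter.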