Just-in-time User Provisioning on Confluent Cloud
Just-in-time (JIT) user provisioning automatically creates Confluent Cloud user accounts and then uses group mappings to grant access to Confluent Cloud resources based on group memberships in your single sign-on (SSO) identity provider.
When a user from your SSO-enabled organization uses their SSO credentials to sign in to Confluent Cloud for the first time, Confluent Cloud automatically creates a user account with no predefined access to Confluent Cloud resources. If group mappings are available, the user is automatically granted Confluent Cloud role-based access control (RBAC) roles and permissions based on their group memberships in the organization’s user directory at your SSO identity provider.
JIT user provisioning and group mappings reduce your administrative workload and expedite user onboarding because you no longer need to manually provision users by creating Confluent Cloud user accounts and configuring roles and permissions in advance.
Enable JIT user provisioning
RBAC role required: OrganizationAdmin.
JIT user provisioning is enabled by default for most Confluent Cloud organizations. If JIT user provisioning has been disabled, or if your organization has it disabled by default (see Support for Azure Marketplace organizations), you can enable it using either the Confluent Cloud Console or the REST API.
Enable JIT user provisioning in the Confluent Cloud Console
In the Confluent Cloud Console, go to the SSO settings page for your organization.
Toggle Just-in-time (JIT) user provisioning to the on position.
The toggle takes effect immediately for subsequent SSO sign-ins.
Enable JIT user provisioning using the REST API
To enable JIT user provisioning, use the Organizations API to update the organization settings by making an HTTP PATCH request to /org/v2/organizations/<org_uuid> with the jit_enabled field set to true. The following curl command shows an example request:
curl --request PATCH --url 'https://api.confluent.cloud/org/v2/organizations/<org_uuid>' \
--header 'Authorization: Basic <user-credentials>' \
--header 'content-type: application/json' \
--data '{"jit_enabled": true}'
The response returns the updated organization settings in JSON format.
For details about updating an organization using the Organizations API, see Update an Organization.
Support for Azure Marketplace organizations
JIT user provisioning is disabled by default for Azure Marketplace organizations. To use JIT user provisioning for your Azure Marketplace organization, you need to enable JIT user provisioning in Confluent Cloud (see Enable JIT user provisioning) and update the Confluent Cloud application in Azure Portal.
Update the Confluent Cloud application in Azure Portal
To use JIT user provisioning for your Azure Marketplace organization, you need to assign users and user groups to the Confluent Cloud application in Azure Portal and update the Confluent Cloud application properties.
Assign users and user groups to the Confluent Cloud application to ensure that only users and user groups who should be able to access Confluent Cloud can have their user accounts automatically created at first-time SSO sign-in and that existing SSO users do not lose sign-in access.
On the Confluent Cloud enterprise application properties page, the following updates are recommended:
Ensure that the Enabled for users to sign-in? option is set to Yes.
This setting ensures that users can sign in to Confluent Cloud using their SSO credentials.
Set the Assignment required? option to Yes.
This setting ensures that only users who should be able to access Confluent Cloud can have their user accounts automatically created at first-time SSO sign-in.
Disable JIT user provisioning
RBAC role required: OrganizationAdmin.
You can disable JIT user provisioning using either the Confluent Cloud Console or the REST API.
Disable JIT user provisioning in the Confluent Cloud Console
In the Confluent Cloud Console, go to the SSO settings page for your organization.
Toggle Just-in-time (JIT) user provisioning to the off position.
The toggle takes effect immediately for subsequent SSO sign-ins.
Disable JIT user provisioning using the REST API
To disable JIT user provisioning for users in your SSO identity provider, use the Organizations API to update the organization settings by making an HTTP PATCH request to /org/v2/organizations/<org_uuid> with the jit_enabled field set to false. The following curl command shows an example request:
curl --request PATCH --url 'https://api.confluent.cloud/org/v2/organizations/<org_uuid>' \
--header 'Authorization: Basic <user-credentials>' \
--header 'content-type: application/json' \
--data '{"jit_enabled": false}'
The response returns the updated organization settings in JSON format.
For details about updating an organization using the Organizations API, see Update an Organization.
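The enable and disable PATCH requests above, as an added Python example (not Confluent's code) that also confirms the response reports the requested jit_enabled value before treating the change as applied. It assumes <user-credentials> is the Base64 encoding of an API key and secret joined by a colon and that jit_enabled is a top-level field of the returned organization; the function names are hypothetical.

```python
import base64
import json
import urllib.request
import uuid

API_BASE = "https://api.confluent.cloud"  # host taken from the curl examples


def build_jit_request(org_uuid, enabled, api_key, api_secret):
    """Build (but do not send) the PATCH request that sets jit_enabled."""
    if not isinstance(enabled, bool):
        raise TypeError("enabled must be True or False")
    org = str(uuid.UUID(org_uuid))  # rejects anything that is not a UUID
    # Assumption: <user-credentials> is Base64("<api_key>:<api_secret>").
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return urllib.request.Request(
        url=f"{API_BASE}/org/v2/organizations/{org}",
        data=json.dumps({"jit_enabled": enabled}).encode(),
        method="PATCH",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"},
    )


def confirm_jit_state(response_body, expected):
    """True only if the body is JSON whose jit_enabled is exactly `expected`."""
    try:
        doc = json.loads(response_body)
    except (TypeError, ValueError):
        return False
    # Assumption: jit_enabled is a top-level field of the returned organization.
    return isinstance(doc, dict) and doc.get("jit_enabled") is expected


def set_jit(org_uuid, enabled, api_key, api_secret,
            opener=urllib.request.urlopen):
    """Send the request and fail loudly unless the new state is confirmed."""
    req = build_jit_request(org_uuid, enabled, api_key, api_secret)
    with opener(req, timeout=30) as resp:
        body = resp.read()
    if not confirm_jit_state(body, enabled):
        raise RuntimeError("response did not report the requested jit_enabled")
    return enabled
```

Call set_jit(org_uuid, False, key, secret) to disable JIT provisioning; an exception means the organization did not report the requested state and the SSO settings page should be checked by hand.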