Manage Your SSO Identity Provider on Confluent Cloud

You can manage your single sign-on (SSO) identity provider for Confluent Cloud by enabling, disabling, or switching to a new SSO identity provider.

Switch your SAML SSO identity provider

When you switch to a new SSO identity provider:

  • you must disable SSO with your current provider and then enable SSO with the new provider.
  • While you switch to a new SSO identity provider, your existing SSO accounts no longer have access to Confluent Cloud until you enable SSO with the new provider.
  • Users that need to sign in to Confluent Cloud during the migration process need to switch the authentication type to password. If a user does not have a Confluent Cloud password, they must select Forgot Password? to create a Confluent Cloud password to authenticate.

For assistance with switching to a new SSO provider and managing updates to your group mappings, contact Confluent Support.

Steps to switch your SSO identity provider

To switch to a new SSO identity provider, complete the following steps:

  1. Sign in to the Confluent Cloud Console and go to the Single sign-on page at https://confluent.cloud/login/sso/.

    The Single sign-on page displays.

  2. Click Disable.

    When you disable SSO, the SSO user accounts associated with your organization cannot authenticate using your identity provider.

  3. Click Enable.

    Follow the instructions in Enable SSO using Confluent Cloud Console to enable SSO with your new provider.

Warning

When you enable SSO using a new SSO identity provider, all SSO user accounts in the new SSO-enabled organization are assigned Default user permissions based on the default group mapping for “Default User Permissions” (all-sso-users). If you do not want the default group mapping to apply to your SSO user accounts, you can delete the default group mapping or modify it based on your requirements. For more information, see Manage Group Mappings on Confluent Cloud.

Migrate group mappings

After you enable SAML SSO with your new identity provider, review your SSO group mappings and ensure they work with your new SSO provider. For more information, see Manage Group Mappings on Confluent Cloud or contact Confluent Support.

Disable SSO

To disable SSO:

  1. In Confluent Cloud Console, open the sidebar menu and click ADMINISTRATION -> Single sign-on.

    The Single sign-on page displays.

  2. Scroll to the bottom of the Single sign-on page and click Disable.

When SSO is disabled, the SSO user accounts associated with your organization cannot authenticate using your identity provider, and must select Forgot Password? to create a Confluent Cloud password to authenticate.

To re-enable SSO, you must repeat the steps in Enable SAML Single Sign-on (SSO) on Confluent Cloud.