Manage Trusted Domains on Confluent Cloud

A trusted domain is a domain that your Confluent Cloud organization trusts to authenticate users to the Confluent Support Portal with their existing SSO credentials. Trusted domains are not necessary for SSO authentication to Confluent Cloud organizations. When you designate a domain as a trusted domain, your SSO users can use their existing SSO credentials to authenticate to your Confluent Cloud organization, the Confluent Support Portal, and other Confluent Cloud organizations. You can also add multiple trusted domains (for example, acme.com, acme.io, and uk.acme.com) for your Confluent Cloud organization.

To use trusted domains on Confluent Cloud, add the email domains used with your SSO identity provider as trusted domains for your Confluent Cloud organization. The information below provides details on how to add and manage trusted domains for your Confluent Cloud organization.

Important

Early Access Program

Associating multiple Confluent Cloud organizations with the same trusted domains is an early access feature of Confluent Cloud. This feature should be used only for evaluation and non-production testing purposes or to provide feedback to Confluent, particularly as it becomes more widely available in follow-on preview editions. To allow more than one Confluent Cloud organization to send user invitations to trusted domain users, an administrator of the organization with the trusted domain should send an email message requesting “trusted domains for multiple Confluent Cloud organizations” to ccloud-api-access+iam-v2-early-access@confluent.io. As verification, Confluent requires the request to be made by a user account that has the OrganizationAdmin role in all the requested Confluent Cloud organizations.

Early Access Program features are intended for evaluation use in development and testing environments only, and not for production use. Early Access Program features are provided: (a) without support; (b) “AS IS”; and (c) without indemnification, warranty, or condition of any kind. No service level commitment will apply to Early Access Program features. Early Access Program features are considered to be a Proof of Concept as defined in the Confluent Cloud Terms of Service. Confluent may discontinue providing preview releases of the Early Access Program features at any time in Confluent’s sole discretion.

Prerequisites

  • Confluent Cloud SSO is enabled for your Confluent Cloud organization.
  • Access to edit the DNS configuration or the website for each domain whose ownership you want to verify and that you want to add as a trusted domain. This typically means:
    • For DNS TXT Record method: Administrative access to your domain’s DNS settings.
    • For HTML File method: Administrative access to your domain’s web server or hosting platform.
  • Your organization can have up to 10 trusted domains configured at a time.

Add a trusted domain

To add a trusted domain to your Confluent Cloud organization, you need to verify that you own the email domain name by using domain verification. After you verify the ownership of the domain, users with email addresses from the trusted domain can authenticate to Confluent Cloud and the Confluent Support Portal using their SSO credentials.

To add a trusted domain so that your users can authenticate to the Confluent Support Portal, and to remove email verification requirements when inviting SSO user accounts, complete the following steps:

  1. Open the Confluent Cloud Console and under your user name, click Organization settings.

    The Organization settings page displays.

  2. In the Trusted domains section, click Add domain.

    The Add domain dialog displays.

  3. Enter the domain name to be added as a trusted domain, then click Create domain and continue.

    The Verification method section displays.

  4. Select a verification method (DNS TXT Record or HTML File) and follow the steps for that method.

    Verification method | Description
    DNS TXT record (Preferred) | If you can access the DNS records for the domain, you can add a TXT record, provided by Confluent, to the DNS configuration of your domain.
    HTML file | Upload an HTML file that includes the verification code provided by Confluent. This method requires you to have access to the root directory of the domain.

    Domain verification is required to ensure that you are the owner. The verification method you use does not affect the functionality of the trusted domain.

    For the DNS TXT Record method:

    1. Sign in to your domain name host provider in a separate browser window.

    2. Go to the DNS records for your domain.

      The DNS records can be found in the domain settings or the DNS management section of your domain host provider.

    3. Add a new TXT record with the following values:

      Field | Value
      Record type | TXT
      Name/Host/Alias | @
      Value/Destination | Enter the verification code provided by Confluent

      Example of a verification code:

      confluent-verification=b35a7fca2-becd-3c2e-adg6-26143db1853
      
  5. Click Verify domain.

    If successfully verified, the domain is added as a trusted domain to the list of Trusted domains on the Organization settings page with the Status as “Verified”.

    If the verification fails, an error message displays “Your domain verification has failed” and the domain is added to the Trusted domains list with the Status as “Not verified” and the option to click Verify domain again.

    To verify the domain later, click Verify later. You are returned to the Organization settings page, where the domain name shows the status Not verified under Trusted domains. When you are ready, click Verify domain.

    For the HTML File method, open a web browser to https://<your-domain-name>/.well-known/confluent-domain-verification.html and verify that the HTML page includes your verification code.

If you successfully verified the domain, it is added to the Trusted domains listing and users with email addresses from trusted domains can use their SSO credentials to authenticate to multiple Confluent Cloud organizations and the Confluent Support Portal.

If the domain verification fails, see Troubleshoot domain verification.

You can limit invitations to only verified organizations with trusted domains by following the steps in Limit invitations to verified organizations.

Remove a trusted domain

If you no longer want to allow users with email addresses from a trusted domain to authenticate to Confluent Cloud using SSO, you can remove the domain from the list of Trusted domains. After you remove the domain, users with email addresses from the deleted domain can no longer authenticate to Confluent Cloud using SSO.

To remove a trusted domain from your SSO configuration in Confluent Cloud:

  1. Open the Confluent Cloud Console and under your user name, click Organization settings.

    The Organization settings page displays.

  2. In the Trusted domains section, click the Remove icon next to the domain you want to remove.

    The Delete domain dialog displays.

  3. Enter the domain name to be removed, then click Confirm.

    The domain is removed from the list of Trusted domains on the Organization settings page.

Limit invitations to verified organizations

By default, user accounts can receive and accept email invitations from any Confluent Cloud organization. If you have multiple Confluent Cloud organizations with the same trusted domains, you can limit user accounts of your trusted domains to only receive invitations from an organization associated with the trusted domain.

Note that to enable this restriction, you must have at least one verified trusted domain.

To limit your trusted domain users to only receive invitations from verified organizations:

  1. Open the Confluent Cloud Console and under your user name, click Organization settings.

    The Organization settings page displays.

  2. In the Trusted domains section, enable Limit invitations to verified organizations.

    The Limit invitations to verified organizations option is enabled.

  3. Click Save.

    The Limit invitations to verified organizations option is enabled.

Troubleshoot domain verification

If you encounter issues with domain verification, review the following common solutions or contact Confluent Support.

Ensure that the verification values are accurate

For the DNS TXT Record verification method, make sure the entire TXT verification code is used with the format: confluent-verification=xxxxxxxxxxxx.

For the HTML File verification method, make sure the filename matches confluent-domain-verification.html and is loaded at https://<your-domain-name>/.well-known/confluent-domain-verification.html.
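A pre-check for both methods before you click Verify domain, as an added example that is not Confluent's own code: it parses the output of `dig +short TXT <your-domain-name>`, reports whether the complete verification value is published at the domain apex, and builds the URL to check for the HTML File method. The function names and the sample DNS output are constructed for illustration; the code value is the example shown on this page.

```python
import re

PREFIX = "confluent-verification="  # TXT value format given on this page
WELL_KNOWN = "/.well-known/confluent-domain-verification.html"  # path from this page
EXPECTED = PREFIX + "b35a7fca2-becd-3c2e-adg6-26143db1853"  # this page's example code

# Constructed sample `dig +short TXT acme.com` output: an unrelated SPF record,
# then the verification record split into two quoted chunks by the DNS host.
SAMPLE_OK = ('"v=spf1 include:_spf.acme.com ~all"\n'
             '"confluent-verification=b35a7fca2-becd-" "3c2e-adg6-26143db1853"\n')
# Constructed failure case: the code was only partly pasted into the Value field.
SAMPLE_TRUNCATED = '"confluent-verification=b35a7fca2-becd-3c2e"\n'

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_txt(output):
    """Return one string per TXT record, joining the quoted chunks of a record."""
    records = []
    for line in output.splitlines():
        chunks = _QUOTED.findall(line)
        if chunks:
            records.append("".join(chunks))
    return records


def check_txt(records, expected):
    """Classify the apex TXT records as 'ready', 'mismatch' or 'missing'."""
    if not expected.startswith(PREFIX):
        raise ValueError("expected value must start with " + PREFIX)
    if expected in records:
        return "ready"
    token = expected[len(PREFIX):]
    for record in records:
        value = record.strip()
        # Wrong or truncated value, or the code pasted without its prefix.
        if value.startswith(PREFIX) or value == token:
            return "mismatch"
    return "missing"


def html_check_url(domain):
    """URL where the HTML File method expects the verification page."""
    return "https://" + domain.strip().rstrip(".").lower() + WELL_KNOWN


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("truncated", SAMPLE_TRUNCATED)):
        print(name, check_txt(parse_dig_txt(sample), EXPECTED))
    print(html_check_url("acme.com"))
```

A 'mismatch' result means a verification record exists but is not the complete value, which is the case this troubleshooting step describes; 'missing' usually means the record was added under a host name other than @ or has not propagated yet.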

Verify that Confluent Cloud SSO is working

If the SSO user account sign-in for the Confluent Support Portal fails, Confluent Cloud SSO is not configured properly. The authentication for the Confluent Support Portal should match the authentication type of the user account in the Confluent Cloud organization.

For help resolving SSO configuration issues, see Troubleshoot SSO Issues on Confluent Cloud and Enable SAML Single Sign-on (SSO) on Confluent Cloud.