Manage SSO Access to Confluent Support Portal on Confluent Cloud

You can use Confluent Cloud Single Sign-On (SSO) authentication to let your users sign in to both Confluent Cloud and the Confluent Support Portal using their existing SSO credentials. To enable this, you need to add any email domains used with your SSO identity provider as trusted domains for your Confluent Cloud Organization.

Prerequisites

  • Confluent Cloud SSO is enabled.
  • Access to edit the DNS configuration or the website of each domain whose ownership you want to verify and add as a trusted domain.

Limitations

  • You can currently only use one Confluent Cloud Organization to represent your organization. If you have multiple Confluent Cloud Organizations, choose one to represent your organization. SSO users included in this Confluent Cloud Organization can use their SSO credentials to sign in to Confluent Cloud and the Confluent Support Portal.

Add a trusted domain

To add a trusted domain to your Confluent Cloud Organization, you need to verify that you own the email domain name by using domain verification. After you verify the ownership of the domain, users with email addresses from the trusted domain can authenticate to Confluent Cloud and the Confluent Support Portal using their SSO credentials.

To add a trusted domain to Confluent Cloud SSO to allow your users to authenticate to the Confluent Support Portal and remove email verification requirements when inviting SSO user accounts, complete the following steps:

  1. Open the Confluent Cloud Console and under your user name, click Organization settings.

    The Organization settings page displays.

  2. In the Trusted domains section, click Add domain.

    The Add domain dialog displays.

  3. Enter the domain name to be added as a trusted domain, then click Create domain and continue.

    The Verification method section displays.

  4. Select a verification method (DNS TXT Record or HTML File) and follow the steps for that method.

    Verification methods:

      • DNS TXT Record (Preferred): If you can access the DNS records for the domain, you can add a TXT record, provided by Confluent, to the DNS configuration of your domain.
      • HTML File: Upload an HTML file that includes the verification code provided by Confluent. This method requires you to have access to the root directory of the domain.

    Domain verification is required to ensure that you are the owner. The verification method you use does not affect the functionality of the trusted domain.

    For the DNS TXT Record method:

    1. Sign in to your domain name host provider in a separate browser window.

    2. Go to the DNS records for your domain.

      The DNS records can be found in the domain settings or the DNS management section of your domain host provider.

    3. Add a new TXT record with the following values:

      • Record type: TXT
      • Name/Host/Alias: @
      • Value/Destination: Enter the verification code provided by Confluent

      Example of a verification code:

      confluent-verification=b35a7fca2-becd-3c2e-adg6-26143db1853
      
  5. Click Verify domain.

    If successfully verified, the domain is added as a trusted domain to the list of Trusted domains on the Organization settings page with the Status as “Verified”.

    If the verification fails, an error message displays “Your domain verification has failed” and the domain is added to the Trusted domains list with the Status as “Not verified” and the option to click Verify domain again.

    To postpone verification, click Verify later. You are returned to the Organization settings page, where the domain is listed under Trusted domains with the status “Not verified”. When you are ready, click Verify domain.

    1. Open a web browser to the URL address above and verify that the HTML page includes your verification code.

If you successfully verified the domain, it is added to the Trusted domains listing and users with email addresses from the trusted domain can use SSO to authenticate to Confluent Cloud and the Confluent Support Portal.

If the domain verification fails, see Troubleshoot domain verification.

Remove a trusted domain

If you no longer want to allow users with email addresses from a trusted domain to authenticate to Confluent Cloud using SSO, you can remove the domain from the list of Trusted domains. After you remove the domain, users with email addresses from the deleted domain can no longer authenticate to Confluent Cloud using SSO.

To remove a trusted domain from your SSO configuration in Confluent Cloud:

  1. Open the Confluent Cloud Console and under your user name, click Organization settings.

    The Organization settings page displays.

  2. In the Trusted domains section, click the Remove icon next to the domain you want to remove.

    The Delete domain dialog displays.

  3. Enter the domain name to be removed, then click Confirm.

Troubleshoot domain verification

If you encounter issues with domain verification, review the following common solutions or contact Confluent Support.

Ensure that the verification values are accurate

For the DNS TXT Record verification method, make sure the entire TXT verification code is used with the format: confluent-verification=xxxxxxxxxxxx.

For the HTML File verification method, make sure the filename matches confluent-domain-verification.html and is loaded at https://<your-domain-name>/.well-known/confluent-domain-verification.html.
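
Both checks above can be run from a terminal before you click Verify domain. The following script is an added example, not Confluent tooling: the function names are hypothetical, the sample values are constructed, and it assumes dig and curl are installed.

```shell
#!/bin/sh
# Added example (not Confluent tooling); function names are hypothetical.

# classify_txt CODE
# Reads `dig +short TXT <domain>` output on stdin and prints one of:
#   ok        a TXT record equals CODE exactly
#   mismatch  a confluent-verification= record exists but differs
#             (truncated, stale, or pasted with extra text)
#   missing   no confluent-verification= record at the queried name
classify_txt() (
  code=$1
  result=missing
  while IFS= read -r line || [ -n "$line" ]; do
    # dig prints a TXT record as quoted chunks ("part1" "part2"); join and unquote.
    value=$(printf '%s' "$line" | sed 's/" "//g; s/^"//; s/"$//')
    if [ "$value" = "$code" ]; then
      result=ok
    elif [ "$result" != ok ]; then
      case $value in confluent-verification=*) result=mismatch ;; esac
    fi
  done
  echo "$result"
)

# html_has_code CODE
# Reads the fetched HTML body on stdin; prints ok if it contains CODE, else missing.
html_has_code() (
  if grep -F -q -- "$1"; then echo ok; else echo missing; fi
)

# precheck DOMAIN CODE: live lookup of the apex TXT records (Name/Host "@")
# and of the well-known HTML file path.
precheck() {
  case $2 in
    confluent-verification=?*) ;;
    *) echo "code must look like confluent-verification=<value>" >&2; return 2 ;;
  esac
  echo "TXT:  $(dig +short TXT "$1" | classify_txt "$2")"
  echo "HTML: $(curl -fsS --max-time 10 \
    "https://$1/.well-known/confluent-domain-verification.html" | html_has_code "$2")"
}

if [ "$#" -eq 2 ]; then
  precheck "$1" "$2"
else
  # Constructed sample: the code was pasted into DNS without its last character.
  printf '%s\n' '"v=spf1 -all"' '"confluent-verification=EXAMPLE-COD"' |
    classify_txt 'confluent-verification=EXAMPLE-CODE'
fi
```

Run it with the domain and the full verification code as its two arguments. You only need an ok result for the method you selected.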

Verify that Confluent Cloud SSO is working

If the SSO user account sign-in for the Confluent Support Portal fails, the Confluent Cloud SSO is not configured properly. The authentication for the Confluent Support Portal should match the authentication type of the user account in the Confluent Cloud Organization.

For help resolving SSO configuration issues, see Troubleshoot SSO Issues on Confluent Cloud and Enable SAML Single Sign-on (SSO) on Confluent Cloud.