Enable Single sign-on (SSO) for Confluent Cloud¶

In the Confluent Cloud Console, open the sidebar menu and click Single sign-on. The Single Sign-on page at https://confluent.cloud/settings/security/sso.
On the Single sign-on page, click Enable SSO. The Set SSO identifier page displays.
In the SSO identifier field, enter the unique SSO identifier that will be used to identify your organization. The value you enter is appended to the Single Sign-on URL, like this:
```
https://confluent.cloud/login/sso/<sso-identifier>
```
Your SSO identifier should only include lowercase letters, numbers, and the - character.
Click Next. The Configure identity provider page appears.
Copy and paste the generated values for each of the following settings into the SAML settings of your identity provider:

Assertion consumer service URL
The endpoint where the identity provider will send an SSO token after authenticating a user.

https://login.confluent.io/login/callback?connection=<my-sso-identifier>

Entity ID
The unique identifier for Confluent Cloud.

urn:auth0:confluent:<my-sso-identifier>

SAML request binding
The communication method used to send messages to the identity provider.

HTTP-Redirect
Click Continue after you have updated the SAML setting on your identity provider. The Configure SSO settings page appears.
On the Configure SSO settings page, provide the following information:

Upload signing certificate
Browse to and select the signing certificate.

SAML sign-on URL
Enter the identity provider sign-on URL, which must be reachable by the user's web browser.

Email mapping
To map an email address to a SAML attribute, select one of the following values from the dropdown list, or manually enter a value:

https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
[Default] The email address of the user.

https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
The unique name of the user.

https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
The SAML name identifier of the user.

When SAML-enabled applications process a SAML assertion, by default the SAML NameID is used to determine the username of the user that is signing in. For the SAML name identifier (NameID), Confluent Cloud supports the following formats:

nameid-format:emailAddress
[Recommended] The Subject Name ID value from the identity provider uses the email address format.

The email address must match the email address specified in the Confluent Cloud user profile.

URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

nameid-format:persistent
The Subject Name ID from the identity provider is a persistent opaque identifier that is specific to the combination of the identity provider and Confluent Cloud.

The SAML response assertion must include the email address as a saml:Attribute.

URI: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

nameid-format:unspecified
The Subject Name ID value from the identity provider can be any format.

The SAML response assertion must include the email address as a saml:Attribute.

URI: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Click Save. You have successfully enabled SSO for Confluent Cloud.

Verify your SSO configuration¶

To verify your SSO configuration, go to your new sign-in URL using the sign-on link displayed in the Single Sign-On (SSO) summary (confluent.cloud/login/sso/<sso-identifier>, which in this workflow example is https://confluent.cloud/login/sso/big-company). You are redirected to your organization's sign-on page. After entering your IdP login credentials, you are redirected back to the Confluent Cloud application.

Interactions with the application are almost identical to the non-SSO experience. The major difference is that you are unable to change your password in the Confluent Cloud user interface or using the "Reset Password" flow, because your password is now managed by your IdP.