User Accounts¶

重要

In order to create a more secure Confluent Cloud, the Authentication type for existing Local and SSO user accounts must be changed to SSO or Local. The deprecated Local and SSO authentication type will be removed on July 27, 2022 and all Local and SSO users will automatically be converted to Local users.

To change existing Local and SSO users:

In Confluent Cloud Console, go to the User accounts page at https://confluent.cloud/settings/org/accounts/users.
For each user account showing Local and SSO in the Type column:
1. Click on the user account in the Name column.
2. In the Authentication settings section, click Edit.

Note that after you select Local or SSO, the deprecated Local and SSO option is no longer available. For existing SSO organizations, there is no impact—all user types will stay as-is until July 2022. For new SSO organizations, after setting up SSO, all users will continue to remain local users and you must change the authentication type for the user to SSO.

User account types¶

Confluent Cloud provides two user account types (local and SSO) and three authentication methods (username/password, Google, and SSO), as summarized in the following table. Click on the account type to go directly to the relevant section below.

User account type	Authentication method	Description
Local	Username/password	A local user that authenticates using a username and password.
Local	Google (using Sign in with Google)	A local user account that authenticates using a user's Google account.
Local	GitHub (using Sign in with GitHub)	A local user account that authenticates using a user's GitHub account.
SSO	SSO	A user account that authenticates using single sign-on (SSO) with an organization's identity provider (IdP).

Note that Confluent Cloud user accounts have the following conditions and limitations:

Each user account represents one user and allows management of their access to Confluent Cloud.
User accounts are organization-level resources and there is a limit on the number of user accounts in an organization. An organization can have only one identity provider (IdP).
You can sign in to a user account using the Confluent Cloud Console or Confluent CLI. User accounts may own all types of API keys.
You can bind role-based access control (RBAC) roles to user accounts.
Kafka ACL はユーザーアカウントに適用できません。アクセスを必要最小限に制限しながら、Confluent Cloud の Kafka クラスターへのアクセスを許可するには、サービスアカウントを ACL とともに使用します。
Confluent Cloud Console または Confluent CLI コマンド confluent iam user invitation create を使用して、ユーザーアカウントの作成と管理を行うことができます。
A user account can be a member of one or more organizations. When a user is a member of multiple organizations, their authentication type is the same across all organizations. For details, see Manage multiple organizations.
If your email provider lets you can create multiple accounts or aliases by adding a plus sign (+) and a tag or word before the @ sign in an email address.

Local user accounts¶

Local user accounts are uniquely identified by their email address and authenticate using a username and password managed in Confluent Cloud.

You can create local user accounts that sign in to Confluent Cloud and authenticate using

Local user: username/password
Local user: Sign in with Google

Local user: username/password)¶

Create a local user (initial)¶

If you don't have a Confluent Cloud account, you can create a local user account authenticating using a username and password.

To create a local user on Confluent Cloud:

Go to the Confluent Cloud Console (https://confluent.cloud/signup).
The Welcome to Confluent Cloud page appears.
To sign up for a new account, click Sign up and try it for free.
On the Confluent Cloud page, you can sign up and start using the account in minutes by completing the form, fill in values for your full name, organization, country, email address, and password. Then click Start free. A verification link is sent to the email address.
Check your email account for a Welcome to Confluent Cloud! message.
In the message, click Verify email address. You will be redirected to Confluent Cloud to finish creating your Confluent Cloud account.
Click Submit. You are signed in to Confluent Cloud and can begin exploring and using the Confluent Cloud Console.

Add a local user account using the Confluent Cloud Console¶

If you have been granted the OrganizationAdmin, EnvironmentAdmin, or CloudClusterAdmin role, you can use the Confluent Cloud Console to add, or invite, a local user.

Go to the Confluent Cloud Console and sign in using a local user account that has been granted an OrganizationAdmin role.
Go to ADMINISTRATION > Accounts and access. The Accounts and access page appears listing User account.
Click Add user. The Add user page appears.
In Account, enter the email address for the user and, optionally, grant one or more role assignments.
Click Review to verify that the email address and role assignments are correct, and then click Create.

The new user is sent an email message to verify their account.

Local user: Sign in with Google¶

Users can create a local user account for Confluent Cloud using Google as their social identity provider (IdP). This simplifies user registration and sign-in and is a convenient alternative to mandatory account creation.

If your organization starts on Confluent Cloud using the "Sign in with Google" option, you can migrate later to use SAML-based single sign-on (SSO).

注釈

You cannot currently disable Google authentication to use username/password authentication.

Use Sign in with Google to authenticate¶

You can sign up for a Confluent Cloud local user account with Google and then you will be able to use Sign in with Google on every future visit.

To use Sign in with Google:

Go to Confluent Cloud Console (https://confluent.cloud/signup).
Click Sign up with Google.
On the Choose an account page, click on your Google account.
In the Finish creating your Confluent account section, enter values for your Full name, Organization, and Country. Submit is now enabled.
Click Submit. You are signed in to Confluent Cloud and can now begin exploring and using the Confluent Cloud Console.

After registering your Google account with Confluent Cloud, you can sign in to Confluent Cloud by going to the Confluent Cloud Console and clicking Sign in with Google.

Local user: Sign in with GitHub¶

Users can create a local user account for Confluent Cloud using GitHub as their social identity provider (IdP). As a convenient alternative to mandatory account creation, using Sign in with GitHub simplifies user registration and sign-in.

If your organization starts on Confluent Cloud using the "Sign in with GitHub" option, you can migrate later to use SAML-based single sign-on (SSO).

注釈

You cannot currently disable GitHub authentication to use username/password authentication.

Use Sign in with GitHub to authenticate¶

You can sign up for a Confluent Cloud local user account with GitHub and then you will be able to use Sign in with GitHub on every future visit. The primary email address on your GitHub account will be associated with your Confluent Cloud account.

To use Sign in with GitHub:

Go to Sign-up page for Confluent Cloud at https://confluent.cloud/signup <https://confluent.cloud/signup>.
Click Sign up with GitHub. The Sign in to GitHub to continue to Confluent Cloud dialog appears.
Complete the Username or email address and Password fields and then click Sign in. The Two-factor authentication dialog appears.
Verify that you are signing in using two-factor authentication and, optionally, select the option to Use this method for future logins.
In the Finish creating your Confluent account section, enter values for your Full name, Organization, and Country. Submit is now enabled.
Click Submit. You are signed in to Confluent Cloud and can now begin exploring and using the Confluent Cloud Console.

After registering your GitHub account with Confluent Cloud, you can sign in to Confluent Cloud by going to the Confluent Cloud Console and clicking Sign in with GitHub.

Single sign-on (SSO) user accounts¶

User accounts created after enabling single sign-on (SSO) for your organization provide access to Confluent Cloud using an existing SAML-based identity provider (IdP) and a unique SSO sign-in URL. For more information on enabling and using SSO with Confluent Cloud, see SSO in Confluent Cloud.

Add an SSO user¶

To add an SSO user to your Confluent Cloud account, the user must be a member of the same organization domain, which is determined by the domain name part of the email address that follows the @ symbol.

The organization domain is determined by the first user to create a Confluent Cloud account using email address that includes the domain name. The first user is automatically assigned the OrganizationAdmin role, which grants permission to add users.

注釈

SSO users cannot change their authentication method -- they must use SSO.

To add an SSO user to your organization:

Open the Confluent Cloud Console and go to ADMINISTRATION > Accounts & access.
On the Accounts & access page, click Add user.
In the Add user page, enter the following:
- Account: Enter the email address of the new user.
- Access (optional): Select a role for the invited user. Additional role assignments can be added, if necessary.
Click Review. A summary of the new account appears.
Click Create. The email message is sent to the user and the Accounts & access page appears. A Pending status appears for the new user until the invitation is accepted and the account creation is completed.

Users must sign in using the new organization-specific SSO URL. For example, https://confluent.cloud/login/sso/<sso-identifier>.

If a user does not have a Confluent Cloud account and attempts to sign in using the IdP, they will receive an "Invalid username" message.

注釈

When SSO is enabled, users do not have to verify their email address before logging into Confluent Cloud; if their IdP credentials are valid and they have a profile in Confluent Cloud, they can sign in.

After SSO is enabled for your organization, you can add local users.

Change the authentication type¶

Confluent Cloud user accounts can have an authentication type of either Local or SSO. For details, see User account types.

To change the authentication type of an existing user account:

In the Confluent Cloud Console, go to the User accounts page at https://confluent.cloud/settings/org/accounts/users.
In the Name column, click the username of the user account you want to modify.

The user account page opens displaying Details and Authentication settings.
Click the Edit authentication type icon.

The Authentication type dropdown appears.
Select the new authentication type: Local or SSO.

When you select a different option than the current selection, Save Changes is enabled.
Click Save Changes.

The authentication type you selected is now active.