Single Sign-On (SSO) for Confluent Control Center on Confluent Platform

SSO lets Control Center users authenticate once through an identity provider instead of maintaining separate Control Center credentials. You can enable SSO for Control Center to offload user and authentication management to a supported OpenID Connect (OIDC) identity provider. SSO also lets you enforce additional security controls, such as multi-factor authentication (MFA).

After you enable SSO for Control Center, users go to the Control Center page and click Log in via SSO to sign in with their SSO user credentials.

Considerations:

  • To enable SSO for Control Center in Confluent Platform, you must configure Control Center to use an OIDC identity provider. Confluent Cloud supports SSO for Control Center using Security Assertion Markup Language (SAML) and requires a different configuration for the identity provider.

  • To use SSO with Control Center, your installation must use Confluent Platform version 7.5 or later.

  • SSO for Control Center using OIDC cannot be used with both on-premises Confluent Platform clusters, where Control Center is self-managed, and Confluent Cloud clusters, which use SAML for SSO.

Configuration methods

Choose the configuration method that fits your environment:

If you encounter issues enabling SSO, see Troubleshoot SSO for Control Center using OIDC on Confluent Platform.