Single Sign-On (SSO) for Confluent Control Center

You can enable Single Sign-On (SSO) for Confluent Control Center to offload the management of your Confluent Control Center users and authentication to a supported OIDC identity provider and enforce additional security controls, like multi-factor authentication (MFA).

After enabling SSO for Confluent Control Center, your Control Center users go to the Confluent Control Center page and click Log in via SSO to sign in to Confluent Control Center using their SSO user credentials.

To enable SSO for Confluent Control Center, you must configure Control Center to use an OpenID Connect (OIDC) identity. SSO for Confluent Cloud is supported using SAML. Note that SSO for Confluent Control Center cannot be used for Confluent Platform deployments where Confluent Control Center is self-managed, but Kafka clusters are fully managed by Confluent.

You can enable SSO for Confluent Control Center using one of the following methods:

• For manual configuration:

  • Configure Single Sign-on (SSO) using OIDC.

• For automated configuration:

  Confluent recommends using Confluent Ansible and Confluent for Kubernetes (CFK) to automate the configuration of SSO for Confluent Control Center on Confluent Platform. For more information, see:

  • Confluent Ansible: Configure single sign-on authentication for Control Center
  • CFK: Configure single sign-on authentication for Confluent Control Center