Authentication in Confluent Platform

By default, Confluent Platform is installed without authentication. Confluent Platform supports the following authentication mechanisms and protocols for Confluent Server brokers.

SASL

SASL (Simple Authentication and Security Layer) is a framework that provides developers of applications and shared libraries with mechanisms for authentication, data integrity-checking, and encryption. The following topics explain how to configure SASL in Confluent Platform.

Mutual TLS (mTLS)

With mTLS (mutual TLS) authentication, both Kafka clients and servers use TLS certificates to verify each other’s identities, so that traffic is secure and trusted in both directions. The following topics explain how to configure mTLS in a Confluent Platform cluster.

HTTP Basic Authentication

You can use HTTP Basic Authentication to authenticate with the Admin REST APIs using a username and password pair, which is presented to the REST Proxy server in the Authorization HTTP header.

Single Sign-on (SSO) for Confluent Control Center

You can use SSO to offload the management of your Control Center users and authenticate to an OIDC-compliant identity provider, such as Microsoft Entra ID (Azure Active Directory), Okta, Keycloak, and others. By using SSO, you can manage your users in one place and use the same credentials to provide a seamless experience across Confluent Control Center and Confluent Cloud. The following topics explain how to configure OIDC SSO for Confluent Control Center.