Just-in-time User Provisioning on Confluent Cloud

Just-in-time (JIT) user provisioning automatically creates Confluent Cloud user accounts, then uses group mappings to grant access to Confluent Cloud resources based on group memberships in your single sign-on (SSO) identity provider.

When a user from your SSO-enabled organization uses their SSO credentials to sign in to Confluent Cloud for the first time, Confluent Cloud automatically creates a user account with no predefined access to Confluent Cloud resources. If group mappings are available, the user is automatically granted Confluent Cloud role-based access control (RBAC) roles and permissions based on their group memberships in the organization’s user directory at your SSO identity provider.

JIT user provisioning and group mappings reduce your administrative workload and expedite user onboarding because you no longer need to provision users manually by creating Confluent Cloud user accounts and configuring roles and permissions in advance.

Support for Azure Marketplace organizations

JIT user provisioning is disabled by default for Azure Marketplace organizations. To use JIT user provisioning for your Azure Marketplace organization, you need to enable JIT user provisioning in Confluent Cloud using the REST API and update the Confluent Cloud application in Azure Portal.

Enable JIT user provisioning in Confluent Cloud using the REST API

To enable JIT user provisioning for your Azure Marketplace organization, use the Organizations API to update the organization settings by making an HTTP PATCH request to /org/v2/organizations/<org_uuid> with the jit_enabled field set to true. The following curl command shows an example request:

curl --request PATCH --url 'https://api.confluent.cloud/org/v2/organizations/<org_uuid>' \
 --header 'Authorization: Basic <user-credentials>' \
 --header 'content-type: application/json' \
 --data '{"jit_enabled": true}'

The response returns the updated organization setting in JSON format.

For details about updating an organization using the Organizations API, see Update an Organization.

Update the Confluent Cloud application in Azure Portal

To use JIT user provisioning for your Azure Marketplace organization, you need to assign users and user groups to the Confluent Cloud application in Azure Portal and update the Confluent Cloud application properties.

  • Assign users and user groups to the Confluent Cloud application. This ensures that only users and user groups who should be able to access Confluent Cloud can have their user accounts automatically created at first-time SSO sign-in, and that existing SSO users do not lose sign-in access.

  • On the Confluent Cloud enterprise application properties page, the following updates are recommended:

    • Ensure that the Enabled for users to sign-in? option is set to Yes.

      This setting ensures that users can sign in to Confluent Cloud using their SSO credentials.

    • Set the Assignment required? option to Yes.

      This setting ensures that only users who should be able to access Confluent Cloud can have their user accounts automatically created at first-time SSO sign-in.

Disable JIT user provisioning

RBAC role required: OrganizationAdmin.

To disable JIT user provisioning for users in your SSO identity provider, use the Organizations API to update the organization settings by making an HTTP PATCH request to /org/v2/organizations/<org_uuid> with the jit_enabled field set to false. The following curl command shows an example request:

curl --request PATCH --url 'https://api.confluent.cloud/org/v2/organizations/<org_uuid>' \
 --header 'Authorization: Basic <user-credentials>' \
 --header 'content-type: application/json' \
 --data '{"jit_enabled": false}'

The response returns the updated organization setting in JSON format.

For details about updating an organization using the Organizations API, see Update an Organization.
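
The enable and disable requests above as one reusable script, an added example that is not Confluent's own code: it passes the credentials to curl on standard input instead of on the command line, and it checks that the response reports the requested jit_enabled value. The environment variable names and the sample response are constructed for illustration, and the script assumes that the Basic credentials are an API key and secret and that the response body carries jit_enabled.

```shell
#!/bin/sh
# Added example (not Confluent tooling). Assumed names: the two environment
# variables below, holding the API key and secret used for Basic auth.
API_BASE='https://api.confluent.cloud/org/v2/organizations'

# Constructed sample response; fields other than jit_enabled are illustrative.
SAMPLE_RESPONSE='{"id":"00000000-0000-0000-0000-000000000000","jit_enabled":true}'

# Build the PATCH body; accept only the two literal booleans.
jit_body() {
  case "$1" in
    true|false) printf '{"jit_enabled": %s}' "$1" ;;
    *) echo "jit_body: expected true or false" >&2; return 2 ;;
  esac
}

# Print the jit_enabled value (true or false) found in a JSON response body.
jit_state() {
  printf '%s' "$1" | tr -d '\n' |
    sed -nE 's/.*"jit_enabled"[[:space:]]*:[[:space:]]*(true|false).*/\1/p'
}

# Succeed only when the response ($2) reports the requested state ($1).
jit_confirmed() {
  [ "$(jit_state "$2")" = "$1" ]
}

# PATCH the organization ($1 = org UUID, $2 = true|false) and verify the result.
# The credentials reach curl as a config read from stdin, so they stay out of
# the process list and shell history. Assumes no quotes or backslashes in them.
set_jit() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F-]{36}$' ||
    { echo "set_jit: malformed organization UUID" >&2; return 2; }
  jit_req="$(jit_body "$2")" || return 2
  jit_resp="$(printf 'user = "%s:%s"\n' \
      "$CONFLUENT_CLOUD_API_KEY" "$CONFLUENT_CLOUD_API_SECRET" |
    curl --silent --show-error --fail --config - \
      --request PATCH --url "$API_BASE/$1" \
      --header 'content-type: application/json' --data "$jit_req")" || return 1
  jit_confirmed "$2" "$jit_resp" ||
    { echo "set_jit: response does not confirm jit_enabled=$2" >&2; return 1; }
  echo "jit_enabled=$2 confirmed for organization $1"
}

# Usage: set_jit "<org_uuid>" true
```

A non-zero exit from set_jit means the request failed or the response did not report the requested state, so a wrapper script can stop before it changes any assignments in Azure Portal.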