Author: Peruri Mohana Satya
In this Blog, you will find:
Contents
What is SSO, and how is it useful?
What is Federated Authentication?
How to Integrate Confluent (SP) with Okta (IdP) for SSO
Conclusion
What is SSO, and How is it useful?
Single sign-on (SSO) allows users to authenticate securely and gain access to multiple third-party applications or websites using a fixed set of credentials (i.e., with the same username and password) within a single domain.
It is helpful for both customers as well as for organizations.
It enables reducing password fatigue for users as they are able to easily remember single credentials and get entry to applications inside within less time.
Similarly, For organizations, it provides a single interface for their employees to access multiple applications using a set of credentials and makes it easier for them to maintain their employee’s data, such as usernames and passwords, and improves security.
What is Federated Authentication?
Federated Identity Management (FIM), also known as Federated SSO, allows users to access applications across multiple domains using a single set of usernames and passwords. Here, user authentication is separated from user access by an external identity provider.
Okta, Google G Suite, and Microsoft Active Directory Federation Service (ADFS), are some of the popular identity vendors.
Okta acts as SAML (Security Assertion Markup Language) IdP and uses SSO to authenticate the users. Some of the primary capabilities of Okta are:
Create, Update, and deactivate users.
Sync Password
Group push
Automatic provisioning of users created in Okta to the target application.
Integration of Confluent with Okta for SSO
Below steps would illustrate the steps to be taken to integrate Confluent with Okta.
1. The below Image shows the sign-in page for Confluent Cloud from which you can sign in to your account. If you do not have an account, sign up to create a new one using the link below, you will receive an email to verify your email address. After verification, you can successfully log into your account.
https://confluent.cloud/signup
2. After login, you can see the confluent dashboard as shown. For SSO implementation, you can go to Administration -> Click on Single sign-on.
3. Next, the Single Sign-on page provides a description of SSO and how it is useful. To Enable SSO for the application, you can click on -> Enable SSO option, as shown in the below image.
4. Next, you need to set an SSO identifier. For that, you need to enter an identifier that should uniquely identify your organization. You can enter it in the SSO identifier block shown in the image.
Identifier includes only lowercase letters, numbers, and the special character, hyphen “(“-”)”. Once done, Click on Next.
(This Unique identifier is added to SSO login link URL, as shown below
https://confluent.cloud/login/sso/<sso-identifier> )
5. To configure the identity provider (Okta), you require information such as Assertion consumer service URL, Entity ID, SAML request binding, and Single logout URL that you can obtain from configuring the Identity provider page, as shown in the image. You can copy all the information and click on Next for further process.
6. Before moving to the Next step, First, set up an identity provider account (Okta).
7. Log in to your Okta account. If you do not have one, sign up for a free trial account using the link below. You will get an email for account activation. Click on activate, set Password, and log in. Below mentioned Image shows the Sign-Up page for Okta account creation.https://www.okta.com/free-trial/customer-identity/
8. After logging in, you can see the Okta dashboard, as shown below. Now Under applications, go to applications -> click on Create App Integration. Unlike other applications such as snowflake and tableau, you cannot find Confluent in the browse app catalog. Hence, you need to create it.
9. Next, you need to choose the sign-in option. As Confluent cloud supports SSO using SAML identity providers, you can select the sign-in method as SAML 2.0 and Click on Next.
SAML stands for Security Assertion Mark-Up Language, responsible for sharing authenticated information between the service provider and identity provider in the XML Format.
10. Next, To create SAML integration, you will be redirected to the general settings page, where you can enter the Application name, select App logo (optional), App visibility as shown in the image, and then Click on Next.
11. To Configure SAML, you need to provide information copied in step 5 from the service provider (confluent cloud). Hence, In the SSO Url block, provide the Assertion Consumer URL and SP entity Id in the Audience URI block.
12. Next, Select Name Id as the Email address and download the Okta certificate (which might be required to import in the service provider), and then ClickNext.
13. Next, In the feedback tab, you can mention why you have created the application as shown in the image and Click on finish.
14. Once done, you will be redirected to the application sign-on page. Keep open SAML set setup instructions page for further use.
Note: If you are not able to find the Okta certificate download option in step 12. You can download it from the Setup Instructions page.
15. Now, Go to Confluent and configure SSO settings using the information obtained from the IdP.
16. Now, as shown in the below image, you need to upload the Okta Certificate downloaded in step 12 and enter the SAML sign-on URL, which you can get from the SAML setup instructions page opened in step 14, and for email mapping, you can use the default option provided to ensure the email address is mapped to the SAML attribute. Then, Click On Submit.
17. Next, you can view the summary of SSO information provided for the integration of the service provider and Identity provider, as shown in the below image.
18. Similarly, In Okta, under the Confluent application general tab, you can view a summary of all information provided while configuring.
Creating Users and assigning them to the Confluent application in Okta
To allow users to access the application using SSO, first, you need to create users in Okta and assign those users to the respective target application. To do that, you can follow the below-mentioned steps.
19. On Okta home page, under directory -> click on people -> Add Person. Instead of adding users individually, under more actions, it also provides a facility to import all users from a CSV file simultaneously, which saves time. Below images represent this process.
20. Once users are added, they will receive an activation link where they can activate their account and set a password. Users need to activate it within seven days after that link expires.
21. Next, To assign a user to the target application, go to application -> click on applications -> go to confluent kafka -> under assignments -> assign the application to the people.
22. Check username, click save, and go back. Then, you can see the users who are successfully added to the application under the assignments tab.
23. For Successful login of users, one thing you need to ensure is users created in Okta must be assigned to the respective target application in Okta (Identity provider Side), as well as they must be users in the end application (Service provider side).
24. Okta has the Capability to automatically provision users created in Okta to target applications. To achieve this, you need to do additional configuration on both Idp side (Okta) as well as service provider side (Confluent Cloud).
25. If not, you need to create users manually in the target application.
26. To Create users in the confluent cloud, Navigate to administration -> click on account and access -> add users with their email addresses and role as shown below. Select add as SSO user and send an invite.
27. Once a user clicks on that link, they can enter their Okta credentials and access the respective target application, or the user can log in to their Okta Account and access the required application.
28. In the below image, you can see the Confluent application in the user-side Okta dashboard. Similarly, if you assign more applications to users in Okta, they can access all the assigned applications using a single set of credentials, i.e., using the same username and password.
Conclusion
Therefore, In this way, Single sign-on helps the users to authenticate to many services using single credentials. The identity provider (Okta) helps in providing an additional layer of security for authentication and automated management of users.
Note: Images used in this blog are taken from Okta and Confluent cloud applications.
References:
[1]. Single sign-on for Confluent Cloud [Confluent Documentation]. Retrieved from
https://docs.confluent.io/cloud/current/access-management/authenticate/sso/sso.html
[2]. Configuring External App Integration [Okta Documentation]. Retrieved from
https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Bookmark_App.htm