You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Redpanda Cloud ensures the highest level of authentication for both users and services.
6
+
Redpanda Cloud provides secure authentication for both users accessing the platform and services connecting to your clusters.
6
7
7
8
== User authentication
8
9
9
-
Redpanda provides user authentication to your Redpanda organization through email or single sign-on.
10
+
Redpanda provides user authentication to your Redpanda organization through email/password or single sign-on.
10
11
11
12
=== Email
12
13
@@ -26,6 +27,7 @@ CAUTION: Deleting an SSO connection also deletes all users attached to it.
26
27
27
28
To integrate with Okta, follow the https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm[Okta documentation^] to create an application within Okta for Redpanda. The Redpanda callback location (that is, the redirect location where Okta sends the user) is the following:
To integrate with Azure Entra ID, follow the https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc[Microsoft documentation^] to create an OIDC enterprise (web) application:
44
+
To integrate with Microsoft Entra ID, create a Web application registration that uses the OIDC Authorization Code flow with PKCE:
43
45
44
-
. In the https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id[Entra App Gallery^], on the Create your own application page:
45
-
.. Select *Register an application to integrate with Microsoft Entra ID*.
46
-
.. For the name of your app, enter `Redpanda Cloud`.
47
-
.. Click *Create*.
48
-
. On the Register an application page:
49
-
.. For Supported account types, select *Accounts in this organizational directory only (Redpanda only - Single tenant)*.
50
-
.. For Redirect URI, select *Web* platform with the Callback URL found in Redpanda Cloud. In Redpanda Cloud, navigate to *Users*: *Single sign-on*, and click *Add connection*. Copy the *Callback URL*, and paste it into the Azure *Redirect URI* field.
46
+
. In the https://entra.microsoft.com/[Microsoft Entra admin center^], go to *App registrations* and click *New registration*.
47
+
.. Name: `Redpanda Cloud`.
48
+
.. Supported account types: *Accounts in this organizational directory only (Single tenant)*.
49
+
.. Redirect URI: select *Web*, and paste the Callback URL from Redpanda Cloud. To find the Callback URL, go to *Users* > *Single sign-on* in Redpanda Cloud and click *Add connection*. Copy the *Callback URL*.
50
+
+
51
+
IMPORTANT: The platform type must be *Web*. Because Redpanda Cloud uses the OIDC Authorization Code flow with PKCE and a server-side callback, the app must be configured as Web (not SPA or mobile).
51
52
.. Click *Register*.
52
-
. On the Azure Enterprise applications page, you can now search for the Redpanda Cloud app to assign usersaccess to Redpanda Cloud.
53
-
. On the Azure app for Redpanda Cloud, click *Endpoints*, and copy the *OpenID Connect metadata document URL* endpoint.
54
-
. In Redpanda Cloud, on *Users*: *Single sign-on*, paste that endpoint address into the *Discovery URI* field. Then, complete the SSO configuration:
53
+
. After registration, a corresponding Enterprise application (service principal) appears under *Enterprise applications*. If your organization restricts access, assign users/groups to this Enterprise application to allow access to Redpanda Cloud.
54
+
. On the application registration for Redpanda Cloud, click *Endpoints* and copy the *OpenID Connect metadata document* URL.
55
+
. In Redpanda Cloud, on the *Users*: *Single sign-on* page, paste that endpoint address into the *Discovery URI* field. Then, complete the SSO configuration:
55
56
.. For *Client ID*, copy and paste the *Application (client) ID* from the Azure app for Redpanda Cloud.
56
57
.. For *Client secret*, copy and paste the secret you get from adding a client secret on the Certificates & secrets page for the Azure app for Redpanda Cloud.
57
-
.. For *Realm*, enter your Azure Entra ID tenant domain name.
58
+
.. For *Realm*, enter your Microsoft Entra ID tenant domain name.
58
59
.. Click *Save*.
59
-
.. On the Redpanda Cloud SSO page, edit your new Entra ID connection to enable SSO.
60
+
.. On the Redpanda Cloud Users: Single sign-on page, edit your new Entra ID connection to enable single sign-on.
60
61
+
61
62
Users with an email address with that realm (domain) can now access your Redpanda Cloud account.
62
63
+
63
-
NOTE: You can continue to configure your Azure Enterprise app page for Redpanda Cloud, but there is no need to configure JWT-based claims or API permissions.
64
+
[NOTE]
65
+
====
66
+
67
+
* No additional claims required: Redpanda Cloud only relies on standard OIDC claims provided by your IdP. You do not need to configure optional claims or group claims in ID/Access tokens.
68
+
* No API permissions required: You do not need Microsoft Graph or any other API permissions. Microsoft Graph `User.Read` may be listed (some tenants add it during app creation), but Redpanda Cloud performs OIDC sign-in only and does not call Microsoft Graph.
69
+
* First-login consent only: On first sign-in, users are prompted to consent to the standard OIDC scopes `openid`, `profile`, and `email`. After the first consent, users should not be prompted again unless consent is revoked or the app configuration changes.
70
+
====
71
+
72
+
===== Tips for Integrating Entra ID
73
+
74
+
If users are repeatedly prompted for consent or cannot sign in:
75
+
76
+
* Ensure the app is configured as Web with the exact Redirect URI from Redpanda Cloud.
77
+
* Remove any extra API permissions (for example, `Microsoft Graph: User.Read`).
78
+
* Avoid adding non-standard claims or scopes.
79
+
64
80
65
81
== Service authentication
66
82
@@ -212,7 +228,7 @@ NOTE: If you enable mTLS authentication, you cannot disable it later.
212
228
213
229
==== Create a new cluster with mTLS enabled
214
230
215
-
. Follow the steps to to create a resource group and network for xref:manage:api/cloud-byoc-controlplane-api.adoc#create-a-resource-group[BYOC] or xref:manage:api/cloud-dedicated-controlplane-api.adoc#create-a-resource-group[Dedicated], if you haven't already. You'll need the resource group ID and network ID to create a cluster in the next step.
231
+
. Follow the steps to create a resource group and network for xref:manage:api/cloud-byoc-controlplane-api.adoc#create-a-resource-group[BYOC] or xref:manage:api/cloud-dedicated-controlplane-api.adoc#create-a-resource-group[Dedicated], if you haven't already. You'll need the resource group ID and network ID to create a cluster in the next step.
216
232
217
233
. Make a link:/api/doc/cloud-controlplane/operation/operation-clusterservice_createcluster[`POST /v1/clusters`] request to create a new cluster with mTLS enabled.
@@ -375,7 +391,7 @@ You can choose to enable mTLS and SASL simultaneously for the Kafka API, and mTL
375
391
376
392
==== Create a new cluster with both mTLS and SASL enabled
377
393
378
-
. Follow the steps to to create a resource group and network for xref:manage:api/cloud-byoc-controlplane-api.adoc#create-a-resource-group[BYOC] or xref:manage:api/cloud-dedicated-controlplane-api.adoc#create-a-resource-group[Dedicated], if you haven't already done so. You'll need the resource group ID and network ID to create a cluster in the next step.
394
+
. Follow the steps to create a resource group and network for xref:manage:api/cloud-byoc-controlplane-api.adoc#create-a-resource-group[BYOC] or xref:manage:api/cloud-dedicated-controlplane-api.adoc#create-a-resource-group[Dedicated], if you haven't already done so. You'll need the resource group ID and network ID to create a cluster in the next step.
379
395
380
396
. Make a link:/api/doc/cloud-controlplane/operation/operation-clusterservice_createcluster[`POST /v1/clusters`] request to create a new cluster with both mTLS and SASL or Basic authentication enabled.
0 commit comments