Managing user access in a modern Pulsar deployment means integrating with your organization's identity provider (IdP). With Single Sign-On (SSO) and external group mapping, you can simplify authentication and enforce role-based access from your existing provider.
To get started, you need to configure Streamvisor so it can communicate with your OAuth provider. Using Keycloak as an example, you need to provide the following properties:
STREAMVISOR_SSO_OAUTH_PROVIDERS_KEYCLOAK_CLIENTID=<client ID>
STREAMVISOR_SSO_OAUTH_PROVIDERS_KEYCLOAK_ISSUERURI=http://localhost:7777/realms/master
STREAMVISOR_SSO_OAUTH_PROVIDERS_KEYCLOAK_SCOPES=openid,profile,email
# For external group mapping, you also need to provide the name of the groups claim
STREAMVISOR_SSO_OAUTH_PROVIDERS_KEYCLOAK_GROUPSCLAIM=roles
This tells Streamvisor how to authenticate users and which claim to use for extracting group information.
If you have already done this, you can skip this step. Otherwise, set up your users and groups in your identity management system now.
If you want to map external groups, make sure that your OAuth tokens are configured to include the group membership under the same claim name you configured in the previous step.
If your data needs to evolve, you can update the schema. Pulsar will check if the schemas are compatible to keep your consumers safe.
To update, return to the Schema tab and click on the Edit Schema button.
In the editor, modify the existing definition to fit your needs, then click on Confirm to submit your changes.
The new schema version will become visible on the page.
To get started, open the Groups page. This is your main starting point for all operations regarding access management or permissions.
Once you are on the Groups page, you'll see a list of groups. Selecting a group takes you to its detail page. Here you can see all of its information, such as the group's description, group permissions, group members, and external mappings.
To set up the external mapping, scroll down to the External Groups section at the bottom of the page and expand it. Next, click on Add External Groups and a dialog will open. In this dialog, add the names of all groups from your OAuth provider that you want to map into this Streamvisor group. Make sure the names exactly match the ones that are sent as part of your groups claim.
Now click Confirm to submit your changes.
Your users are now able to log into Streamvisor using SSO and will be automatically assigned to the right groups.
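If users log in but do not land in the expected groups, the two requirements above (the token carries the configured groups claim, and the mapped names match it exactly) can be checked offline. The following is an added example, not Streamvisor code: the function names and the sample token are constructed for illustration, and it assumes you have a JWT from your provider that carries the claim.

```python
import base64
import json


def jwt_payload(token: str) -> dict:
    """Decode a JWT payload for inspection only (the signature is NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def _norm(name: str) -> str:
    # Differences that commonly break an exact match: case, whitespace,
    # and a leading "/" (sent when a provider emits full group paths).
    return name.strip().lstrip("/").lower()


def check_group_mapping(token: str, groups_claim: str, mapped_names: list) -> dict:
    """Compare the token's groups claim with the external group names you entered."""
    payload = jwt_payload(token)
    if groups_claim not in payload:
        # Claim missing: list the claims that are present so a misnamed one is visible.
        return {"claim_present": False, "claims": sorted(payload)}
    value = payload[groups_claim]
    sent = [value] if isinstance(value, str) else list(value)
    matched = [n for n in mapped_names if n in sent]
    near = [(n, s) for n in mapped_names if n not in sent
            for s in sent if _norm(n) == _norm(s)]
    return {"claim_present": True, "sent": sent, "matched": matched, "near_misses": near}


def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample JWT (constructed test data, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample: claim name "roles" mirrors the GROUPSCLAIM value shown earlier.
SAMPLE = _constructed_token({"sub": "alice", "roles": ["pulsar-admins", "/Data-Eng"]})

if __name__ == "__main__":
    print(check_group_mapping(SAMPLE, "roles", ["pulsar-admins", "data-eng"]))
    print(check_group_mapping(SAMPLE, "groups", ["pulsar-admins"]))
```

A non-empty `near_misses` list points at names to correct in the Add External Groups dialog; `claim_present: False` points at the provider's token mapper or the `GROUPSCLAIM` setting.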
Setting up SSO and external group mapping in Pulsar makes access management smoother, safer and more scalable. By relying on your existing identity provider, you reduce friction for your team and ensure consistent security practices. Try it out next time you need to onboard developers, audit access, or just want to streamline your Pulsar security setup!