Trusted Domains


Trusted Domains are used to restrict how users sign up and log in to the WarpStream Console. This includes disabling signups for new accounts using a certain email domain or requiring all authentication to be done via SSO.

Adding a Trusted Domain

To add a trusted domain, navigate to your "Team" in the WarpStream Console sidebar and click on "Trusted Domains" in the top right. Once in the Trusted Domains UI, you can use the "Add Domain" button to add the domain.

Once a domain is added, ownership must be verified before any enforcements can be put in place.

Verifying a Trusted Domain

Domain verification is done via TXT records. Every domain added to WarpStream requires its own unique TXT record. In the Trusted Domains UI, clicking "Verify" under Operations shows the unique TXT record needed for this domain.

  1. Sign in to your domain name host provider in a separate browser window.

  2. Go to the DNS records for your domain.

  3. Add a new TXT record with the following values:

| Field | Value |
| --- | --- |
| Record type | TXT |
| Name/Host/Alias | @ |
| Value/Destination | Enter the verification code provided by the WarpStream Verify UI |

Example of a verification code:

warpstream-verification=84IFEgv7xSyVKsYiWH2Rrg==
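
One way to confirm the record is actually published at the domain apex before verifying, as an added example that is not part of the WarpStream documentation or tooling. The function names, `example.com`, the sample `dig` output and the default resolver `1.1.1.1` are assumptions; the verification code is the example value shown above.

```shell
#!/bin/sh
# Added example (not WarpStream code): check that the verification TXT record
# from the Verify UI is visible in DNS, and tell "missing" from "wrong code".

# Constructed sample of `dig +short TXT example.com` output: an unrelated SPF
# record plus the verification code presented as two quoted strings, which is
# how dig prints a TXT record made of several character-strings.
sample_dig_output() {
    printf '%s\n' \
        '"v=spf1 -all"' \
        '"warpstream-verification=" "84IFEgv7xSyVKsYiWH2Rrg=="'
}

# Turn each answer line into one plain value: join split strings, drop quotes.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# check_verification EXPECTED   (reads `dig +short TXT` output on stdin)
#   0 = EXPECTED is published exactly
#   1 = no warpstream-verification record found
#   2 = a warpstream-verification record exists, but with a different code
#       (for example a code issued for another domain, since each is unique)
check_verification() {
    expected=$1
    found=$(normalize_txt | grep '^warpstream-verification=' || true)
    [ -n "$found" ] || return 1
    if printf '%s\n' "$found" | grep -Fxq -- "$expected"; then
        return 0
    fi
    return 2
}

# Live check against a chosen resolver (hypothetical wrapper; requires dig).
# Usage: verify_domain example.com 'warpstream-verification=...' 1.1.1.1
verify_domain() {
    dig +short TXT "$1" "@${3:-1.1.1.1}" | check_verification "$2"
}
```

Exit status 2 usually means the record was copied from a different domain's Verify dialog or an old code was left in the zone.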

Editing a Trusted Domain

Once a domain is added, you can edit it to add the access restrictions listed below. When enabled, these restrictions are only enforced once the domain is verified.

  • Disable Signup

    • Users will not be able to sign up for a new account with an email matching the trusted domain. They will only be able to sign up if invited to an existing team by another user.

  • Require SSO

    • Users will not be able to sign up or log in via password with an email matching the trusted domain, regardless of whether they were invited to an existing team. All users will be required to log in via SSO.

    • If SSO is not properly configured for the team, all users with an email matching the trusted domain will be locked out of the WarpStream Console. Please make sure SSO is properly set up and verified working before enabling this restriction.