guidesSeptember 29, 20255 min read

Integrate SSO with Apache Kafka (AWS MKS)

This guide explains how to integrate SSO with Apache Kafka using Hoop.dev Hoop.dev emerges as a transformative solution for secure access management in cloud-native environments, particularly when integrated with Amazon Managed Streaming for Apache Kafka (MSK). This guide provides a detailed walkthrough for implementing Hoop.dev as an access gateway for AWS MSK, complete with practical examples for fundamental Kafka operations. By combining Hoop.dev's zero-trust security model with AWS MSK's fu

Free White Paper

AWS IAM Policies + Cross-Domain SSO: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Andrios Robert

This guide explains how to integrate SSO with Apache Kafka using Hoop.dev

Hoop.dev emerges as a transformative solution for secure access management in cloud-native environments, particularly when integrated with Amazon Managed Streaming for Apache Kafka (MSK). This guide provides a detailed walkthrough for implementing Hoop.dev as an access gateway for AWS MSK, complete with practical examples for fundamental Kafka operations. By combining Hoop.dev's zero-trust security model with AWS MSK's fully managed Kafka service, organizations achieve robust data protection while maintaining operational efficiency in distributed systems1 12.

How to integrate SSO with Apache Kafka+ Hoop.dev

Create a Hoop.dev account and get your authentication token
Create a connection to access with SSO using the Hoop CLI
Invite your team to access the connection with SSO using the Hoop CLI

If you don't need a tutorial and just want to get started, please consider reading the quickstart docs instead.

Apache Kafka support in Hoop.dev

You can use Hoop.dev with Hoop CLI as shown in the examples below, or alternatively use the Hoop.dev Web Editor if your prefer.

Hoop.dev gets out of the way and users experience the interface of any service as they are. The only changes are to make things more secure and easier to use. For instance: users don't have to run 10 steps in 3 systems to get a temporary credentials anymore, instead they use a single command, and security is more robust.

Why Hoop.dev?

SSO integration require a lot more engineering time, resources and ongoing maintenance than you would first expect.

When first integrating a new service you need to understand the specifics of how to configure SSO for such service. Some services will require a paid or enterprise license only to let you do that. Or sometimes the service might not offer SSO integration. When you manage to setup the initial integration, you have to automate the internal profiles of your service to the profiles of your IDP. The authorization process is time consuming and as you evolve to finer-grained permissions you have to revisit all your SSO integrations.

This is where Hoop.dev comes in. With Hoop you can remove all this complexity from both first integration and ongoing maintenance. In under five minutes you setup a new connection with zero changes to your service and we take care of all the above and more.

Integrating SSO

Hoop.dev offers a CLI and Web interface for interacting with the connections. This guide will show how to use them.

You can also refer to the documentation for all the information needed to start using Hoop.dev

Main concepts

Hoop.dev has three important entities you will be interacting with:

connection: these are the services you'll manage. They have have credentials, attached policies, and a few other properties.
policy: policies are the rules you set for how users interact with a connection. Each connection can have multiple policies and each session for that connection will have a set of policies applied on the begging and during the session time.
session: these are the interactions of your users with the connections. They can be behave differently depending on the policies configured for the connection.

Install dependencies

Install the Hoop CLI to easily connect to your service via Hoop.

MacOS: Top this brew formula and install the CLI

brew tap hoophq/hoopcli https://github.com/hoophq/hoopcli

brew install hoop

Linux: Run this shell script to install the CLI (check the code here)

curl -s -L https://releases.hoop.dev/release/install-cli.sh | sh

Authenticate your CLI with your Hoop.dev account. You can signup for an account here.

Continue reading? Get the full guide.

AWS IAM Policies + Cross-Domain SSO: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

hoop login

Get your authentication token

Before you can start the Hoop proxy agent you need to get an authentication token. You can get it running the following command:


hoop admin create agent demo

The authentication token will look something like this: grpcs://demo:xagt-SV9N48TQiD2TozyHFCAE4XsoKa21YF1GKLsvflAWSnV@use.hoop.dev:8443?mode=standard

Run the Hoop.dev agent

To start the Hoop.dev process on your local computer, export your authentication token as an environment variable named HOOP_DSN and then use the CLI start the long-running process.

The agent can run on any platform, from Linux VMs to container platforms like Kubernetes. Check out the installation guides for details on how to deploy to other platforms.

export HOOP_DSN=grpcs://demo:xagt-SV9N48TQiD2TozyHFCAE4XsoKa21YF1GKLsvflAWSnV@use.hoop.dev:8443?mode=standard

hoop start agent

Create a connection per profile

Connections are what users connect to. A connection represents one of the profiles, like or , for a given service. Each of your users will have access to one or more connections. The easiest way to create a new connection is when a new service is setup.

You'll need the connection name when using a connection. You can either find it in the web dashboard where all the connections you can access are easily visible, or list them with the CLI.

To create a connection you'll provide the connection name, the agent name (created in the previous step), and the credentials Hoop will use to access the service on the backend. Remember: these credentials are kept in the vault and are never exposed to the user.

Setup the connection with the Kafka CLI operation you want to perform

Connect with SSO (sessions)

We will now use this Kubernetes cluster with Hoop.dev CLI. You previously signed in with Google or Github, and this connection will use the same authentication. You can customize the default Google or Github federation with your own IDP with this guide.

Execute the operation with SSO

Helping your team access with SSO

In addition to securing your own connections to a service, Hoop.dev provides several resources to make it easy to manage your team when accessing these services. On top of that they'll get a great developer experience while using it.

We offer an intuitive and easy to use internal developer platform to easily connect to any service which you can share with internal user directly. Simply invite them in the settings and they'll be able to use it.

We also offer easy to use docs for how to easily connect to any service which you can share with internal user directly.

Finally, the Web editor provides users with a consistent interface on the web with modern IDE experience without the need to interact with CLI tools.

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demo More posts