Requirements

You first need to create an Aiven account and an Aiven account authentication method. An account is a top-level concept that can be associated with multiple projects and that holds corporate-level configuration such as the authentication setup. You can do this in Aiven Console.

Creating the Aiven account

Once you have logged into the Aiven Console, you should see your projects in the top left of your screen. Click the current project to open the project selector and click See all projects. This opens a Projects & Accounts modal.

On the Projects & Accounts modal, click on Create account and you will be taken to a page where you provide a name, project(s) to link it to and the option to invite other admins.

Once created, you will see an overview of the account you just created. A tab called Authentication lets you add a new method (in this case SAML) and configure it.

Clicking on Add Authentication Method opens a dialog where you can name your method, specify its type and choose a default team you want members to join.

Once you click Add, you will see the configuration URLs for your Identity Provider (you do not need to note these down, you can access them at any time).

For now, we are done with the Aiven side of this, let's move on to Okta and create our application.

Creating the Okta Application

The very first step is to make sure you are using the "Classic UI" in the Okta admin panel as the "Developer Console" view doesn't provide the features we're going to need. To do that, check the upper-left of the admin panel, and make sure "Classic UI" is selected.

Once you're in the Classic UI, go to the "Applications" tab and click on the "Add Application" button, then "Create New App". You should see the following form:

For the "Platform" field, keep the default ("Web") value, and select "SAML 2.0" for the "Sign on method", then click "Create".

In the following form, you can give the app a name (e.g. "Aiven") and a logo, and set its visibility for your Okta users. Once this is done, click "Next".

Then comes the SAML configuration form. The following fields need to be set:

  • Single sign on URL : This value is visible in Aiven Console on the newly created Authentication method page. The URL format is https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{account_authentication_method_id}/acs 
  • Audience URI (SP Entity ID) : This value is visible in Aiven Console on the newly created Authentication method page. The URL format is https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{account_authentication_method_id}/metadata 
  • "Attribute statements" should have an entry where "name" is email (lower case, exactly as written) and "value" is user.email (see image below)
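These three fields are where a typo silently breaks the login: Okta will happily issue an assertion, and Aiven will reject it because the Destination, Audience or attribute name does not match what it expects. As an added check that is not part of the original article and not Aiven's or Okta's own code, the Python script below parses a captured SAMLResponse (the base64 form field Okta posts to the ACS URL, obtainable from the browser with a SAML tracer extension) and compares it against the URL formats shown on the Aiven authentication method page. The account_id and method_id values, the e-mail address and the sample response are constructed placeholders.

```python
# Added example: offline sanity check of a captured Okta SAML Response against
# the values entered in the Okta app and on the Aiven authentication method page.
# Not Aiven's or Okta's own code; the account_id / method_id values, the sample
# response and the e-mail address are constructed placeholders.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def aiven_sp_urls(account_id: str, method_id: str) -> dict:
    """Build the two URLs in the format the Aiven authentication method page shows:
    the ACS URL goes into Okta's 'Single sign on URL', the metadata URL into
    'Audience URI (SP Entity ID)'."""
    base = f"https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{method_id}"
    return {"acs": base + "/acs", "entity_id": base + "/metadata"}


def check_saml_response(saml_response_b64: str, expected: dict) -> list:
    """Return a list of problems found in a base64 SAMLResponse (empty list = OK).

    Checks only the configuration values a typo would break: Destination must be
    the ACS URL, the Audience must be the SP Entity ID, and the assertion must
    carry an attribute literally named 'email'.  It does NOT verify the XML
    signature; Aiven does that server-side with the Okta certificate you upload,
    so this is a debugging aid, not a reason to trust an assertion."""
    problems = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not urn:oasis:names:tc:SAML:2.0:status:Success")

    dest = root.get("Destination")
    if dest != expected["acs"]:
        problems.append(f"Destination {dest!r} != Single sign on URL {expected['acs']!r}")

    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append(f"Audience {audiences!r} lacks SP Entity ID {expected['entity_id']!r}")

    attrs = {
        a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
        for a in root.iterfind(".//saml:Attribute", NS)
    }
    if "email" not in attrs:  # attribute names are case-sensitive: 'Email' will not match
        problems.append(f"no attribute named 'email'; got {sorted(attrs)!r}")
    elif not attrs["email"] or "@" not in (attrs["email"][0] or ""):
        problems.append(f"'email' attribute value {attrs['email']!r} is not an address")
    return problems


def build_sample_response(expected: dict, attr_name: str = "email",
                          email: str = "alice@example.com") -> str:
    """Constructed, unsigned SAMLResponse in the shape Okta posts to the ACS URL.
    Used here only as sample input; a real capture comes from the browser's
    SAMLResponse form field."""
    xml = f"""<saml2p:Response xmlns:saml2p="{NS['samlp']}" ID="id-resp" Version="2.0"
    Destination="{expected['acs']}">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="{NS['saml']}" ID="id-assert" Version="2.0">
    <saml2:Conditions><saml2:AudienceRestriction>
      <saml2:Audience>{expected['entity_id']}</saml2:Audience>
    </saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="{attr_name}"><saml2:AttributeValue>{email}</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    expected = aiven_sp_urls("a1234567890", "am1234567890")  # placeholder IDs
    print("correct config:", check_saml_response(build_sample_response(expected), expected))
    # Naming the attribute statement 'Email' instead of 'email' is a common mistake:
    print("wrong attribute name:", check_saml_response(build_sample_response(expected, "Email"), expected))
```

Run it against a real capture by replacing the call to build_sample_response with the SAMLResponse value from your browser and the placeholder IDs with the ones in your Aiven URLs. An empty list means the Okta form matches the Aiven side; each entry names the field to fix. Because the script deliberately skips signature verification, a clean result says the configuration is consistent, not that the assertion is genuine.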

Once this is done, click "Next" then "Finish". You will be redirected to your application in Okta.

Assigning users to the Okta application

For your users to be able to log in using SAML, you need to assign them to the Okta application you just created. To do that, go to the "Assignments" tab of the application. Then click on the "Assign" button and assign individual users or groups to the application.

Setting up the Okta Application in Aiven

Once the application is created, you need to provide the application data to Aiven. This data can be found in the "Sign On" tab of the application in Okta, after clicking "View Setup Instructions".

This opens a new tab with the information required to finalize the setup of Okta with Aiven. From this page, download the certificate file; Aiven uses it to verify the signature on the assertions Okta sends, so make sure you upload the certificate of the application you just created.

You can then go back to Aiven Console and finalize the configuration in the Authentication method page.

When this is done you can go to the Account link URL to finalize linking your Okta account and Aiven profile. You can also invite other members of your team to log in or sign up to Aiven using Okta via the Signup link shown in the Authentication method page. Note: they will need to be assigned to the Aiven application in Okta for this to work.