Requirements

You first need to create an Aiven account and an Aiven account authentication method. An account is a top-level concept that can be associated with multiple projects and in which you make corporate-level configuration such as the authentication setup. For now, this can be done using the Aiven command-line interface.

Creating the Aiven account

$ avn account create --name "My account"

This command will return information about your newly created account. Note the ACCOUNT_ID, as we will need it later.

You can then assign projects to an account with the following command:

$ avn project update --project $PROJECT_NAME --account-id $ACCOUNT_ID

Creating the Aiven account authentication method

$ avn account authentication-method create $ACCOUNT_ID --name "My SAML" --type saml

The command will return information about the newly created account authentication method. Note the AUTHENTICATION_METHOD_ID, as it will be needed later. The command also prints two URLs that are needed later.

It is possible to specify additional SAML attributes by passing one or more parameters like -c attribute_name=attribute_value. Currently supported optional attributes are saml_variant (default none, other option adfs), saml_signature_algorithm (default rsa-sha256, other options rsa-sha1, dsa-sha1, rsa-sha384 and rsa-sha512), and saml_digest_algorithm (default sha256, other options sha1, sha384 and sha512).

Creating the Okta Application

The very first step is to make sure you are using the "Classic UI" in the Okta admin panel as the "Developer Console" view doesn't provide the features we're going to need. To do that, check the upper-left of the admin panel, and make sure "Classic UI" is selected.

Once you're in the Classic UI, go to the "Applications" tab and click on the "Add Application" button, then "Create New App". You should see the following form:

For the "Platform" field, keep the default ("Web") value, and select "SAML 2.0" for the "Sign on method", then click "Create".

In the following form, you can give the app a name (e.g. "Aiven") and a logo, and set its visibility for your Okta users. Once this is done, click "Next".

Then comes the SAML configuration form. The following fields need to be set:

  • Single sign on URL: This value was printed by the command used to create the Aiven authentication method. The URL format is https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{account_authentication_method_id}/acs
  • Audience URI (SP Entity ID): This value was printed by the command used to create the Aiven authentication method. The URL format is https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{account_authentication_method_id}/metadata
  • "Attribute statements" should have an entry where "name" is email and "value" is user.email (see image below)

Once this is done, click "Next" then "Finish". You will be redirected to your application in Okta.

Assigning users to the Okta application

For your users to be able to log in using SAML, you need to assign them to the Okta application you just created. To do that, go to the "Assignments" tab of the application, click the "Assign" button and assign individual users or groups to the application.

Setting up the Okta Application in Aiven

Once the application is created, you need to provide the application data to Aiven. This data can be found in the "Sign On" tab of the application in Okta, after clicking "View Setup Instructions".

This will open a new tab where you will get the required information to finalize the setup to use Okta with Aiven. From this page, download the certificate file.

You can then run the following command using the data from the SAML setup page, considering:

  • $IDENTITY_PROVIDER_URL is the value of the "Identity Provider Single Sign-On URL" field
  • $IDENTITY_PROVIDER_ISSUER is the value of the "Identity Provider Issuer" field

$ avn account authentication-method update $ACCOUNT_ID $ACCOUNT_AUTHENTICATION_METHOD_ID -c saml_idp_url=$IDENTITY_PROVIDER_URL -c saml_entity_id=$IDENTITY_PROVIDER_ISSUER -f saml_certificate=path/to/certificate.pem --enable
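A pre-flight check for the values used in the commands above, written as an added example for this article and not part of Aiven's tooling: it derives the two URLs the Okta form needs from the account and method IDs, checks that the downloaded certificate file is PEM-framed DER, and validates the update values, treating the SHA-1 based algorithm options listed under the authentication-method section as weak. The SAMPLE_PEM stand-in, the weak-algorithm classification and the function names are assumptions of this example.

```python
import base64
import re

# URL format quoted in the article for the ACS URL and SP Entity ID.
API = "https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{method_id}"
# Option sets from the article; flagging the SHA-1 based choices as weak is our assumption.
SIGNATURE_ALGS = {"rsa-sha256", "rsa-sha1", "dsa-sha1", "rsa-sha384", "rsa-sha512"}
DIGEST_ALGS = {"sha256", "sha1", "sha384", "sha512"}
WEAK = {"rsa-sha1", "dsa-sha1", "sha1"}

# Constructed stand-in for the Okta certificate: PEM framing around a tiny DER SEQUENCE.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

def sp_urls(account_id, method_id):
    """Return (Single sign on URL, Audience URI) to paste into the Okta SAML form."""
    base = API.format(account_id=account_id, method_id=method_id)
    return base + "/acs", base + "/metadata"

def check_certificate_pem(pem_text):
    """True if the text holds one PEM certificate block whose body is DER (starts with
    SEQUENCE, 0x30). This is a framing check only, not signature or expiry validation."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 2 and der[0] == 0x30

def validate_saml_settings(idp_url, idp_issuer, signature_alg="rsa-sha256", digest_alg="sha256"):
    """Return a list of problems with the values for the update command; empty means OK."""
    problems = []
    if not idp_url.startswith("https://"):
        problems.append("saml_idp_url must be an https URL")
    if not idp_issuer:
        problems.append("saml_entity_id (Identity Provider Issuer) is empty")
    if signature_alg not in SIGNATURE_ALGS:
        problems.append(f"unsupported saml_signature_algorithm: {signature_alg}")
    elif signature_alg in WEAK:
        problems.append(f"{signature_alg} uses SHA-1; prefer rsa-sha256 or stronger")
    if digest_alg not in DIGEST_ALGS:
        problems.append(f"unsupported saml_digest_algorithm: {digest_alg}")
    elif digest_alg in WEAK:
        problems.append(f"{digest_alg} is SHA-1; prefer sha256 or stronger")
    return problems
```

Run the checks on the values copied from the Okta setup page before issuing the update command; an empty problem list and a True certificate check mean the values are at least well-formed.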

When this is done you can go to https://console.aiven.io/link_account?account_authentication_method_id=$ACCOUNT_AUTHENTICATION_METHOD_ID to finalize linking your Okta account and Aiven profile. Note that this same URL can be used to invite other members of your team to log in or sign up to Aiven using Okta (remember that they will need to be assigned to the Aiven application in Okta for this to be possible).
