You first need to create an Aiven account and an Aiven account authentication method. Account is a top level concept that can be associated with multiple different projects and with which you can make corporate level configuration like the authentication setup. For now, this can be done using the Aiven Command-line interface.
Creating the Aiven account
$ avn account create --name "My account"
This command will return informations about your newly created account. You'll want to note the
ACCOUNT_ID as we will need it later.
You can then assign projects to an account with the following command:
$ avn project update --project $PROJECT_NAME --account-id $ACCOUNT_ID
Creating the Aiven account authentication method
$ avn account authentication-method create $ACCOUNT_ID --name "My SAML" --type saml
The command will return informations about the newly created account authentication method. You should note the
AUTHENTICATION_METHOD_ID as it will be needed later. The command also prints two URLs that are needed later.
It is possible to specify additional SAML attributes by passing one or more parameters like
-c attribute_name=attribute_value . Currently supported optional attributes are
saml_variant (default none, other options
rsa-sha256 , other options
rsa-sha512 ), and
sha256 , other options
Creating the Okta Application
The very first step is to make sure you are using the "Classic UI" in the Okta admin panel as the "Developer Console" view doesn't provide the features we're going to need. To do that, check the upper-left of the admin panel, and make sure "Classic UI" is selected.
Once you're in the Classic UI, go to the "Applications" tab and click on the "Add Application" button, then "Create New App". You should see the following form:
For the "Platform" field, keep the default ("Web") value, and select "SAML 2.0" for the "Sign on method", then click "Create".
In the following form, you can give the app a name (e.g. "Aiven"), logo and set it's visibility for your Okta users. Once this is done, click "Next".
Then comes the SAML configuration form. The following fields need to be set:
Single sign on URL: This value was printed by the command used to create the Aiven authentication method. The URL format is
Audience URI (SP Entity ID): This value was printed by the command used to create the Aiven authentication method. The URL format is
- "Attribute statements" should have an entry where "name" is
user.email(see image below)
Once this is done, click "Next" then "Finish". You will be redirect to your application in Okta.
Assigning users to the Okta application
For your users to be able to login using SAML, you need to assign to the Okta application you just created. To do that, go to the "Assignments" tab of the application. Then click on the "Assign" button and assign individual users or groups to the application.
Setting up the Okta Application in Aiven
Once the application is created, you need to provide the application data to Aiven. These data can be found in the "Sign On" tab of the application on Okta, after clicking the "View Setup Instructions".
This will open a new tab where you will get the required information to finalize the setup to use Okta with Aiven. From this page, download the certificate file.
You can then run the following command using the data from the SAML setup page, considering:
$IDENTITY_PROVIDER_URLis the value of the "Identity Provider Single Sign-On URL" field
$IDENTITY_PROVIDER_ISSUERis the value of the "Identity Provider Issuer" field
$ avn account authentication-method update $ACCOUNT_ID $ACCOUNT_AUTHENTICATION_METHOD_ID -c saml_idp_url=$IDENTITY_PROVIDER_URL -c saml_entity_id=$IDENTITY_PROVIDER_ISSUER -f saml_certificate=path/to/certificate.pem --enable
When this is done you can go to https://console.aiven.io/link_account?account_authentication_method_id=$ACCOUNT_AUTHENCATION_METHOD_ID to finalize linking your Okta account and Aiven profile. Note that this same URL can be used to invite other members of your team to login or signup to Aiven using Okta (remember that they will need to be assigned to the Aiven application in Okta for it to be possible).