Requirements

You first need to create an Aiven account and an account authentication method. An account is a top-level concept: it can be associated with multiple projects, and it is where you make organisation-level configuration such as the authentication setup. You can do this in the Aiven Console.

Creating the Aiven account

Once you have logged into the Aiven Console, you should see your projects in the top left of your screen. Click the current project to open the project select and click See all projects. This should open a Projects & Accounts modal.

On the Projects & Accounts modal, click on Create account and you will be taken to a page where you provide a name, project(s) to link it to and the option to invite other admins.

Once created, you will see an overview of the account you just created. The Authentication tab lets you add a new authentication method (in this case SAML) and configure it.

Clicking on Add Authentication Method opens a dialog where you can name the method, specify its type and choose a default team that members should join.

Once you click Add, you will see the configuration URLs for your Identity Provider (you do not need to note these down now; you can access them at any time).

For now we are done with the Aiven side. Let's move on to Okta and create our application.

Creating the Okta Application

This is a two-step process. We will first create the SAML SP-initiated authentication application, then create a bookmark app that redirects to the Aiven Console's login page.

Creating the SP-Initiated Authentication Application

Log in to the "Admin" portal and navigate to the "Applications" tab. Click on the "Add Application" button, then "Create New App". You should see the following form:

For the "Platform" field, keep the default ("Web") value, and select "SAML 2.0" for the "Sign on method", then click "Create".

In the following form, you can give the app a name (e.g. "Aiven") and a logo, and set its visibility for your Okta users. Select "Do not display application icon ..." here, since Aiven does not currently support IdP-initiated SAML flows (we will work around this later with an Okta bookmark app). Once this is done, click "Next".

Then comes the SAML configuration form. The following fields need to be set. Copy both URLs exactly as the Aiven Console shows them: a SAML service provider rejects an assertion whose Audience does not match its entity ID, and the two URLs differ only in their last path segment, so they are easy to mix up.

  • Single sign on URL : This value is visible in Aiven Console on the newly created Authentication method page. The URL format is https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{account_authentication_method_id}/acs
  • Audience URI (SP Entity ID) : This value is visible in Aiven Console on the newly created Authentication method page. The URL format is https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{account_authentication_method_id}/metadata
  • "Attribute statements" should have an entry where "name" is email and "value" is user.email (see image below)

Once this is done, click "Next" then "Finish". You will be redirected to your application in Okta.

Assigning users to the Okta application

For your users to be able to log in using SAML, you need to assign them to the Okta application you just created. To do that, go to the "Assignments" tab of the application, click on the "Assign" button and assign individual users or groups to the application.

Setting up the Okta Application in Aiven

Once the application is created, you need to provide the application data to Aiven. This data can be found in the "Sign On" tab of the application in Okta, by clicking "View Setup Instructions".

This opens a new tab with the information required to finalize the setup (the IdP issuer, the IdP single sign-on URL and the X.509 signing certificate). From this page, download the certificate file. Aiven uses this certificate to verify the signature on the assertions Okta sends, so if the certificate is ever rotated on the Okta side, the copy configured in Aiven must be updated as well.

You can then go back to Aiven Console and finalize the configuration in the Authentication method page.

When this is done, use the "Account Link URL" on the authentication config page to link your Okta account and your Aiven profile. You can also invite other members of your team to log in or sign up to Aiven using Okta via the Signup link shown in the Authentication method page. Note: they will also need to be assigned to the Aiven application in Okta for this to work.
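As a worked example (added here; this is not Aiven's or Okta's own code), the checks below take a SAMLResponse in the base64 form the browser POSTs to the ACS URL, decode it, and compare the Destination, Audience, email attribute and embedded signing certificate against the values configured in the steps above. The account and method identifiers, the sample response and the certificate bytes are constructed placeholders (the "certificate" is not a parseable X.509 object; only its fingerprint is compared). The script does not verify the XML signature, which Aiven does server-side; it is a configuration sanity check for the "Audience URI pasted as the ACS URL" mix-up, a missing email attribute statement and a stale certificate.

```python
"""Sanity-check a SAMLResponse against the Aiven/Okta configuration values."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def aiven_urls(account_id, method_id):
    """ACS URL ("Single sign on URL") and SP Entity ID ("Audience URI") in Aiven's format."""
    base = f"https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{method_id}"
    return {"acs": base + "/acs", "entity_id": base + "/metadata"}


def pem_sha256(pem):
    """SHA-256 fingerprint of the DER inside a PEM file (the certificate downloaded from Okta)."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def check_saml_response(saml_response_b64, account_id, method_id, idp_cert_pem):
    """Return a list of problems; an empty list means the configured values line up."""
    expected = aiven_urls(account_id, method_id)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    # Destination must be the ACS URL typed into Okta's "Single sign on URL".
    dest = root.get("Destination")
    if dest != expected["acs"]:
        problems.append(f"Destination {dest!r} != ACS URL {expected['acs']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element in response"]

    # Audience must be the SP Entity ID (the .../metadata URL), not the ACS URL.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["entity_id"]:
        problems.append(f"Audience {audience!r} != SP Entity ID {expected['entity_id']!r}")

    # The attribute statement configured as name=email, value=user.email.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get("email"):
        problems.append("no 'email' attribute statement (Okta: name=email, value=user.email)")

    # The certificate Okta embeds in the signature must be the one uploaded to Aiven.
    cert_b64 = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert_b64 is None:
        problems.append("response carries no X509Certificate")
    elif hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() != pem_sha256(idp_cert_pem):
        problems.append("signing certificate differs from the one downloaded from Okta")
    return problems


# --- constructed sample input: placeholder values, not real Aiven or Okta data ---
ACCOUNT_ID = "a1234567890a"
METHOD_ID = "am123456789b"
_FAKE_DER = b"placeholder bytes standing in for Okta's DER certificate"
_FAKE_CERT_B64 = base64.b64encode(_FAKE_DER).decode()
SAMPLE_IDP_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + _FAKE_CERT_B64
                       + "\n-----END CERTIFICATE-----\n")


def sample_response(audience, email):
    """Build an unsigned, constructed SAMLResponse and base64-encode it as a browser would POST it."""
    urls = aiven_urls(ACCOUNT_ID, METHOD_ID)
    attr = ""
    if email:
        attr = ('<saml:AttributeStatement><saml:Attribute Name="email">'
                f'<saml:AttributeValue>{email}</saml:AttributeValue>'
                '</saml:Attribute></saml:AttributeStatement>')
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'xmlns:ds="{NS["ds"]}" Destination="{urls["acs"]}">'
           f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_FAKE_CERT_B64}'
           '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
           '<saml:Assertion><saml:Conditions><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions>{attr}</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    urls = aiven_urls(ACCOUNT_ID, METHOD_ID)
    good = sample_response(urls["entity_id"], "alice@example.com")
    print(check_saml_response(good, ACCOUNT_ID, METHOD_ID, SAMPLE_IDP_CERT_PEM))
    # Common mistake: the ACS URL pasted into "Audience URI", and no email attribute.
    bad = sample_response(urls["acs"], None)
    for p in check_saml_response(bad, ACCOUNT_ID, METHOD_ID, SAMPLE_IDP_CERT_PEM):
        print("-", p)
```

To use it against a real login, capture the SAMLResponse form field from the browser's network tab for the POST to the .../acs URL and pass it, together with the account and method identifiers from the Aiven Console and the certificate file downloaded from Okta, to check_saml_response. A clean result here with login still failing points at something this script does not cover: the signature itself, clock skew on the assertion's validity window, or an unlinked Aiven profile.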

Create the Aiven Console Chiclet

To simplify end users' experience, we will also create an Aiven Console chiclet.

Log in to the Okta Admin portal and navigate to the "Applications" tab. Click "Add Application" and search for "Bookmark App".

After selecting the search result, click "Add" and configure the Label and URL to https://console.aiven.io/login. Make sure that you keep the app visible to end users.

After clicking "Done" you can edit the bookmark app to optionally add the Aiven logo.

Assigning users to the bookmark app

For your users to see the bookmark on their Okta dashboard, you also need to assign them to the bookmark app you just created. To do that, go to the "Assignments" tab of the bookmark app, click on the "Assign" button and assign individual users or groups to it. This is in addition to their assignment to the SAML application, which is what actually allows them to log in.

Troubleshooting

Invalid RelayState

If you get this error, you attempted an IdP-initiated authentication flow, i.e. you clicked the Aiven SAML app from the Okta UI. At this time, Aiven does not support IdP-initiated flows; instead, users must initiate the flow from Aiven's Console after linking accounts. You can use an Okta "Bookmark App" to simplify this for end users.

My Okta Password Does Not Work

Make sure that you use the "Account Link URL" to add the Okta authentication method to your Aiven profile. Once linked, you should be offered a choice of sign-in methods at login and see the additional authentication method in your user profile.

I need Help

Thank you for your patience while we develop this feature (and many others) for the Aiven platform. Our support team is always on hand to help. We will update this article when the feature is released; please contact us if you would like to be alerted when it becomes available.
