Requirements

You first need to create an Aiven account and an account authentication method. An account is a top-level concept: it can be associated with multiple projects, and it is where company-wide configuration such as the authentication setup is made. For now, this is done with the Aiven command-line interface (avn).

Creating the Aiven account

First, check whether your company already has an account:

$ avn account list

If no account is listed, create one:

$ avn account create --name "My account"

This command returns information about your newly created account. Note the ACCOUNT_ID, as you will need it later. (The "My account" in the command above is not the sign-in name used at console.aiven.io; it is a company-level name that is used for SSO, among other things.)

You can then assign projects to an account with the following command:

$ avn project update --project $PROJECT_NAME --account-id $ACCOUNT_ID

Creating the Aiven account authentication method

$ avn account authentication-method create $ACCOUNT_ID --name "My SAML" --type saml

The command returns information about the newly created authentication method. Note the AUTHENTICATION_METHOD_ID, as it will be needed later. The command also prints two URLs (the service-provider Entity ID and the Assertion Consumer Service URL) that you will paste into Azure in the next step.

Additional SAML settings can be passed as one or more -c attribute_name=attribute_value parameters. Currently supported optional attributes are saml_variant (default none, other option adfs), saml_signature_algorithm (default rsa-sha256, other options rsa-sha1, dsa-sha1, rsa-sha384 and rsa-sha512), and saml_digest_algorithm (default sha256, other options sha1, sha384 and sha512). Keep the SHA-256 defaults unless your identity provider genuinely cannot produce them: the SHA-1 options exist only for legacy IdPs, and Azure AD signs with RSA-SHA256 and SHA-256 digests by default, so no override is needed for this guide.

Creating the Azure Application

When logged in to Azure, go to "Enterprise applications" (either via the tiles or the search bar), then use the left column navigation to go to "All applications" and click "New application".
Then use the "Add from the gallery" search bar to find and select the "Azure AD SAML Toolkit". You can use any name you like for the app, such as "Aiven SAML"; then click the "Add" button.

Use the navigation to go back to the Enterprise applications list. The application might not be visible yet; you may have to select the "All applications" filter and apply it to see it in the list. Once it is visible, click it to go to its configuration.

Go to the "Single sign-on" configuration using the left column and select "SAML" when asked to choose a single sign-on method.

You'll need to edit the "Basic SAML Configuration" settings with the following values. The Entity ID and Reply URL are the two URLs printed when you created the authentication method, with your own account and method IDs substituted; Azure must be given them exactly, since Aiven will reject responses addressed to any other audience or ACS URL:

  • Identifier (Entity ID) : replace the already configured value with https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{account_authentication_method_id}/metadata 
  • Reply URL (Assertion Consumer Service URL) : replace the already configured value with https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{account_authentication_method_id}/acs 
  • Sign on URL : set it to https://console.aiven.io 

Then click "Save" at the top of the edit pane.

Next, edit the "User Attributes & Claims" section, click "Add a new claim" and create an attribute like so:

Finally, download the "Certificate (Base64)" from the "SAML Signing Certificate" section. This is the certificate Aiven will use to verify the signature on Azure's SAML responses, so it must be the one currently marked active for the application.

Assigning users to the Azure application

For your users to be able to log in using SAML, you need to assign them to the Azure application you just created. To do that, use the left column navigation to go to "Users and groups" and click "Add user" at the top of the list. Select the users who will be able to log in to Aiven with your Azure AD and click the "Assign" button at the bottom of the page when you're done. Users who are not assigned here will be refused by Azure before any assertion reaches Aiven.

Setting up the Azure Application in Aiven

Once the application is set up, you need to provide its data to Aiven. These values can be found in the "Single sign-on" settings of the application on Azure, in the "Set up Aiven SAML" section.

You can then run the following command using the data from the SAML setup page, where:

  • $IDENTITY_PROVIDER_URL is the value of "Login URL"
  • $IDENTITY_PROVIDER_ISSUER is the value of "Azure AD Identifier"

$ avn account authentication-method update $ACCOUNT_ID $ACCOUNT_AUTHENTICATION_METHOD_ID -c saml_idp_url=$IDENTITY_PROVIDER_URL -c saml_entity_id=$IDENTITY_PROVIDER_ISSUER -f saml_certificate=path/to/certificate.pem --enable

When this is done, go to https://console.aiven.io/link_account?account_authentication_method_id=$ACCOUNT_AUTHENTICATION_METHOD_ID to finalize linking your Azure account and your Aiven profile. The same URL can be used to invite other members of your team to log in or sign up to Aiven using Azure (remember that they must be assigned to the Aiven application in Azure for this to work).
