Start with Aiven
1. Log in to your Aiven account at console.aiven.io
2. `Projects` is in the top left; click the drop-down arrow and then `See All Accounts`
3. Click on the Account you want to edit or create a new one
4. Select your new Account and then select the
5. Create a new Authentication Method, call it `Onelogin` and then choose the team to add invited people to (default is
Move to Onelogin
Creating the App
1. Log in or create a new account at onelogin.com
2. Enter the Administration portal (top right link by your username)
3. Go to `Applications` and then `Add App`. Search for `SAML Test Connector IdP` and choose `SAML Test Connector (IdP w/ attr w/ sign response)`
4. Change the Display Name to `Aiven` and add the logo for Krabby if you like. Now click `Save`.
Configuring the App
1. Once it is saved, you should see a `Configuration` link on the left, click it. This is where things get a little different, so let's break down these terms:
- Relay State - The URL that you want the user to be redirected back to once they log in
- Audience - Tells which Service Provider the SAML assertion is intended for; the SP rejects assertions that do not name it
- Recipient - The same as the ACS URL; it sits on the `Subject` confirmation data of the SAML assertion, so the SP can check that the assertion was meant for the endpoint that received it
- Assertion Consumer Service (ACS) URL - This is a URL that the SAML Assertion should be sent to
- Single Logout URL - This does exactly what it says but we do not use it so let's leave that blank
2. The relay state is not so important for us now, just that it is set. You can set it to
3. The audience can be set to: The metadata URL you find in your Auth Method
4. The recipient can be set to: The ACS URL you find in your Auth Method
5. The ACS validator (feel free to modify) should be:
6. The ACS / Consumer URL can be found in the settings of the Authentication method we made in the Aiven Console.
Setting the Parameters
Aiven (or any other Service Provider) expects some information to come back that allows us to identify a user and log them in. While SAML is a standardised protocol, it is clear that the implementation varies greatly. How many apps have you worked on where the User has a `Surname`, or a `LastName`, or a `last_name`? Let's tell OneLogin how to work with Aiven.
1. Ignore all the existing parameters, click the blue `+` button and add the Field Name. Select the box to include it in the SAML Assertion and click `Next`.
2. Map the
3. Repeat these steps for `First Name` and
4. Save the changes to your App.
Linking to Aiven
1. Click the `SSO` link on the left and change the signature algorithm to SHA-256
2. Make a note of the `Issuer URL` and `SAML 2 HTTP Endpoint` for later
3. Click `View Details` of the certificate and copy the `X.509` text or download the file.
4. Switch back to the Aiven Console and go to the Configuration page of your Authentication Method.
5. Scroll down to `SAML Config` and click
6. `IDP URL` is the `Issuer URL` from Onelogin, so paste that there.
7. `Entity ID` is the `SAML 2 HTTP Endpoint`, so paste that there.
8. Make sure sha256 is selected for the algorithm and paste the contents of the certificate from Onelogin.
9. Save that and you are good to go! Make sure the Method is enabled and you can then use the `Signup URL` to invite new people and the `Account link` for those that already have an Aiven login.
10. Final note: you will need to assign users in Onelogin before the connection will work. If you experience errors, try selecting `Reapply entitlement Mappings` under `More Actions` in the `Settings` of your Onelogin App.
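As an added example (not code from this post, from Aiven or from OneLogin), here is a small Python checker for the SAML Response a configured IdP posts to the ACS URL. It ties the settings above together: the Audience and Recipient / ACS values must match what the Service Provider expects, the signature algorithm should be rsa-sha256 as chosen under `SSO`, and the parameter names mapped in OneLogin are normalised to the fields the SP actually needs. Every URL, the sample response and the attribute alias lists are constructed placeholders, not Aiven's real values; verifying the XML signature itself needs an xmlsec-based library and is deliberately not done here.

```python
# Added example: SP-side checks on a SAML Response. All URLs, the sample
# response and the attribute aliases are constructed placeholders; XML
# signature verification (xmlsec) is out of scope for this illustration.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# One user field, many IdP spellings (Surname / LastName / last_name).
# These alias lists are assumptions, not Aiven's actual attribute names.
ATTRIBUTE_ALIASES = {
    "email": ("email", "Email", "mail"),
    "first_name": ("first_name", "FirstName", "givenName"),
    "last_name": ("last_name", "LastName", "Surname", "sn"),
}

# Constructed sample of what the IdP would POST to the ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="https://sp.example.test/acs">
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>ada@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"
      NotOnOrAfter="2099-01-01T00:00:00Z"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="Email"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="Surname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    # SAML timestamps are UTC ISO 8601 with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, expected_acs, expected_audience, now=None):
    """Return (problems, attributes). An empty problems list means the
    response is addressed to this SP and still valid; attributes holds the
    normalised user fields found in the AttributeStatement."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    # Destination must be the ACS URL this response was actually posted to
    if root.get("Destination") != expected_acs:
        problems.append("Destination is not our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in response"], {}
    # Algorithm as chosen in OneLogin's SSO settings: accept only rsa-sha256
    method = assertion.find(".//ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not rsa-sha256")
    # Audience: the assertion must be intended for this SP, not another one
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience does not name this SP")
    # Recipient on the bearer confirmation must equal the ACS URL
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        problems.append("Recipient does not match the ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _parse_time(scd.get("NotOnOrAfter")):
        problems.append("subject confirmation expired")
    # Validity window on the assertion itself
    conds = assertion.find("saml:Conditions", NS)
    if conds is not None:
        if conds.get("NotBefore") and now < _parse_time(conds.get("NotBefore")):
            problems.append("assertion not yet valid")
        if conds.get("NotOnOrAfter") and now >= _parse_time(conds.get("NotOnOrAfter")):
            problems.append("assertion expired")
    # Map whatever the IdP called the attributes onto the fields the SP needs
    raw = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        raw[attr.get("Name")] = value.text if value is not None else None
    attributes = {}
    for field, aliases in ATTRIBUTE_ALIASES.items():
        found = next((raw[a] for a in aliases if raw.get(a)), None)
        if found is None:
            problems.append("missing attribute for " + field)
        else:
            attributes[field] = found
    return problems, attributes


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "https://sp.example.test/acs",
                            "https://sp.example.test/metadata"))
```

Run it against the sample and the problems list is empty; change the expected audience or ACS URL and the same response is rejected, which is exactly the mismatch you see in SAML Tracer when the Audience, Recipient or ACS values in OneLogin do not match the Authentication Method in Aiven.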
Still having issues? While going through the process, use the SAML Tracer browser extension (https://addons.mozilla.org/firefox/addon/saml-tracer/). The errors shown in there should help you to debug the issue. If it does not work, drop us a message at firstname.lastname@example.org