Start with Aiven

1. Log in to your Aiven account at console.aiven.io

2. Under Projects in the top left, click the drop-down arrow and then See All Accounts

3. Click on the Account you want to edit or create a new one

4. Select your new Account and then select the Authentication tab

5. Create a new Authentication Method, call it OneLogin and then choose the team that invited people will be added to (the default is Account Owners)

Move to OneLogin

Creating the App

1. Log in or create a new account at onelogin.com

2. Enter the Administration portal (top right link by your username)

3. Select Applications and then Add App. Search for SAML Test Connector IdP and choose SAML Test Connector (IdP w/ attr w/ sign response)

4. Change the Display Name to Aiven and add the logo for Krabby if you like. Now click Save

Configuring the App

1. Once it is saved, you should see a `Configuration` link on the left, click it. This is where things get a little different, so let's break down these terms:

- Relay State - This is the URL that the user is redirected back to once they log in

- Audience - This identifies which Service Provider the SAML assertion is intended for

- Recipient - This is the same as the ACS URL; it is carried inside the `Subject` of the SAML assertion

- Assertion Consumer Service (ACS) URL - This is a URL that the SAML Assertion should be sent to

- Single Logout URL - This does exactly what it says, but we do not use it, so leave it blank

2. The relay state is not important for us right now; it just needs to be set. You can set it to console.aiven.io

3. The audience is the metadata URL you find in your Auth Method

4. The recipient is the ACS URL you find in your Auth Method

5. The ACS validator (feel free to modify) should be: `[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)`

6. The ACS / Consumer URL can be found in the settings of the Authentication method we made in the Aiven Console.

Setting the Parameters

Aiven (or any other Service Provider) expects some information to come back that allows us to identify a user and log them in. While SAML is a standardised protocol, it is clear that the implementation varies greatly. How many apps have you worked on where the User has a Surname, or a LastName, or a last_name? Let's tell OneLogin how to work with Aiven.

1. Ignore all the existing parameters, click the blue + button and add email as the Field Name. Select the box to include it in the SAML Assertion and click `Next`.

2. Map the Value to Email and Save

3. Repeat these steps for first_name->First Name and last_name->Last Name

4. Save the changes to your App

Linking to Aiven

1. Click the SSO link on the left and change the signature algorithm to SHA256

2. Make a note of the Issuer URL and SAML 2 HTTP Endpoint for later

3. Click View Details of the certificate and copy the X.509 text or download the file.

4. Switch back to the Aiven Console and go to the Configuration page of your Authentication Method.

5. Scroll down to SAML Config and click Edit

6. The IDP URL is the Issuer URL from OneLogin, so paste that there.

7. The Entity ID is the SAML 2 HTTP Endpoint, so paste that there.

8. Make sure sha256 is selected for the algorithm and paste in the contents of the certificate from OneLogin.

9. Save that and you are good to go! Make sure the Method is enabled; you can then use the Signup URL to invite new people and the Account link for those who already have an Aiven login.

10. Final note: you will need to assign users in OneLogin before the connection will work. If you experience errors, try selecting Reapply Entitlement Mappings under More Actions in the Settings of your OneLogin App.

Still having issues? While going through the process, use the SAML Tracer browser extension (https://addons.mozilla.org/firefox/addon/saml-tracer/). The errors shown there should help you debug the issue. If it still does not work, drop us a message at support@aiven.io
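When SAML Tracer shows a failing login, the usual culprits are the values configured above. As an added example (not from this guide, Aiven or OneLogin), the Python below reads a decoded SAML Response and compares it against what this setup expects: the Audience must be the metadata URL, the Recipient must be the ACS URL, the signature algorithm must be rsa-sha256, and the email, first_name and last_name attributes must be present. The two URLs and the sample response are constructed placeholders; the real values come from your Auth Method.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
REQUIRED_ATTRS = ("email", "first_name", "last_name")  # the parameters mapped in OneLogin
# Placeholders: substitute the metadata URL and ACS URL shown in your Aiven Auth Method.
EXPECTED_AUDIENCE = "https://console.aiven.io/METADATA_URL_FROM_AUTH_METHOD"
EXPECTED_ACS_URL = "https://console.aiven.io/ACS_URL_FROM_AUTH_METHOD"

# Constructed sample (not a real capture) of the response shape SAML Tracer displays;
# it deliberately omits last_name so the check below has something to report.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
        Recipient="{EXPECTED_ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, audience, acs_url):
    """Return the configuration mismatches found in a SAML Response; an empty list means consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    alg = root.find(".//ds:SignatureMethod", NS)  # signature may sit on the Response or the Assertion
    if alg is None or alg.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not rsa-sha256 (SSO tab in OneLogin)")
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != audience:
        problems.append("Audience does not match the metadata URL from the Auth Method")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL from the Auth Method")
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in present:
            problems.append(f"attribute '{name}' missing (Parameters in OneLogin)")
    return problems
```

Paste the decoded Response XML from SAML Tracer into `check_response` together with the two URLs from your Auth Method. This only checks that the configuration values line up; it does not verify the XML signature itself.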
