Start with Aiven
1. Log in to your Aiven account at console.aiven.io
2. Under Projects in the top left, click the drop-down arrow and then See All Accounts
3. Click on the Account you want to edit or create a new one
4. Select your new Account and then select the Authentication tab
5. Create a new Authentication Method, call it Onelogin and then choose the team to add invited people to (default is Account Owners)

Move to Onelogin
Creating the App
1. Log in or create a new account at onelogin.com
2. Enter the Administration portal (top right link by your username)
3. Select Applications and then Add App. Search for SAML Test Connector IdP and choose SAML Test Connector (IdP w/ attr w/ sign response)
4. Change the Display Name to Aiven and add the logo for Krabby if you like. Now click Save
Configuring the App
1. Once it is saved, you should see a `Configuration` link on the left, click it. This is where things get a little different, so let's break down these terms:
- Relay State - This is the URL that you want the user to be redirected back to once they login
- Audience - This is a way of telling which Service Providers the SAML assertion is intended for
- Recipient - This is the same as the ACS URL and is linked to the `Subject` in the SAML assertion
- Assertion Consumer Service (ACS) URL - This is a URL that the SAML Assertion should be sent to
- Single Logout URL - This does exactly what it says but we do not use it so let's leave that blank
2. The relay state is not so important for us now; what matters is that it is set. You can set it to console.aiven.io
3. The audience can be set to the metadata URL you find in your Auth Method
4. The recipient can be set to the ACS URL you find in your Auth Method
5. The ACS validator (feel free to modify) should be: [-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)
6. The ACS / Consumer URL can be found in the settings of the Authentication Method we made in the Aiven Console.

Setting the Parameters
Aiven (or any other Service Provider) expects some information to come back that allows us to identify a user and log them in. While SAML is a standardised protocol, it is clear that the implementation varies greatly. How many apps have you worked on where the User has a Surname, or a LastName, or a last_name? Let's tell OneLogin how to work with Aiven.
1. Ignore all the existing parameters, click the blue + button and add email as the Field Name. Select the box to include it in the SAML Assertion and click `Next`.
2. Map the Value to Email and Save
3. Repeat these steps for first_name -> First Name and last_name -> Last Name
4. Save the changes to your App

Linking to Aiven
1. Click the SSO link on the left and change the signature algorithm to SHA256
2. Make a note of the Issuer URL and SAML 2 HTTP Endpoint for later
3. Click View Details of the certificate and copy the X.509 text or download the file.
4. Switch back to the Aiven Console and go to the Configuration page of your Authentication Method.
5. Scroll down to SAML Config and click Edit
6. The IDP URL is the Issuer URL from Onelogin, so paste that there.
7. The Entity ID is the SAML 2 HTTP Endpoint, so paste that there.
8. Make sure sha256 is selected for the algorithm and paste the contents of the certificate from Onelogin.
9. Save that and you are good to go! Make sure the Method is enabled and you can then use the Signup URL to invite new people and Account link for those that already have an Aiven login.
10. Final note: You will need to assign users in Onelogin before the connection will work. If you experience errors, try selecting Reapply entitlement Mappings under More Actions in the Settings of your Onelogin App.

Still having issues? While going through the process, use the SAML Tracer browser extension (https://addons.mozilla.org/firefox/addon/saml-tracer/). The errors shown in there should help you debug the issue. If it does not work, drop us a message at support@aiven.io
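When a login fails, the usual causes are the values configured above: an Audience that does not match the metadata URL, a Recipient that differs from the ACS URL, a signature still on SHA1, or a missing email / first_name / last_name attribute. The script below is an added example (not code from Aiven or OneLogin) that takes a SAML Response as captured in SAML Tracer and checks it against those settings. The response, the ACS URL and the audience are constructed placeholders; the ACS validator is the regex from the OneLogin step above. The script inspects the XML only and does not verify the XML signature itself.

```python
"""Check a captured SAML Response against the values configured in OneLogin and Aiven.

Reports whether the Audience, Recipient, signature algorithm and the three
mapped attributes (email, first_name, last_name) look right. Added example;
it does not validate the XML signature, only the declared algorithm.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SHA256_SIG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
REQUIRED_ATTRS = ("email", "first_name", "last_name")
# ACS validator from the OneLogin configuration step (searched, not anchored)
ACS_VALIDATOR = re.compile(
    r"[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)"
)

# Constructed placeholder values standing in for the Auth Method's real URLs
ACS_URL = "https://sp.example.com/saml/acs"
EXPECTED_AUDIENCE = "https://sp.example.com/saml/metadata"

# Constructed sample response, not a real capture; last_name is deliberately
# missing and the signature value is a placeholder
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml/metadata/PLACEHOLDER</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, expected_audience, acs_url):
    """Return a dict of named checks for one SAML Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"assertion_present": False}
    results = {"assertion_present": True}

    # Audience must equal the metadata URL entered in OneLogin
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS
    )
    results["audience_ok"] = audience == expected_audience

    # Recipient lives on SubjectConfirmationData and must equal the ACS URL
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    results["recipient_ok"] = recipient == acs_url
    results["acs_matches_validator"] = ACS_VALIDATOR.search(acs_url) is not None

    # The SSO tab should have been switched to SHA256; SHA1 here means it was not
    sig_method = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    alg = sig_method.get("Algorithm", "") if sig_method is not None else ""
    results["sha256_signature"] = alg == SHA256_SIG

    # Collect the mapped parameters and report any that are absent or empty
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else ""
    results["attributes"] = attrs
    results["missing_attributes"] = [n for n in REQUIRED_ATTRS if not attrs.get(n)]
    return results


if __name__ == "__main__":
    for name, value in check_saml_response(SAMPLE_RESPONSE, EXPECTED_AUDIENCE, ACS_URL).items():
        print(f"{name}: {value}")
```

Paste the decoded Response from SAML Tracer in place of the sample and the real metadata and ACS URLs from the Auth Method; a False on audience_ok or recipient_ok, or a name in missing_attributes, points straight at the OneLogin field that needs fixing.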