Start with Aiven

1. Log in to your Aiven account at console.aiven.io

2. Under Projects in the top left, click the drop-down arrow and then on See All Accounts

3. Click on the Account you want to add your authentication method to (or create a new one)

4. Select the Authentication tab

5. Create a new Authentication Method (in this example we will call it Centrify) and then choose the default team to add invited people to

Configure Centrify

Creating the App

1. Log in to your Centrify instance

2. In the Sidebar, select Web Apps under the Apps section and then Add Web Apps. Select the Custom tab when the popup appears, select SAML and click Add.

3. You will be redirected to a new page where you can name your app. Aiven SAML is the name used in this example. Save the app and we will move on to configuration.

Note: If you are not redirected, then close the popup and refresh the page. Select the SAML app that should now be showing in the list

4. Centrify allows for auto configuration but we will be following the Manual Configuration process here. Once you have saved your app, click Trust in the side menu.

5. Under Identity Provider Configuration, select Manual Configuration and expand both the IDP and Certificate. You will need to make a note of the IDP URL and the contents of the certificate file for later.

Setting the Parameters

Aiven (or any other Service Provider) expects some information to come back that allows us to identify a user and log them in. While SAML is a standardised protocol, implementations vary greatly, particularly in how attributes are named. How many apps have you worked on where the User has a Surname, or a LastName, or a last_name? Let's tell Centrify how to work with Aiven.

1. Select the SAML Response option in the side menu

2. Under Attributes, click Add and set the Attribute Name to email and the Attribute Value to LoginUser.Email

3. Save the changes and the setup for Centrify is almost done

Adding Users

Users can be added under the Permissions option in the side menu. Note that the Admin account you are using cannot use this web app, so make sure to create users to test this workflow if you have not already. Using the admin account will fail.

Linking to Aiven

1. Select your Centrify authentication method and make a note of the Metadata and ACS URL for your Centrify settings

2. Configure the SAML settings and set the IDP URL to the Single Sign On URL found in the Trust settings of the SAML app you created in Centrify.

3. The Entity ID is the IDP Entity ID / Issuer also found in the Trust settings.

4. In the Certificate field, copy the contents of the certificate you downloaded (open it with a Text Editor)

Final Steps with Centrify

5. In the Trust settings of your Centrify web app, scroll down to Service Provider configuration and select Manual Configuration

6. Copy the Metadata URL from the Aiven Console to SP Entity ID

7. Optionally, you can set the RelayState to https://console.aiven.io

8. Click Save and the setup is complete

Testing the Process

In the Aiven Console, open the Account link URL in a tab (ideally without sessions for Aiven or Centrify stored in the browser). First, you will need to sign in with your Aiven account and then click Link Profile. There you will log in with your (non-admin) Centrify user. Once you are logged in, you can select Centrify as your authentication method the next time you log in.

If the user does not have an Aiven account, then use the Signup URL instead of Account link URL.

Still having issues? While going through the process, use the SAML Tracer browser extension (https://addons.mozilla.org/firefox/addon/saml-tracer/). The errors shown in there should help you to debug the issue. If it does not work, drop us a message at support@aiven.io
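When debugging with SAML Tracer, the values worth comparing against what you configured above are the Issuer (the IDP Entity ID from the Trust settings), the Destination (the ACS URL from the Aiven Console) and the Name of the attribute Centrify sends (email). The following is an added example, not Aiven or Centrify code, that checks those three fields in a decoded SAML Response; the issuer and ACS URLs and the sample Response are constructed placeholders, and no signature verification is performed.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 protocol and assertion namespaces.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders: use the IDP Entity ID / Issuer from the Centrify
# Trust settings and the ACS URL from the Aiven Console in practice.
EXPECTED_ISSUER = "https://idp.example.invalid/saml/issuer"
EXPECTED_ACS = "https://sp.example.invalid/sso/saml/acs"


def check_saml_response(xml_text, expected_issuer=EXPECTED_ISSUER,
                        expected_acs=EXPECTED_ACS, attr_name="email"):
    """Return the mismatches found (an empty list means the values line up).
    Checks Issuer (IDP Entity ID), Destination (ACS URL) and the presence of
    the attribute the SP expects; it does not verify the XML signature."""
    problems = []
    root = ET.fromstring(xml_text)
    # Issuer appears on the Response and again inside the Assertion; check both.
    for el in root.iter("{%s}Issuer" % NS["saml"]):
        if (el.text or "").strip() != expected_issuer:
            problems.append("issuer mismatch: %r" % el.text)
    if root.get("Destination") != expected_acs:
        problems.append("destination mismatch: %r" % root.get("Destination"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain Assertion element (encrypted or missing)")
        return problems
    names = [a.get("Name") for a in
             assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)]
    if attr_name not in names:
        problems.append("attribute %r missing; IdP sent %r" % (attr_name, names))
    return problems


def sample_response(attr_name="email", acs=EXPECTED_ACS):
    """Constructed, unsigned Response of the shape SAML Tracer shows once decoded."""
    return (
        '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
        'ID="_r1" Version="2.0" Destination="%(acs)s"><saml:Issuer>%(iss)s'
        '</saml:Issuer><saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>'
        "%(iss)s</saml:Issuer><saml:Subject><saml:NameID>alice@example.invalid"
        '</saml:NameID></saml:Subject><saml:AttributeStatement><saml:Attribute '
        'Name="%(attr)s"><saml:AttributeValue>alice@example.invalid'
        "</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    ) % {"samlp": NS["samlp"], "saml": NS["saml"], "acs": acs,
         "iss": EXPECTED_ISSUER, "attr": attr_name}
```

Paste the XML SAML Tracer shows into check_saml_response with your real values; an attribute named Email instead of email is reported as missing, which is the kind of naming mismatch described under Setting the Parameters.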
