Start with Aiven
1. Log in to your Aiven account at console.aiven.io

2. Under Projects in the top left, click the drop-down arrow and then click See All Accounts

3. Click on the Account you want to add your authentication method to (or create a new one)

4. Select the Authentication tab

5. Create a new Authentication Method (in this example we will call it Centrify) and then choose the default team to add invited people to

Configure Centrify
Creating the App
1. Log in to your Centrify instance
2. In the Sidebar, select Web Apps under the Apps section and then Add Web Apps. Select the Custom tab when the popup appears, select SAML and click Add.

3. You will be redirected to a new page where you can name your app. Aiven SAML is the name used in this example. Save the app and we will move on to configuration.
Note: If you are not redirected, close the popup and refresh the page. Select the SAML app that should now be showing in the list.

4. Centrify allows for auto configuration, but we will be following the Manual Configuration process here. Once you have saved your app, click Trust in the side menu.

5. Under Identity Provider Configuration, select Manual Configuration and expand both the IDP and Certificate. You will need to make a note of the IDP URL and the contents of the certificate file for later.
Setting the Parameters
Aiven (or any other Service Provider) expects some information to come back that allows us to identify a user and log them in. While SAML is a standardised protocol, it is clear that the implementation varies greatly. How many apps have you worked on where the User has a Surname, or a LastName, or a last_name? Let's tell Centrify how to work with Aiven.
1. Select the SAML Response option in the side menu
2. Under Attributes, click Add and set the Attribute Name to email and the Attribute Value to LoginUser.Email
3. Save the changes and the setup for Centrify is almost done

Adding Users
Users can be added under the Permissions option in the side menu. Note that the Admin account you are using cannot use this web app, so make sure to create users to test this workflow, if you have not already. Using the admin account will fail.
Linking to Aiven
1. Select your Centrify authentication method and make a note of the Metadata and ACS URL for your Centrify settings
2. Configure the SAML settings and set the IDP URL to the Single Sign On URL found in the Trust settings of the SAML app you created in Centrify.
3. The Entity ID is the IDP Entity ID / Issuer also found in the Trust settings.
4. In the Certificate field, copy the contents of the certificate you downloaded (open it with a Text Editor)

Final Steps with Centrify
5. In the Trust settings of your Centrify web app, scroll down to Service Provider configuration and select Manual Configuration
6. Copy the Metadata URL from the Aiven Console to SP Entity ID
7. Optionally, you can set the RelayState to https://console.aiven.io
8. Click Save and the setup is complete
Testing the Process

In the Aiven Console, open the Account link URL in a tab (ideally without sessions for Aiven or Centrify stored in the browser). First, you will need to sign in with your Aiven account and then click Link Profile. There you will log in with your (non-admin) Centrify user. Once you are logged in, you can select Centrify as your authentication method next time you log in.
If the user does not have an Aiven account, then use the Signup URL instead of the Account link URL.

Still having issues? While going through the process, use the SAML Tracer browser extension (https://addons.mozilla.org/firefox/addon/saml-tracer/). The errors shown in there should help you to debug the issue. If it does not work, drop us a message at support@aiven.io
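A check you can run on a response captured with SAML Tracer, given here as an added example and not as Aiven or Centrify code: it takes the base64 value of the SAMLResponse POST parameter and reports whether the Issuer, Audience and email attribute match what the steps above configure. The function names, the exact case-sensitive match on the attribute name and the example.com-style URLs are assumptions of this example; it does not verify the signature and does not handle encrypted assertions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_response(b64_response, idp_entity_id, sp_entity_id):
    """List configuration problems in a captured SAMLResponse (no signature check)."""
    # Only feed this responses from your own IdP: the stdlib XML parser is
    # not hardened against hostile XML.
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # Issuer should equal the IDP Entity ID / Issuer from the Centrify Trust settings.
    issuer = root.findtext(".//saml:Assertion/saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"issuer mismatch: {issuer!r}")
    # Audience should equal the SP Entity ID (the Metadata URL copied from Aiven).
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"audience mismatch: {audiences!r}")
    # Assumption of this example: the attribute name must be exactly 'email'.
    attrs = {a.get("Name", ""): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    if "email" not in attrs:
        problems.append(f"no 'email' attribute, found {sorted(attrs)!r}")
    elif not any("@" in v for v in attrs["email"]):
        problems.append("'email' attribute has no address value")
    return problems

def sample_response(attr_name):
    """Constructed, unsigned response using placeholder URLs (not real endpoints)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>https://idp.example/issuer</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{attr_name}">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for name in ("email", "Email"):
        print(name, check_response(sample_response(name),
                                   "https://idp.example/issuer", "https://sp.example/metadata"))
```

Replace the placeholder Issuer and Audience arguments with the IDP Entity ID / Issuer from the Centrify Trust settings and the Metadata URL from the Aiven Console.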