Set up SAML with Microsoft Azure Active Directory
SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between an identity provider and a service provider. To read more about SAML, check the dedicated page.
The following is the procedure to set up SAML with Microsoft Azure Active Directory.
Prerequisite steps in Aiven
1. Log in to the Aiven Console
2. Under Projects in the top left, click the drop-down arrow and then See All Accounts
3. Click on the Account you want to edit, or create a new one
4. Select the Authentication tab
5. Create a new Authentication Method, call it Active Directory (or similar), and then choose the team to add invited people to (or leave it blank)
Setup on Microsoft Azure
Log in to Microsoft Azure
Navigate to Enterprise applications, either by using the tiles or the search bar
Use the left column navigation to go to All applications and click New application
Use the Add from the gallery search bar to search for and select the Azure AD SAML Toolkit
Note
You can use anything you like for the App name, such as Aiven SAML
Click the Add button
Use the navigation to go back to the Enterprise applications list
Warning
The newly created application might not be visible yet. In this case, select the All applications filter and apply it to see the new application in the list.
Click on the new application name (for example Aiven SAML) to enter the configuration
Navigate to the Single sign-on configuration using the left column
Select SAML when asked to select a single sign-on method
Edit the Basic SAML Configuration settings with the following data:
Parameter | Value
---|---
|
|
|
|
|
|
Once edited, click Save at the top of the editing area
Edit the User Attributes & Claims section
Click Add a new claim and create an attribute with the following data:
Parameter | Value
---|---
|
|
|
Select |
|
|
Download the Certificate (Base64) from the SAML Signing Certificate section
Assign the users who should be able to use this login method: use the left column navigation to go to Users and groups and click Add user at the top of the list
Select the users who will be able to log in to Aiven with your Microsoft Azure Active Directory and click the Assign button at the bottom of the page when you're done
Finish the configuration in Aiven
The data you need to finish the setup in Aiven is found in the Single sign-on settings, in the Set up Aiven SAML section.
In the Aiven Console, edit your authentication method and:
Set the SAML IDP URL to the Login URL from Microsoft Azure
Set the SAML Entity ID to the Azure AD Identifier from Microsoft Azure
Paste the certificate you downloaded earlier into SAML Certificate
Click on Save
Make sure the authentication method is enabled, then use the:
Signup URL to invite new people
Account link URL for people already having an Aiven login
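The three values above can also be read from the federation metadata document that Azure AD publishes for the enterprise application, which is handy when you want to script the hand-over or double-check what you pasted. The following is an added example, not Aiven's or Microsoft's own tooling; it assumes the metadata is a standard SAML 2.0 EntityDescriptor and uses a constructed sample with a placeholder tenant id and placeholder certificate bytes. `certificate_matches` is a sanity check that the Certificate (Base64) file you downloaded is the one the identity provider currently advertises.

```python
"""Pull the three values Aiven's authentication method asks for (SAML IDP URL,
SAML Entity ID, SAML Certificate) out of an Azure AD federation metadata document.
Example code added to this guide; not Aiven's or Microsoft's own tooling.
Assumption: the metadata is the standard SAML 2.0 EntityDescriptor that Azure
publishes for an enterprise application.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample, trimmed to the elements read below. Real Azure metadata is
# signed and longer; the tenant id and certificate bytes here are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVI=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(cert_b64: str) -> str:
    """Wrap the bare base64 DER blob from the metadata as a PEM block, the format
    of Azure's "Certificate (Base64)" download."""
    raw = "".join(cert_b64.split())
    base64.b64decode(raw, validate=True)  # fail early on a corrupted blob
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def certificate_matches(pem: str, cert_b64: str) -> bool:
    """True if a downloaded PEM file carries the same certificate the metadata
    advertises (catches pasting a stale certificate or one from another tenant)."""
    pem_body = "".join(
        line.strip() for line in pem.splitlines() if not line.startswith("-----")
    )
    return pem_body == "".join(cert_b64.split())


def extract_aiven_settings(metadata_xml: str) -> dict:
    """Return the values to paste into the Aiven authentication method."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")  # -> Aiven "SAML Entity ID" (Azure AD Identifier)
    sso = root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    login_url = next(  # -> Aiven "SAML IDP URL" (Azure "Login URL")
        (s.get("Location") for s in sso if s.get("Binding") == REDIRECT_BINDING), None
    )
    cert_b64 = root.findtext(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        namespaces=NS,
    )
    if not (entity_id and login_url and cert_b64):
        raise ValueError("metadata lacks entityID, redirect SSO URL or signing certificate")
    return {
        "saml_idp_url": login_url,
        "saml_entity_id": entity_id,
        "saml_certificate": to_pem(cert_b64),
    }


if __name__ == "__main__":
    for key, value in extract_aiven_settings(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

Feed the script the real metadata instead of `SAMPLE_METADATA` and compare its output with what you typed into the Aiven Console; a mismatch in the Entity ID or certificate is the usual reason an otherwise correct setup rejects every login.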
Troubleshooting
Contact your administrator
If you get an error message telling you to “contact your administrator”, check the following:
Navigate to the Microsoft Azure Active Directory user profile for the affected users
Check whether the Contact Info => Email field is populated or blank
If it is blank, there are two possible solutions:
If the Identity => User Principal Name field is an email address, change the User Attributes & Claims to email = user.userprincipalname and try the login/registration flows again.
If all user accounts have the Contact Info => Alternate email field populated, change the User Attributes & Claims to email = user.othermail.
If you still have login issues, you can use the SAML Tracer browser extension to check the process step by step. The errors shown in the tracer should help you debug the issue. If that does not work, you can request help by sending an email to support@Aiven.io.
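What you are looking for in SAML Tracer is whether the assertion Azure sends actually carries a non-empty `email` claim and comes from the issuer you configured as the SAML Entity ID. The check below is an added example, not Aiven's or Microsoft's code, that performs the same inspection on a decoded SAMLResponse; the sample responses are constructed and unsigned, the tenant id is a placeholder, and the claim name `email` is taken from the troubleshooting steps above. It does not verify the XML signature, so treat it as a diagnostic aid, not as something to base an authentication decision on.

```python
"""Diagnose a decoded SAML Response for the claims Aiven's login needs.
Example code added to this guide (not Aiven's or Microsoft's code). It mirrors
the manual check done in SAML Tracer: is the `email` attribute present and
non-empty, and does the Issuer match the SAML Entity ID configured in Aiven?
No signature verification is performed here.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Placeholder tenant id; use the Azure AD Identifier from your own tenant.
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"


def _response(attrs_xml: str) -> str:
    """Build a constructed, unsigned, condensed samlp:Response around the given
    Attribute elements (real responses carry Status, Subject, Conditions, ...)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:AttributeStatement>{attrs_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed samples: a working claim, the claim emitted with an empty value
# (the user's Email field is blank, the "contact your administrator" case), and
# a response where the claim was never configured.
GOOD = _response('<saml:Attribute Name="email">'
                 '<saml:AttributeValue>alice@example.com</saml:AttributeValue>'
                 '</saml:Attribute>')
BLANK_EMAIL = _response('<saml:Attribute Name="email"><saml:AttributeValue/></saml:Attribute>')
MISSING_CLAIM = _response('')


def encode_for_post(response_xml: str) -> str:
    """The form in which the browser posts the response in the SAMLResponse field."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def decode_saml_response(b64: str) -> str:
    """Reverse of encode_for_post: what SAML Tracer shows you after decoding."""
    return base64.b64decode(b64).decode("utf-8")


def diagnose(response_xml: str, expected_issuer: str = EXPECTED_ISSUER) -> list:
    """Return a list of problems found; an empty list means the claims look right."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["document is not a samlp:Response"]
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} does not match the SAML Entity ID configured in Aiven")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        problems.append("no Assertion element (response may be encrypted or carry a failure Status)")
        return problems
    for assertion in assertions:
        attrs = assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
        email = next((a for a in attrs if a.get("Name") == "email"), None)
        if email is None:
            problems.append("no claim named 'email'; add it under User Attributes & Claims")
            continue
        value = (email.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
        if not value:
            problems.append("claim 'email' is present but empty; its source attribute is blank for this user")
    return problems


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("blank", BLANK_EMAIL), ("missing", MISSING_CLAIM)):
        print(name, diagnose(decode_saml_response(encode_for_post(sample))) or "OK")
```

Paste the base64 SAMLResponse from SAML Tracer into `decode_saml_response` and run `diagnose` on the result: an empty claim points at the blank Contact Info => Email field and the user.userprincipalname / user.othermail remedies above, while a missing claim means the attribute was never added in User Attributes & Claims.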