Set up SAML authentication with Okta#
SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between an identity provider and a service provider. To read more about SAML, check the dedicated page.
The following is the procedure to set up SAML with Okta.
Prerequisite steps in Aiven#
1. Log in to the Aiven Console
2. Under Projects in the top left, click the drop-down arrow and then See All Accounts
3. Click on the Account you want to edit or create a new one
4. Select the Authentication tab
5. Create a new Authentication Method, call it Okta (or similar) and then choose the team to add invited people to (or leave it blank)
Setup on Okta#
This is a two-step process. We will first create the SAML SP-initiated authentication flow, then create a bookmark app that will redirect to the Aiven Console's login page.
Log in to the Admin portal and navigate to the Applications tab. Click on the Create a new app integration button. You should see the Create SAML Integration form.
Select SAML 2.0 for the Sign on method, then click Next.
Give the app a name (e.g. "Aiven SAML"), a logo and set its visibility for your Okta users, then click Next.
Edit the app configuration, setting the following values:
Single sign on URL
Audience URI (SP Entity ID)
Default RelayState:
    https://console.aiven.io/ when using the Aiven Console
    https://console.gcp.aiven.io/ when using Aiven GCP Marketplace Console
    https://console.aws.aiven.io/ when using Aiven AWS Marketplace Console
Default RelayState is the homepage of the Aiven Console and is fundamental for IdP-initiated sign-on to function correctly.
The Single sign on URL and Audience URI (SP Entity ID) values are visible in the Aiven Console on the newly created Authentication method page.
The Attribute statements should have an entry with:
Click Finish. You will be redirected to your application in Okta.
Once the application is created, collect the application data to finish the setup in the Aiven Console. The application data can be found in the Sign On tab of the application on Okta, after clicking View Setup Instructions.
The information required to finalize the setup of Okta with Aiven is the following:
Identity Provider Single Sign-On URL
Identity Provider Issuer
Assign users to the Okta application#
For your users to be able to log in using SAML, you need to assign them to the Okta application you just created. To do that, go to the tab of the application. Then click on the Assign drop-down button and assign individual users or groups to the application.
New users need to be assigned to the Aiven application in Okta for the login to be successful.
Finish the configuration in Aiven#
Navigate to the Aiven Console and finalize the configuration on the Authentication method page by setting the following parameters for the new authentication method:
Turn on Enable IdP login and Enable authentication method before clicking Edit Method to save the settings.
Use the Account Link URL on the authentication configuration page to link your Okta account and Aiven profile. You can also invite other members of your team to log in or sign up to Aiven using Okta via the Signup link shown on the Authentication method page.
When launching the Aiven SAML application, you get the following error:
Authentication Failed Login failed. Please contact your account administrator for more details.
In the Aiven Console, check that Enable IdP login and Enable authentication method are both enabled for the Okta authentication method.
If you get the Invalid RelayState error, then you are attempting an IdP-initiated auth flow, for example by clicking the Aiven SAML app from the Okta UI. Previously, Aiven did not support IdP-initiated flows, but now it is possible if you set the Default RelayState in Okta to the corresponding console of your account, as defined in the Setup on Okta section.
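To confirm which flow a failing login used, copy the SAMLResponse and RelayState form fields of the POST sent to the Single sign on URL from the browser's developer tools and inspect them. The Python sketch below is an added example, not Aiven or Okta code: the function names are hypothetical, the sample response is constructed, and it only classifies the message without verifying its signature.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Default RelayState values listed on this page, one per Aiven console.
CONSOLES = {
    "https://console.aiven.io/",
    "https://console.gcp.aiven.io/",
    "https://console.aws.aiven.io/",
}


def diagnose_post(saml_response_b64, relay_state):
    """Classify a captured SAMLResponse POST and flag RelayState problems."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML response; refusing to parse")
    root = ET.fromstring(xml)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a SAML 2.0 Response")
    # A response to an SP-initiated AuthnRequest carries InResponseTo;
    # an unsolicited (IdP-initiated) response does not.
    idp_initiated = root.get("InResponseTo") is None
    findings = []
    if idp_initiated and not relay_state:
        findings.append("empty RelayState: set Default RelayState in Okta")
    elif idp_initiated and relay_state not in CONSOLES:
        # Exact string match against the page's values is an assumption.
        findings.append("RelayState %r is not a listed console URL" % relay_state)
    flow = "idp-initiated" if idp_initiated else "sp-initiated"
    return {"flow": flow, "findings": findings}


def sample_response(in_response_to=None):
    """Constructed, unsigned sample Response (not real Okta output)."""
    attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    xml = '<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0"%s/>' % (SAMLP, attr)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(diagnose_post(sample_response(), ""))                           # app tile, no RelayState
    print(diagnose_post(sample_response(), "https://console.aiven.io/"))  # app tile, fixed
    print(diagnose_post(sample_response("_req1"), "opaque-sp-value"))     # started at Aiven
```

An `idp-initiated` result with a finding matches the Invalid RelayState case described above; an `sp-initiated` result means the login started from the Aiven Console and the RelayState was set by Aiven, so it is not checked.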
The Okta password does not work#
Make sure to use the Account Link URL to add the Okta Authentication method to your Aiven profile.
Once linked, you should get the choice of multiple sign-in methods as well as see the other Authentication method in User Information -> Authentication section on the Aiven Console.