Add Okta as an identity provider
Use Okta to give your organization users single sign-on (SSO) access to Aiven.
Prerequisite steps in Aiven Console
Add Okta as an identity provider in the Console.
Configure SAML on Okta
Create the SAML SP-Initiated authentication flow and create a bookmark app that will redirect to the Aiven Console's login page:

- Log in to the Okta administrator console.
- Go to the Applications tab.
- Click Create a new app integration.
- Select SAML 1.0 for the Sign on method and click Next.
- Enter a name for the app and add a logo.
- Set its visibility for your Okta users and click Next.
- Set the following values in the app configuration:

  | Parameter | Value |
  |---|---|
  | Single sign on URL | ACS URL |
  | Audience URI (SP Entity Id) | Metadata URL |
  | Default RelayState | `https://console.aiven.io/` when using the Aiven Console; `https://console.gcp.aiven.io/` when using the Aiven GCP Marketplace Console; `https://console.aws.aiven.io/` when using the Aiven AWS Marketplace Console |

  Important: The Default RelayState is the homepage of the Aiven Console and is fundamental for IdP-initiated sign on to function correctly.
- Add an entry to Attribute statements with:

  | Parameter | Value |
  |---|---|
  | name | email |
  | value | user.email |
- Click Next and click Finish. You are redirected to your application in Okta.
- Click View Setup Instructions for the application.
- Go to the Sign On tab and copy the application data to be used in the final configuration in Aiven:
  - Identity Provider Single Sign-On URL
  - Identity Provider Issuer
  - X.509 Certificate
- Go to the Assignments tab.
- Click Assign to assign users or groups to the Okta application.

New users need to be assigned to the Aiven application in Okta for the login to be successful.
Finish the configuration in Aiven
Go back to the Aiven Console to configure the IdP and complete the setup.
Troubleshooting
Authentication failed
When launching the Aiven SAML application, you get the following error:
Authentication Failed
Login failed. Please contact your account administrator for more details.
Ensure IdP initiated login is enabled.
Invalid RelayState
The Invalid RelayState error means you are attempting an IdP-initiated auth flow. This happens, for example, when you click the Aiven SAML app in Okta. Set the Default RelayState in Okta to the corresponding console of your account as defined in the Configure SAML on Okta section.
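As an added illustration (not code from the Aiven docs or from Okta), a small Python check that mirrors the app configuration table in the Configure SAML on Okta section and the Invalid RelayState troubleshooting: it verifies that a RelayState is one of the three console homepages and that a decoded SAML response carries the expected Audience and the email attribute statement. The SP entity id and the sample response are constructed placeholders; the XML signature check is assumed to happen elsewhere at the SP.

```python
import xml.etree.ElementTree as ET

# Console homepages the configuration table lists as valid Default RelayState values.
ALLOWED_RELAY_STATES = {
    "https://console.aiven.io/",
    "https://console.gcp.aiven.io/",
    "https://console.aws.aiven.io/",
}
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_relay_state(relay_state):
    """Return problems with the RelayState carried by an IdP-initiated POST."""
    if not relay_state:
        return ["RelayState is empty: set Default RelayState in Okta to your console homepage"]
    if relay_state not in ALLOWED_RELAY_STATES:
        return [f"RelayState {relay_state!r} is not one of {sorted(ALLOWED_RELAY_STATES)}"]
    return []


def check_assertion(response_xml, expected_audience):
    """Check the Audience and the 'email' attribute of a base64-decoded SAML response.
    Only the XML content is inspected; the XML signature check belongs to the SP."""
    root = ET.fromstring(response_xml)
    problems = []
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not match SP entity id {expected_audience!r}")
    path = ".//saml:Attribute[@Name='email']/saml:AttributeValue"
    emails = [v.text for v in root.iterfind(path, NS)]
    if not emails:
        problems.append("no 'email' attribute statement (Okta: name=email, value=user.email)")
    return problems


# Constructed sample response (not a real capture); the SP entity id is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.invalid/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_relay_state(""))
    print(check_assertion(SAMPLE_RESPONSE, "https://sp.example.invalid/metadata"))
```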
The Okta password does not work
Make sure to use the Account Link URL to add the Okta IdP to your Aiven user account. You can list the authentication methods in User information > Authentication.