Skip to main content

Add Okta as an identity provider

Use Okta to give your organization users single sign-on (SSO) access to Aiven.

Prerequisite steps in Aiven Console

Add Okta as an identity provider in the Console.

Configure SAML on Okta

Create the SAML SP-Initiated authentication flow and create a bookmark app that will redirect to the Aiven Console's login page:

  1. Log in to the Okta administrator console.

  2. Go to the Applications tab.

  3. Click Create a new app integration.

  4. Select SAML 1.0 for the Sign on method and click Next.

  5. Enter a name for the app and add a logo.

  6. Set its visibility for your Okta users and click Next.

  7. Set the following values in the app configuration:

    ParameterValue
    Single sign on URLACS URL
    AudienceURI (SPEntityId)Metadata URL
    Default RelayState
    important

    The Default RelayState is the homepage of the Aiven Console and is fundamental for IdP initiated sign on to function correctly.

  8. Add an entry to Attribute statements with:

    ParameterValue
    nameemail
    valueuser.email
  9. Click Next and click Finish. You are redirected to your application in Okta.

  10. Click the View Setup Instructions for the application.

  11. Go to the Sign On tab and copy the application data to be used in the final configuration in Aiven:

    • Identity Provider Signle Sign-On URL
    • Identity Provider Issuer
    • X.509 Certificate
  12. Go to the Assignments tab.

  13. Click Assign to assign users or groups to the Okta application.

note

New users need to be assigned to the Aiven application in Okta for the login to be successful.

Finish the configuration in Aiven

Go back to the Aiven Console to configure the IdP and complete the setup.

Troubleshooting

Authentication failed

When launching the Aiven SAML application, you get the following error:

Authentication Failed
Login failed. Please contact your account administrator for more details.

Ensure IdP initiated login is enabled.

Invalid RelayState

The Invalid RelayState error means you are attempting an IdP-initiated auth flow. This happens, for example, when you click the Aiven SAML app in Okta.

Set the Default RelayState in Okta to the corresponding console of your account as defined in the Configure SAML on Okta section.

The Okta password does not work

Make sure to use the Account Link URL to add the Okta IdP to your Aiven user account. You can list the authentication methods in User information > Authentication.