Add Okta as an identity provider#

Use Okta to give your organization users single sign-on (SSO) access to Aiven.

Prerequisite steps in Aiven Console#

Add Okta as an identity provider in the Aiven Console. The Console shows you the ACS URL and the Metadata URL, both of which you enter into the Okta app configuration below.

Configure SAML on Okta#

This is a two-step process: first you create the SAML SP-initiated authentication flow, then you create a bookmark app that redirects to the Aiven Console's login page.

  1. Log in to the Okta administrator console.

  2. Go to the Applications tab.

  3. Click Create a new app integration.

  4. Select SAML 2.0 for the Sign on method, then click Next.

  5. Enter a name for the app and add a logo.

  6. Set its visibility for your Okta users and click Next.

  7. Set the following values in the app configuration:

    Single sign on URL: the ACS URL (shown in the Aiven Console when you add the identity provider)

    Audience URI (SP Entity ID): the Metadata URL (shown in the Aiven Console alongside the ACS URL)

    Default RelayState, depending on which console your account uses:

      https://console.aiven.io/ when using the Aiven Console

      https://console.gcp.aiven.io/ when using the Aiven GCP Marketplace Console

      https://console.aws.aiven.io/ when using the Aiven AWS Marketplace Console

    Important

    The Default RelayState is the homepage of the Aiven Console and is required for IdP-initiated sign-on to work correctly. Use the URL exactly as listed above for your console.

  8. Add an entry to Attribute statements with:

    name: email

    value: user.email

  9. Click Next and then click Finish. You are redirected to your application in Okta.

  10. Click View Setup Instructions for the application.

  11. Go to the Sign On tab and copy the application data to be used in the final configuration in Aiven:

    • Identity Provider Single Sign-On URL

    • Identity Provider Issuer

    • X.509 Certificate

    Aiven uses this certificate to verify the signature on the SAML responses Okta sends, so copy it exactly as shown. If you later rotate the app's signing certificate in Okta, update it in Aiven as well, or Aiven can no longer verify Okta's responses.

  12. Go to the Assignments tab.

  13. Click Assign to assign users or groups to the Okta application.

Note

New users need to be assigned to the Aiven application in Okta for the login to be successful.

Finish the configuration in Aiven#

Go back to the Aiven Console to configure the IdP and complete the setup.

Troubleshooting#

Authentication failed#

When launching the Aiven SAML application, you get the following error:

Authentication Failed

Login failed.  Please contact your account administrator for more details.

Check that IdP-initiated login is enabled for the Okta identity provider in Aiven.

Invalid RelayState#

If you get the Invalid RelayState error, you are attempting an IdP-initiated authentication flow, for example by clicking the Aiven SAML app in Okta, and the Default RelayState in Okta is missing or points at the wrong console. Set the Default RelayState in Okta to the console URL for your account, as listed in the Configure SAML on Okta section.

The Okta password does not work#

Make sure you used the Account Link URL to add the Okta IdP to your Aiven user account. The authentication methods linked to your account are listed under User information > Authentication.