Add Okta as an identity provider

Use Okta to give your organization users single sign-on (SSO) access to Aiven using SAML. Aiven also supports user provisioning for Okta with SCIM.

Supported features

• Identity provider (IdP) initiated SSO
• Service provider (SP) initiated SSO

For more information on the listed features, visit the Okta Glossary.

Step 1: Add the IdP in the Aiven Console

1. In the organization, click Admin.
2. Click Identity providers .
3. Click Add identity provider.
4. Select an identity provider and enter a name.
5. Select a verified domain to link this IdP to. Users see linked IdPs on the login page.

On the Configuration step are two parameters that you use to set up the SAML authentication in your IdP:

• Metadata URL
• ACS URL

Step 2: Configure SAML on Okta

1. In the Okta administrator console, go to Applications > Applications.
2. Click Browse App Catalog.
3. Search for and open the Aiven app.
4. Click Add Integration and Done.
5. On the Sign On tab, click Edit.
6. In the Advanced Sign-on Settings set the Metadata URL and ACS URL to the URLs copied from the Aiven Console.
7. Set the Default Relay State for the console you use:
   • For the Aiven Console: https://console.aiven.io
   • For the Aiven GCP Marketplace Console: https://console.gcp.aiven.io/
   • For the Aiven AWS Marketplace Console: https://console.aws.aiven.io/
8. Click Save.
9. In the SAML 2.0 section, click More details.
10. Copy the Sign on URL, Issuer, and the Signing Certificate. You'll use these to configure the IdP in Aiven.

Step 3: Finish the configuration in Aiven

Go back to the Aiven Console to complete setting up the IdP. If you saved your IdP as a draft, you can open the settings by clicking the name of the IdP.

1. In the IDP URL field, enter the Sign on URL from Okta.
2. In the Entity ID field, enter the Issuer from Okta.

3. Paste the certificate from the IdP into the Certificate field.

4. Click Next.

5. Configure the security options for this IdP and click Next.

   • Require authentication context: This lets the IdP enforce stricter security measures to help prevent unauthorized access, such as requiring multi-factor authentication.

   • Require assertion to be signed: The IdP checks for a digital signature. This security measure ensures the integrity and authenticity of the assertions by verifying that they were issued by a trusted party and have not been tampered with.

   • Sign authorization request sent to IdP: A digital signature is added to the request to verify its authenticity and integrity.

   • Extend active sessions: This resets the session duration every time the token is used.

   • Enable group syncing: This syncs the group membership from your IdP to the Aiven Platform.

     note

     • The Aiven Platform doesn't create groups with this feature. It only syncs the group membership between the groups in your IdP and the groups you create in Aiven. For user group provisioning, use SCIM.
     • User group membership automatically syncs when a user logs in.
     • The IdP is the single source of truth. If a group in the IdP doesn't exist in Aiven, it will be ignored. Likewise, if a user is added to a group in Aiven Console but not in the IdP, they will be removed from the Aiven group when the group membership syncs.

6. Optional: Select a user group to add all users who sign up with this IdP to.

7. Click Finish to complete the setup.

note

If you set up a SAML authentication method before and are now switching to a new IdP, existing users need to log in with the new account link URL to finish the setup.

Step 4: Optional: Configure user provisioning

You can automate user provisioning with Okta through System for Cross-domain Identity Management (SCIM). This means you can manage your users and their profiles in one place, Okta, and push those changes to the Aiven platform.

Aiven's integration with Okta supports these features:

• Push new users: Users created in Okta are automatically created as managed users in Aiven.
• Push profile updates: User profile updates in Okta are pushed to Aiven. Profiles for these users cannot be changed in Aiven.
• Push user deactivation: Users that are deactivated or removed in Okta are deactivated in Aiven. You can manually delete users in Aiven after they are deactivated.
• Push groups: Groups created or updated in Okta are created and updated in Aiven.
• Sync passwords: Automatically synchronizes users' Aiven passwords with their Okta passwords.

To configure user provisioning for Okta:

1. In Okta, click Applications and go to the Aiven application.
2. Click Provisioning.
3. Click Settings > Integration > Configure API Integration.
4. Select Enable API Integration.
5. In the Base URL field, paste the Base URL from the Aiven Console.
6. In the API Token field, paste the Access token from the Aiven Console.
7. Click Test API Credentials to confirm the connection is working and save the configuration.
   important

   Don't enable Import Groups. Aiven groups that aren't managed by SCIM cannot be imported to Okta.

8. Click Save.
9. Optional: On the Provisioning tab, click Edit to enable provisioning settings.
   Recommended settings

   Set the following for centralized and secure user management:

   • Enable Create users
   • Disable Set password when creating new users
   • Enable Update user attributes
   • Enable Deactivate users
   • Disable Sync password
10. Click Save.
11. Click Sign On.
12. In the Credentials Details section, for the Application username format select Email.
13. Click Save.

Related pages

• Troubleshooting for SAML IdPs