Skip to main content

Add Microsoft Azure Active Directory as an identity provider

Use Microsoft Azure Active Directory (AD) to give your organization users single sign-on (SSO) access to Aiven.

Prerequisite steps in Aiven Console

Add Azure as an identity provider in the Console.

Configure SAML on Microsoft Azure

Set up an Azure application

  1. Log in to Microsoft Azure.

  2. Got to Enterprise applications.

  3. Select All applications.

  4. Click New application.

  5. Select the Add from the gallery search bar and use the Azure AD SAML Toolkit.

  6. Click Add.

  7. Go back to the Enterprise applications list.


    The newly created application might not be visible yet. You can use the All applications filter to see the new application.

  8. Click the name of the new application. The configuration opens.

  9. Select Single sign-on configuration.

  10. Select SAML as the single sign-on method.

  11. Add the following parameters to the Basic SAML Configuration:

    Identifier (Entity ID){account_id}/method/{account_authentication_method_id}/metadata
    Reply URL (Assertion Consumer Service URL){account_id}/method/{account_authentication_method_id}/acs
    Sign on URL
  12. Click Save.

Create a claim and add users

  1. In the User Attributes & Claims, click Add a new claim.

  2. Create an attribute with the following data:

    Source Attributeuser.mail
  3. Download the Certificate (Base64) from the SAML Signing Certificate section.

  4. Go to Users and groups and click Add user.

  5. Select the users that will use Azure AD to log in to Aiven.

  6. Click Assign.

Finish the configuration in Aiven

Go back to the Aiven Console to configure the IdP and complete the setup.


If you get an error message suggesting you contact your administrator, try these steps:

  1. Go to the Microsoft Azure AD user profile for the users.
  2. In Contact Info, check whether the Email field is blank.

If it is blank, there are two possible solutions:

  • In User Principal Name, if the Identity field is an email address, try changing the User Attributes & Claims to email = user.userprincipalname.
  • In Contact Info, if none of the Alternate email fields are blank, try changing the User Attributes & Claims to email = user.othermail.

If you still have login issues, you can use the SAML Tracer browser extension to check the process step by step. If this doesn't work, get in touch with our support team at