Add Microsoft Azure Active Directory as an identity provider

Use Microsoft Azure Active Directory (AD) to give your organization users single sign-on (SSO) access to Aiven.

Step 1: Add the IdP in the Aiven Console

1. In the organization, click Admin.
2. Click Identity providers.
3. Click Add identity provider.
4. Select an identity provider and enter a name.
5. Select a verified domain to link this IdP to. Users see linked IdPs on the login page.

On the Configuration step are two parameters that you use to set up the SAML authentication in your IdP:

• Metadata URL
• ACS URL

Step 2: Configure SAML on Microsoft Azure

Set up an Azure application

1. Log in to Microsoft Azure.

2. Go to Enterprise applications.

3. Click All applications.

4. Click New application.

5. Click the Add from the gallery search bar and use the Azure AD SAML Toolkit.

6. Click Add.

7. Go back to the Enterprise applications list.

   note

   The newly created application might not be visible. You can use the All applications filter to see the new application.

8. Click the name of the new application.

9. Click Single sign-on.

10. Select SAML as the single sign-on method.

11. Add the following parameters to the Basic SAML Configuration:

    Parameter	Value
    Identifier (Entity ID)	https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{account_authentication_method_id}/metadata
    Reply URL (Assertion Consumer Service URL)	https://api.aiven.io/v1/sso/saml/account/{account_id}/method/{account_authentication_method_id}/acs
    Sign on URL	https://console.aiven.io

12. Click Save.

Create a claim and add users

1. In the User Attributes & Claims, click Add a new claim.

2. Create an attribute with the following:

   Parameter	Value
   Name	email
   Source	Attribute
   Source Attribute	user.mail

3. Download the Certificate (Base64) from the SAML Signing Certificate section.

4. Go to Users and groups and click Add user.

5. Select the users that will use Azure AD to log in to Aiven.

6. Click Assign.

Step 3: Finish the configuration in Aiven

Go back to the Aiven Console to complete setting up the IdP. If you saved your IdP as a draft, you can open the settings by clicking the name of the IdP.

1. In the IDP URL field, enter the Login URL from Azure.
2. In the Entity ID field, enter the Azure AD Identifier from Azure.

3. Paste the certificate from the IdP into the Certificate field.

4. Optional: Paste or upload a JSON file with configuration details for your IdP.

5. Click Next.

6. Configure the security options for this IdP and click Next.

   • Require authentication context: This lets the IdP enforce stricter security measures to help prevent unauthorized access, such as requiring multi-factor authentication.

   • Require assertion to be signed: The IdP checks for a digital signature. This security measure ensures the integrity and authenticity of the assertions by verifying that they were issued by a trusted party and have not been tampered with.

   • Sign authorization request sent to IdP: A digital signature is added to the request to verify its authenticity and integrity.

   • Extend active sessions: This resets the session duration every time the token is used.

   • Enable group syncing: This syncs the group membership from your IdP to the Aiven Platform.

     note

     • The Aiven Platform doesn't create groups with this feature. It only syncs the group membership between the groups in your IdP and the groups you create in Aiven. For user group provisioning, use SCIM.
     • User group membership automatically syncs when a user logs in.
     • The IdP is the single source of truth. If a group in the IdP doesn't exist in Aiven, it will be ignored. Likewise, if a user is added to a group in Aiven Console but not in the IdP, they will be removed from the Aiven group when the group membership syncs.

7. Optional: Select a user group to add all users who sign up with this IdP to.

8. Click Finish to complete the setup.

note

If you set up a SAML authentication method before and are now switching to a new IdP, existing users need to log in with the new account link URL to finish the setup.

Troubleshooting

If you get an error message to contact your administrator:

1. Go to the Microsoft Azure AD user profile for the users.
2. In Contact Info, check whether the Email field is blank.

If it is blank, there are two possible solutions:

• In User Principal Name, if the Identity field is an email address, try changing the User Attributes & Claims to email = user.userprincipalname.
• In Contact Info, if none of the Alternate email fields are blank, try changing the User Attributes & Claims to email = user.othermail.