Skip to main content
Aiven provides flexible authentication options for accessing your organization, from password-based login to enterprise SSO with SAML identity providers. Configure authentication policies to control how users access your resources and enforce security requirements.

Authentication methods

Users can access Aiven using multiple authentication methods:

Password

Email and password
  • Traditional username/password
  • Optional two-factor authentication (2FA)
  • Can be disabled organization-wide

Third-Party

Social login providers
  • Google
  • Microsoft
  • GitHub
  • Can be disabled organization-wide

SAML SSO

Identity providers
  • Okta, Auth0, Azure AD, Google Workspace
  • FusionAuth, JumpCloud, OneLogin
  • Custom SAML 2.0 providers
  • Organization-managed

Tokens

API access
  • Personal tokens for organization users
  • Application tokens for automation
  • Linked to authentication method
  • Can be restricted by IP address

Authentication policies

Authentication policies control how all users in your organization can access Aiven resources. Policies are set at the organization level by organization admins.

Configuring authentication policy

1

Navigate to policy settings

Click AdminAuthentication policy
2

Select allowed methods

Enable or disable authentication methods for your organization
3

Configure additional settings

Set 2FA requirements, IP restrictions, token policies
4

Save changes

Policy takes effect immediately for all users
Changing authentication policy can immediately prevent users from accessing the organization. Test with a single user before applying organization-wide.

Password authentication

Strongest password securityWhen enabled:
  • Users must set up 2FA to access organization resources
  • Works with authenticator apps (Google Authenticator, Authy, 1Password)
  • Does not affect SSO or identity provider logins
  • Personal tokens continue to work
Users must enable 2FA through the Aiven Console in their user profile settings.

Third-party authentication

Allow or block social login providers:
Third-party authentication is convenient but doesn’t provide the same level of control as enterprise identity providers. For production organizations, consider using SAML SSO instead.

SSO with identity providers

Control whether users can access your organization through SSO:
Default setting
  • Users who belong to multiple Aiven organizations can log in using any of those organizations’ identity providers
  • More flexible for users
  • Less secure for organizations

Personal tokens

Control whether organization users can create personal tokens:
  • Enabled - Users can generate tokens for API/CLI access
  • Disabled for managed users - Only non-managed users can create tokens (they still can’t use them to access your organization)
  • Disabled for all - No personal tokens allowed; use application users instead
Application users and their tokens are not affected by this setting. Application tokens always work regardless of authentication policy.

Token authentication method enforcement

Ensure tokens conform to your authentication policy:
  • Enabled - Tokens can only be used if they were created with an allowed authentication method
  • Disabled - Tokens work regardless of how they were created
Example scenario:

IP address restrictions

Limit access to trusted networks:
Applies to:
  • Aiven Console access
  • API calls
  • CLI commands
  • Personal tokens
  • Application tokens
Be careful when setting IP restrictions. You can lock yourself out if you don’t include your current IP address.

SAML identity providers

Connect your organization to enterprise identity providers for single sign-on:

Supported identity providers

Okta

Popular enterprise IdP with detailed setup guide

Azure AD

Microsoft’s identity platform with setup guide

Google Workspace

Google’s enterprise IdP with setup guide

Auth0

Flexible identity platform with setup guide

OneLogin

Cloud-based IdP with setup guide

JumpCloud

Directory platform with setup guide

FusionAuth

Customer identity platform with setup guide

Custom SAML

Any SAML 2.0 compatible identity provider

Setting up an identity provider

1

Start IdP configuration in Aiven

AdminIdentity providersAdd identity provider
  • Choose IdP type
  • Enter name
  • Note the Metadata URL and ACS URL provided by Aiven
2

Configure SAML application in your IdP

In your identity provider (Okta, Azure AD, etc.):
  • Create new SAML application
  • Set ACS URL (Assertion Consumer Service URL)
  • Set Entity ID / Audience
  • Configure attribute mapping (email, first name, last name)
  • Assign users to the application
3

Complete setup in Aiven

Return to Aiven Console:
  • Enter IdP URL from your identity provider
  • Enter Entity ID from your identity provider
  • Upload IdP certificate or enter certificate content
  • Save configuration
4

Link users (if needed)

Users with email addresses on verified domains are automatically linked.For other users:
  • Signup URL - New users create Aiven account linked to IdP
  • Account link URL - Existing users link their Aiven account to IdP
5

Test

Test the SSO flow before rolling out to all users

IdP configuration example (Okta)

Domain verification for SSO

Verify your email domain to automatically link users:
1

Add domain

AdminDomainsAdd domain → Enter “company.com”
2

Add DNS record

Add the provided TXT record to your DNS:
3

Verify

Click Verify in Aiven Console after DNS propagates
4

Link to IdP

Associate the verified domain with your identity provider
Benefits of verified domains:
  • Users automatically linked to IdP when logging in
  • No need to send signup/link URLs
  • Users become managed users
  • Better visibility and control

IdP security best practices

1

Enable IdP-initiated login only if needed

Logging in from IdP dashboard is less secure than from Aiven Console
2

Rotate certificates regularly

Update IdP certificates before expiration
3

Require authentication policy with IdP only

Force all users to use SSO by disabling other authentication methods
4

Use short session durations

Configure your IdP with session timeouts appropriate for your security needs
5

Enable MFA in your IdP

Enforce multi-factor authentication in your identity provider
6

Monitor IdP access logs

Regularly review authentication logs in both Aiven and your IdP

Authentication tokens

Tokens provide programmatic access to the Aiven API, CLI, and Terraform Provider:

Token types

Automatic temporary tokens
  • Created when you log in to Console or CLI
  • Automatically revoked on logout
  • Short-lived (hours)
  • Cannot be manually created

Creating personal tokens

1

Navigate to profile

Click your profile icon → Tokens
2

Generate token

Click Generate tokenConfigure:
  • Description (e.g., “Laptop CLI access”)
  • Max age (session duration)
  • Allowed IP ranges (optional but recommended)
3

Save token

Copy the token immediately - it cannot be retrieved later
4

Use token

Token security best practices

1

Use application users for automation

Never use personal tokens for CI/CD, Terraform, or monitoring - use application users
2

Set appropriate expiration

  • Personal tokens: 30-90 days
  • Application tokens: 90 days, rotate regularly
3

Restrict by IP address

4

Use environment variables

Never hardcode tokens in code or commit them to version control
5

Rotate tokens regularly

Revoke and regenerate tokens every 90 days
6

Audit token usage

Review active tokens monthly and revoke unused ones
7

Secure token storage

Use secret managers (HashiCorp Vault, AWS Secrets Manager) for token storage
Tokens provide full access to your account. Treat them like passwords. If a token is compromised, revoke it immediately.

Token authentication with authentication policies

Tokens are linked to the authentication method used when they were created:
Application tokens are never affected by authentication policies. They always work regardless of policy settings.

Troubleshooting

Cause: New policy doesn’t allow your authentication methodSolution:
  1. Contact organization admin to temporarily enable your auth method
  2. Log in using allowed method (e.g., IdP if password is disabled)
  3. Link new authentication method to your account
Cause: Misconfiguration in IdP or AivenSolution:
  1. Use SAML Tracer browser extension
  2. Verify ACS URL and Entity ID match between IdP and Aiven
  3. Check certificate is not expired
  4. Verify users are assigned to SAML app in IdP
  5. Check attribute mapping (email, firstName, lastName)
Cause: Attempting to log in from IdP dashboard (IdP-initiated login)Solution:
  1. Log in from Aiven Console instead (SP-initiated login)
  2. Or enable IdP-initiated login in Aiven Console
  3. Or set default relay state/start URL in IdP to Aiven Console URL
Cause: Authentication policy changed with token enforcement enabledSolution:
  1. Log in with allowed authentication method
  2. Create new token (will be linked to allowed method)
  3. Update applications with new token
Cause: User account not linked to IdPSolution:
  1. Get Account Link URL from IdP settings in Aiven Console
  2. Follow link and log in with existing Aiven password
  3. Authenticate with IdP to complete linking
  4. Check linked authentication methods in profile
Cause: IP restriction or auth policy changeSolution:
  1. Contact another organization admin to adjust policy
  2. If no other admins, contact Aiven support
  3. Use VPN to access from allowed IP range

API reference

Next steps

Users & Permissions

Manage users and grant appropriate access

Security

Learn about Aiven’s security architecture

Organizations

Set up your organization structure

Monitoring & Logs

Monitor authentication events and audit logs