Authentication methods
Users can access Aiven using multiple authentication methods:Password
- Traditional username/password
- Optional two-factor authentication (2FA)
- Can be disabled organization-wide
Third-Party
- Microsoft
- GitHub
- Can be disabled organization-wide
SAML SSO
- Okta, Auth0, Azure AD, Google Workspace
- FusionAuth, JumpCloud, OneLogin
- Custom SAML 2.0 providers
- Organization-managed
Tokens
- Personal tokens for organization users
- Application tokens for automation
- Linked to authentication method
- Can be restricted by IP address
Authentication policies
Authentication policies control how all users in your organization can access Aiven resources. Policies are set at the organization level by organization admins.Configuring authentication policy
Navigate to policy settings
Select allowed methods
Configure additional settings
Save changes
Password authentication
- With 2FA Required
- Without 2FA
- Disabled
- Users must set up 2FA to access organization resources
- Works with authenticator apps (Google Authenticator, Authy, 1Password)
- Does not affect SSO or identity provider logins
- Personal tokens continue to work
Third-party authentication
Allow or block social login providers:SSO with identity providers
Control whether users can access your organization through SSO:- Any organization's IdP
- Only your organization's IdP
- Users who belong to multiple Aiven organizations can log in using any of those organizations’ identity providers
- More flexible for users
- Less secure for organizations
Personal tokens
Control whether organization users can create personal tokens:- Enabled - Users can generate tokens for API/CLI access
- Disabled for managed users - Only non-managed users can create tokens (they still can’t use them to access your organization)
- Disabled for all - No personal tokens allowed; use application users instead
Token authentication method enforcement
Ensure tokens conform to your authentication policy:- Enabled - Tokens can only be used if they were created with an allowed authentication method
- Disabled - Tokens work regardless of how they were created
IP address restrictions
Limit access to trusted networks:- Aiven Console access
- API calls
- CLI commands
- Personal tokens
- Application tokens
SAML identity providers
Connect your organization to enterprise identity providers for single sign-on:Supported identity providers
Okta
Azure AD
Google Workspace
Auth0
OneLogin
JumpCloud
FusionAuth
Custom SAML
Setting up an identity provider
Start IdP configuration in Aiven
- Choose IdP type
- Enter name
- Note the Metadata URL and ACS URL provided by Aiven
Configure SAML application in your IdP
- Create new SAML application
- Set ACS URL (Assertion Consumer Service URL)
- Set Entity ID / Audience
- Configure attribute mapping (email, first name, last name)
- Assign users to the application
Complete setup in Aiven
- Enter IdP URL from your identity provider
- Enter Entity ID from your identity provider
- Upload IdP certificate or enter certificate content
- Save configuration
Link users (if needed)
- Signup URL - New users create Aiven account linked to IdP
- Account link URL - Existing users link their Aiven account to IdP
Test
IdP configuration example (Okta)
Domain verification for SSO
Verify your email domain to automatically link users:Add domain
Add DNS record
Verify
Link to IdP
- Users automatically linked to IdP when logging in
- No need to send signup/link URLs
- Users become managed users
- Better visibility and control
IdP security best practices
Enable IdP-initiated login only if needed
Rotate certificates regularly
Require authentication policy with IdP only
Use short session durations
Enable MFA in your IdP
Monitor IdP access logs
Authentication tokens
Tokens provide programmatic access to the Aiven API, CLI, and Terraform Provider:Token types
- Session tokens
- Personal tokens
- Application tokens
- Created when you log in to Console or CLI
- Automatically revoked on logout
- Short-lived (hours)
- Cannot be manually created
Creating personal tokens
Navigate to profile
Generate token
- Description (e.g., “Laptop CLI access”)
- Max age (session duration)
- Allowed IP ranges (optional but recommended)
Save token
Use token
Token security best practices
Use application users for automation
Set appropriate expiration
- Personal tokens: 30-90 days
- Application tokens: 90 days, rotate regularly
Restrict by IP address
Use environment variables
Rotate tokens regularly
Audit token usage
Secure token storage
Token authentication with authentication policies
Tokens are linked to the authentication method used when they were created:Troubleshooting
Cannot log in after authentication policy change
Cannot log in after authentication policy change
- Contact organization admin to temporarily enable your auth method
- Log in using allowed method (e.g., IdP if password is disabled)
- Link new authentication method to your account
SAML authentication failed
SAML authentication failed
- Use SAML Tracer browser extension
- Verify ACS URL and Entity ID match between IdP and Aiven
- Check certificate is not expired
- Verify users are assigned to SAML app in IdP
- Check attribute mapping (email, firstName, lastName)
Invalid relay state error
Invalid relay state error
- Log in from Aiven Console instead (SP-initiated login)
- Or enable IdP-initiated login in Aiven Console
- Or set default relay state/start URL in IdP to Aiven Console URL
Token stopped working
Token stopped working
- Log in with allowed authentication method
- Create new token (will be linked to allowed method)
- Update applications with new token
IdP password doesn't work
IdP password doesn't work
- Get Account Link URL from IdP settings in Aiven Console
- Follow link and log in with existing Aiven password
- Authenticate with IdP to complete linking
- Check linked authentication methods in profile
Locked out of organization
Locked out of organization
- Contact another organization admin to adjust policy
- If no other admins, contact Aiven support
- Use VPN to access from allowed IP range