Register an identity provider

The Authorization Server integrates with identity providers (IdPs) to authenticate the users of client apps. Registration is a two-way exchange: you first give the IdP details about the Authorization Server, then use the credentials and endpoints the IdP returns to register the IdP in OAuth Management. You can edit a registered IdP at any time.

Note: If the client apps that you plan to register will only use the client credentials flow, you may skip this task. IdPs do not take part in the client credentials flow.
Try the API: You can also complete this task by using the OAuth Management API. Run the Register an identity provider operation. Learn more about Akamai’s APIs.

How to

  1. Provide the necessary details about the Authorization Server to the IdP that you want to register.
    The details depend on the IdP but usually include an application name and a redirect URI. You can choose any application name, but be aware that resource owners see it on the first consent page when they grant the Authorization Server permission to use their basic details. The redirect URI is generated by Akamai only after you register the IdP in OAuth Management (step 15), so if the IdP requires it before it issues credentials, expect to return to the IdP and complete its configuration once the redirect URI is available.

    Third-party IdPs can be divided into three types:

    • Social media. Examples: Facebook, Google.
    • On-premise. Examples: ForgeRock, PingFederate.
    • Identity-as-a-service (IDaaS). Examples: Auth0, Okta.
  2. Note the details that the IdP provided in response to your request.
    These details should include a client ID, a client secret, an IdP type and authentication method, OAuth endpoints, and available client scopes.
  3. In Control Center, go to CDN > API definitions > OAuth management.
  4. Select the Identity providers tab.
  5. Click Register IdP.
  6. In the Register identity provider window, in the Identity provider name field, enter the name under which you want to register the IdP with Akamai.
    Resource owners see the identity provider name on the login page when they choose the IdP to authenticate with.
  7. In the Client ID field, enter the Authorization Server client ID provided by the IdP.
    The client ID uniquely identifies the Authorization Server at the IdP.
  8. In the Client secret field, enter the Authorization Server client secret provided by the IdP.
    The client secret lets the Authorization Server authenticate to the IdP's token endpoint when it exchanges an IdP-issued authorization code for an access token. Treat it as a credential: anyone holding it can complete that exchange on the Authorization Server's behalf, so rotate it at the IdP if it is exposed.
  9. From the Client authentication method menu, select how the IdP expects the Authorization Server to present its client ID and client secret at the Token endpoint.
    • If the IdP expects the credentials in the HTTP Authorization header using the Basic scheme (client_secret_basic in OAuth 2.0 terms), select BASIC.
    • If the IdP expects the credentials as client_id and client_secret parameters in the form-encoded request body (client_secret_post), select POST.
  10. From the Identity provider type menu, select the protocol the IdP uses: OAUTH2 (plain OAuth 2.0, where the Authorization Server learns who the user is from a user info endpoint) or OIDC (OpenID Connect, where the IdP asserts the user's identity in a signed ID token).
  11. In the Authorization endpoint field, enter the URL to be used by the Authorization Server to obtain authorization from the IdP.
  12. In the Token endpoint field, enter the URL to be used by the Authorization Server to exchange an authorization code for an access token.
  13. Do one of these steps, depending on the Identity provider type you selected:
    • If you selected OAUTH2:
      1. In the User info endpoint field, enter the URL the Authorization Server calls, presenting the IdP-issued access token, to retrieve the user's details held at the IdP.
      2. In the User name attribute field, enter the name of the attribute in the User info endpoint response whose value is the user name.
    • If you selected OIDC, in the JWKS URL field, enter the URL of the IdP's JSON web key set, the public keys the Authorization Server uses to verify the signatures of the JSON web tokens (ID tokens) the IdP issues.
  14. In the Identity provider scopes field, enter the scopes the Authorization Server requests from the IdP.
    These scopes represent the permissions a resource owner grants to the Authorization Server so that it can verify their identity with the IdP (for an OIDC IdP the set must include openid). The first consent page a resource owner sees during the OAuth process lists these scopes. They serve a different purpose than the client scopes you define in API Definitions, which govern access to your APIs.
  15. Verify that all the details are correct and click Register.
    The new IdP is registered with Akamai and appears on the Identity providers tab. All APIs registered in API Gateway under your current Control Center account can now use the IdP for resource owner identification. Copy the redirect URI shown for the IdP and provide it to the IdP to complete the Authorization Server's registration on the IdP side.
    Registered IdP
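The IdP-facing operations that the registered values drive, as an added example in Python. This is not Akamai's code and not the OAuth Management API; it shows what the Authorization Server does with the fields above: building the Token endpoint request for the BASIC and POST client authentication methods (step 9), reading the user name from an OAUTH2 User info endpoint response using the registered User name attribute (step 13), and verifying an OIDC ID token against a JSON web key set (step 13). All endpoints, credentials, the JWKS and the token are constructed sample data. The JWKS check uses an HS256 `oct` key so it runs on the standard library; a real IdP's JWKS URL serves RSA or EC public keys, and the kid, alg, signature and claim checks are the same.

```python
"""Added example, not Akamai's code: the IdP-facing steps driven by the values
registered above. Endpoints, credentials, JWKS and token are constructed."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote, urlencode


def build_token_request(token_endpoint, client_id, client_secret,
                        code, redirect_uri, auth_method):
    """Return (url, headers, body) for exchanging an IdP-issued authorization
    code at the Token endpoint. auth_method is the registered Client
    authentication method: BASIC (credentials in the Authorization header,
    RFC 6749 section 2.3.1) or POST (credentials in the form body)."""
    params = {"grant_type": "authorization_code",
              "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "BASIC":
        # RFC 6749 form-urlencodes the id and secret before Base64, so a
        # secret containing ':' or '%' is not misparsed by the IdP.
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    elif auth_method == "POST":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {auth_method!r}")
    return token_endpoint, headers, urlencode(params)


def username_from_userinfo(userinfo_json, user_name_attribute):
    """OAUTH2 IdP type: read the user name from the User info endpoint
    response using the registered User name attribute."""
    info = json.loads(userinfo_json)
    if user_name_attribute not in info:
        raise KeyError(f"user info response has no {user_name_attribute!r} attribute")
    return info[user_name_attribute]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_id_token(id_token, jwks, issuer, audience, now=None):
    """OIDC IdP type: verify an ID token against the JSON web key set served
    at the registered JWKS URL. Standard-library stand-in: handles HS256
    'oct' keys only; a real IdP publishes RSA/EC public keys, and the kid,
    alg, signature and claim checks below are the same."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # Select the key by kid from the JWKS; keys embedded in the token are ignored.
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct":
        raise ValueError("no matching key in JWKS")
    expected = hmac.new(_b64url_decode(key["k"]),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


# Constructed sample key material (not from any real IdP) so the verifier
# can be exercised offline.
SAMPLE_SECRET = b"constructed-sample-key-not-for-production"
SAMPLE_JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                         "k": _b64url(SAMPLE_SECRET)}]}


def mint_sample_token(claims, kid="k1", secret=SAMPLE_SECRET):
    """Mint an HS256 token the way the sample IdP would, for testing only."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


if __name__ == "__main__":
    url, hdrs, body = build_token_request("https://idp.example/token", "a", "s:3",
                                          "code123", "https://as.example/cb", "BASIC")
    print(hdrs["Authorization"], body)
    tok = mint_sample_token({"iss": "https://idp.example", "aud": "a",
                             "sub": "u1", "exp": 2000000000})
    print(verify_id_token(tok, SAMPLE_JWKS, "https://idp.example", "a")["sub"])
```

Two points to carry over to a real deployment: the BASIC branch percent-encodes the client ID and secret before Base64, as RFC 6749 requires, which matters for secrets that contain `:` or `%`; and the ID token verifier pins the algorithm, selects the key by `kid` from the JWKS rather than trusting anything in the token, and checks `iss`, `aud` and `exp`, the same checks the Authorization Server performs with the JWKS URL registered in step 13.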

Next steps

Configure OAuth 2.0 scopes