Set up advanced settings for an application

Enterprise Application Access (EAA) allows you to configure advanced settings that apply to your applications. These configurations are generally optional and are available in the EAA Management Portal from Applications > Settings > Advanced Settings. The advanced settings available for an application vary based on the application type and the other services configured for it. Refer to the table below for a list of all advanced settings.

When complete, deploy the application to put the advanced settings into effect.

Application advanced settings
| Advanced settings section | Field name | Optional / mandatory | What to do / Learn more |
|---|---|---|---|
| Rewrite group | Rewrite group | Optional | Create application groups for rewrite rules in the EAA Management Portal from System > Application groups. Assign rewrite groups to the application from Application > [Your application name] > Settings > Advanced settings > Rewrite group. To learn more, see URL rewrite rules. |
| Authentication | Token login URL | Optional | If your application needs authentication tokens, enter the login URL. EAA will generate tokens for the URL. |
| Authentication | Single sign-out logout URL | | Enter the URL that is triggered when a user logs out of an SSO application. |
| Authentication | User-facing Authentication Mechanism | Mandatory | Select the option to use when authenticating users on the front end. This option only applies when the directories configured for this application are AD/LDAP or the Cloud Directory. To learn more, see: |
| Authentication | Application-facing authentication mechanism | Optional | Select the authentication mechanism in use by the application servers. If the application expects custom headers with HTTP requests for SSO, you can use the Custom Headers feature. To learn more, see: Enable single sign-on auto-login for RDP applications |
| Authentication | App authentication domain | | When an application supports the Kerberos protocol, it has a unique identity called a service principal name (SPN) and a service account in the Active Directory domain or Kerberos realm with which the SPN is associated. The application authentication domain specifies the Active Directory domain where the service account was created. If your service uses a computer account in the domain, specify the domain name of the computer account here. To learn more, see: |
| Authentication | Service Principal Name | | Kerberos protocol endpoints identify services using a unique service principal name (SPN). Microsoft recommends a specific naming format for the SPN based on service type, host name, service port, and service domain. We use this to generate the service principal name from your application parameters. If your application uses a different service principal name, edit this field to specify the configuration suitable for your application. To learn more, see Forward Kerberos ticket-granting ticket to application. |
| Authentication | Perform Kerberos Only on Login URL | | Enable this feature if your application is required to perform Kerberos authentication only on the login URL. |
| Authentication | Forward Ticket Granting Ticket To App | | To learn more, see Forward Kerberos ticket-granting ticket to application. |
| Authentication | HTTP-only Cookie | | Select this to indicate whether or not cookies created for this application will only be used for HTTP content. For example, if your application uses a Java applet, you may want to disable this option. |
| Authentication | Use Post-binding Authentication | | Select this if your application is unable to handle an HTTP 302 redirect to validate whether the logged-in user's session is still valid. You may also enable this option if this application may be presented to the user within an iFrame inside the browser. |
| Authentication | Single Sign-on Cookie Domain | | If your application uses iFrames, it may make sense to use a common domain for SSO. For example, if your apps are named app1.company.com and app2.company.com, and they use iFrames, you might consider configuring the SSO domain as company.com. |
| Server load balancing | Metric | | Select the round-robin or ip-hash policy from the menu to determine how traffic is distributed across the origin servers associated with the application. To learn more, see: |
| Server load balancing | Enable session stickiness | | Use this feature to ensure that a given session always traverses the same connector when interacting with the application. With this option, the application always sees the same IP address for the session, which some applications require for state maintenance. To learn more, see: |
| Health check configuration | Type | | Specify the type of health check to carry out against all the associated servers to verify service availability. |
| Health check configuration | Rise | | Specify the number of consecutive successful heartbeats that the connector(s) must receive before considering an application server to be healthy. The default is 2. |
| Health check configuration | Fall | | Specify the number of consecutive missed heartbeats before the connector(s) consider an application server to be unreachable. |
| Health check configuration | Timeout | | Specify the time that the connector(s) must wait before considering a heartbeat attempt to have failed. |
| Health check configuration | Interval | | Specify the interval between successive heartbeats. |
| Custom HTTP headers | Custom header 1 | | Use this option to specify the headers to insert and forward to the origin application. If your Identity Provider (IdP) includes custom attributes for users after authentication, select custom from the menu to map the attributes provided by the IdP to those supported by the application. To learn more, see: |
| Enterprise connectivity parameters | Floor | | Only update this value under the guidance of Support. Floor specifies the minimum number of TLS sessions pre-created by a given connector to enable end-user access to enterprise applications. |
| Enterprise connectivity parameters | Ceiling | | Only update this value under the guidance of Support. Ceiling specifies the maximum number of TLS sessions pre-created by a given connector to enable end-user access to enterprise applications. |
| Enterprise connectivity parameters | Step | | Only update this value under the guidance of Support. Step specifies the incremental number of TLS sessions that a given connector launches to enable end-user access to enterprise applications. |
| Enterprise connectivity parameters | Idle Connection Timeout | | Only update this value under the guidance of Support. This value governs when an idle TLS session launched by a given connector is timed out and restarted. |
| Enterprise connectivity parameters | Application server read timeout | | Only update this value under the guidance of Support. This value governs the maximum time that an application server may take to fulfill a user request. By default, the field is set to 60 seconds. |
| HTTP Strict Transport Security (HSTS) | | | Configure the lifetime for HSTS policy enforcement on the client browser. To learn more, see: Configure HSTS for an application |
| CDN | CDN enabled | | Select this option if the application is fronted by both the EAA Cloud service and a Content Delivery Network (CDN). When enabled, your traffic is delivered from the CDN instead of the EAA Data POP. When you select CDN enabled, additional options appear. To learn more, see: Integrate EAA with Kona Site Defender and Akamai Ion |
| CDN | Akamai Performance Package | | Enable CDN enabled to see this field. Select this option to start integration with the Akamai Ion product to improve the worldwide performance of this application. To learn more, see: Integrate EAA with Kona Site Defender and Akamai Ion |
| CDN | Edge Cookie Encryption Key | | Enable Akamai Performance Package to see this field. Select this auto-generated key to encrypt the token generated by the Akamai edge node. It helps the Akamai edge validate the user session for caching purposes. Use this as the encryption key within your cookie authorization rule in your Akamai Ion configuration. To learn more, see: Integrate EAA with Kona Site Defender and Akamai Ion |
| CDN | SureRoute Test Object | | Enable Akamai Performance Package to see this field. This auto-generated URL is the test object URL for SureRoute. Copy the URL and paste it into your SureRoute Test Object configuration in Akamai Ion. To learn more, see: Integrate EAA with Kona Site Defender and Akamai Ion |
| CDN | Akamai Edge enforcement | | Enable CDN enabled to see this field. When you integrate Kona Site Defender (KSD), Ion, or Dynamic Site Accelerator (DSA) with EAA, your traffic is delivered from the CDN instead of an EAA Data POP. You must grant permission for EAA to see the real client IP and verify the Edge signature. Enable this feature to authorize only traffic from your CDN web properties that carries an Edge signature and to pass the real client IP on to EAA. To learn more, see: Integrate EAA with Kona Site Defender and Akamai Ion |
| CDN | G2O key | | Enable Akamai Edge enforcement to see this field. This auto-generated Ghost to Origin (G2O) key is for use in your Kona Site Defender (KSD), Ion, or Dynamic Site Accelerator (DSA) integration. To learn more, see: Integrate EAA with Kona Site Defender and Akamai Ion |
| CDN | G2O nonce | | Enable Akamai Edge enforcement to see this field. This auto-generated Ghost to Origin (G2O) nonce is for use in your Kona Site Defender (KSD), Ion, or Dynamic Site Accelerator (DSA) integration. To learn more, see: Integrate EAA with Kona Site Defender and Akamai Ion |
| Miscellaneous | Proxy buffer size | | Only update this configuration under the guidance of Support. The proxy buffer size denotes the maximum request size that our service expects to receive for this application. This setting sets new "proxy_buffers" and "proxy_buffer_size" directives, which control how large a response EAA will accept from the proxied upstream server. Separate directives control the maximum request header size; they are not exposed through the UI but can be set by Support on the backend. |
| Miscellaneous | Enable CORS | | Select this option to let HTTP applications secured by the Enterprise Application Access service make Cross-Origin Resource Sharing (CORS) calls to other applications. |
| Miscellaneous | Allowed Hosts | | If the Cross-Origin Resource Sharing (CORS) option is enabled, you can provide a space-delimited list of hosts that can access this HTTP application, for example, http://external_site.company.com https://other_site.company2.com. |
| Miscellaneous | Allowed headers | | If the Cross-Origin Resource Sharing (CORS) option is enabled, you can control which headers may be sent to the protected application by providing a space-delimited list, for example, Accept Accept-Language Content-Language Content-Type. |
| Miscellaneous | Allowed methods | | If the CORS option is enabled, you can control which HTTP methods may be sent to the protected application by providing a space-delimited list, for example, GET POST. |
| Miscellaneous | Allow credentials in request | | If the Cross-Origin Resource Sharing (CORS) option is enabled, you can use this option to allow requests that are made with credentials. |
| Miscellaneous | Max Age for Pre-flight Request | | Use this option to specify the duration (in seconds) for which an allowed host's pre-flight request is cached and trust is maintained by the secured application. The default is 24 hours (86,400 seconds). |
| Miscellaneous | Enable Websocket Support | | Select this option to indicate that this application uses WebSockets for HTTP transport. To learn more, see: |
| Miscellaneous | Use SSLv3 | | Select this option to indicate whether the application can interact with the EAA connector using SSLv3. |
| Miscellaneous | Log Access Events | | Select this option to indicate that you want Akamai to track the access activity of all end users connecting to configured applications. |
| Miscellaneous | Hide Application from Login Portal | | Select this option to indicate that you want to hide this application from the user Login Portal. To learn more, see: Hide an application in the Login Portal from end-users |
| Miscellaneous | Forward Proxy | | Select this option if your organization uses a forward proxy for Internet-bound traffic. |
| Miscellaneous | Dynamic IP For Application Server | | Select this option if your application server's IP address may change periodically. When this option is enabled, the connector resolves the IP address for the application server before every request. |
| Miscellaneous | Use Sticky Cookies For Connectors | | Select this option to ensure that requests always get routed to the same connector. To learn more, see: |