Certificate-based user authentication with optional MFA at IdP

Learn more about how a user can log in to an Akamai IdP with a valid certificate, without entering username and password credentials.

When a user logs in to the Akamai IdP portal, the login form prompts for a username and password. When you Enable certificate-based user validation in Akamai IdP without MFA, a user with a valid certificate can log in to the IdP portal and is not presented with the login form for their username and password.

If MFA is enabled in the IdP and a first-time user (one not yet registered for MFA with the native application) accesses the IdP, they are prompted with a login form whose username is prepopulated from the certificate. They must provide the password to be validated as a trusted user, and can then set up MFA. The next time the user logs in to the IdP portal, they are presented with the MFA challenge without being prompted for credentials, since that information is derived from the certificate. This speeds up login for the organization's end users.
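The decision the IdP portal makes at each visit, written out as an added example (not Akamai's code). It assumes the username has already been extracted from the validated client certificate and is passed in as `cert_user`; the `IdpSettings`, `IdpState` and `Step` names are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Step(Enum):
    LOGIN_FORM = "username and password form"            # no usable certificate
    PASSWORD_ONLY = "password form, username prefilled"  # first MFA login from a cert
    MFA_CHALLENGE = "MFA challenge, no credentials"      # cert user already enrolled
    GRANTED = "session granted"                          # cert only, MFA disabled


@dataclass
class IdpSettings:
    cert_validation: bool  # "Enable certificate-based user validation"
    mfa_enabled: bool


@dataclass
class IdpState:
    settings: IdpSettings
    # users already registered for MFA with the native application
    mfa_enrolled: Set[str] = field(default_factory=set)


def next_step(state: IdpState, cert_user: Optional[str]) -> Step:
    """What the portal shows a user arriving with (or without) a valid certificate."""
    if cert_user is None or not state.settings.cert_validation:
        return Step.LOGIN_FORM        # ordinary username and password form
    if not state.settings.mfa_enabled:
        return Step.GRANTED           # the certificate alone is sufficient
    if cert_user in state.mfa_enrolled:
        return Step.MFA_CHALLENGE     # identity comes from the cert, only the second factor is asked
    return Step.PASSWORD_ONLY         # first-time user: prove the password, then set up MFA


def complete_first_login(state: IdpState, cert_user: str, password_ok: bool) -> Step:
    """After PASSWORD_ONLY: a valid password lets the user enrol; later visits get the MFA challenge."""
    if not password_ok:
        return Step.PASSWORD_ONLY     # stay on the password page until validated
    state.mfa_enrolled.add(cert_user)  # MFA setup happens here; record the enrolment
    return next_step(state, cert_user)


if __name__ == "__main__":
    idp = IdpState(IdpSettings(cert_validation=True, mfa_enabled=True))
    user = "alice@corp.example"  # constructed sample username from the certificate
    print("first visit:", next_step(idp, user).value)
    print("after password:", complete_first_login(idp, user, password_ok=True).value)
    print("next visit:", next_step(idp, user).value)
```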

When applications later use this IdP and require SSO to the end application, the behavior depends on the application-facing authentication mechanism of the EAA application:
  • If the application-facing authentication mechanism is Kerberos with constrained delegation, you must configure Kerberos constrained delegation and add a link pointing to the Kerberos Constrained Delegation session. See Kerberos-constrained delegation.
  • If the application-facing authentication mechanism is Kerberos without a constrained delegation keytab setup, NTLM, or auto-login for an RDP application, a password-only page prompts the user once per login session in order to SSO to the application.