Add IWA workflow to an Akamai IdP

To add desktop SSO, also known as Integrated Windows Authentication (IWA), to your Akamai IdP, follow these steps:

  1. Derive the service principal name (SPN) for the Akamai IdP. If you use an Akamai domain, the SPN is derived from the FQDN; if you use a custom domain, it is derived from the CNAME.
  2. Register the SPN on a unique service account in Active Directory (AD). The account must be in the domain of the users who will log in through the Akamai IdP portal.
  3. Generate a keytab file for the service account created in each of your AD domains. If you have multiple domains or forests with different trust relationships, create a separate keytab file for each of them.
  4. Upload the keytab file or files for all of the above domains to the EAA admin portal.
  5. Enable IWA in the Akamai IdP with the "always" or "when-applicable" option.
  6. Select the keytab file or files for the Akamai IdP.
  7. IWA can be applied conditionally to devices (for example, laptops) that are able to respond to a Kerberos challenge. A device must have all of the following capabilities:
    1. on-net (connected through VPN or on a subnet specified in the IWA settings)
    2. able to reach the Active Directory domain controllers
    3. support for Kerberos SSO
  8. When IWA is configured as "when-applicable", regular expressions may also be configured for device operating systems and device browsers; these are matched against User-Agent strings to decide whether IWA is attempted.
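Steps 1 to 3 on a domain-joined Windows admin host, as an added example that is not part of the original page or of Akamai's tooling. The hostname, realm, service account and output path are assumed placeholders, and the example assumes the SPN for a custom domain is built from the CNAME target hostname; run it once per AD domain or forest to produce one keytab each.

```powershell
# Assumed values (replace with your own): the hostname published for the IdP,
# the AD domain (Kerberos realm) and the dedicated service account for this SPN.
$IdpHost    = 'idp.example.com'
$Realm      = 'CORP.EXAMPLE.COM'          # realm is conventionally upper case
$SvcAccount = 'CORP\svc-akamai-iwa'
$Keytab     = "C:\temp\akamai-iwa-$Realm.keytab"

# 1. Derive the SPN. For a custom domain, resolve the CNAME and use its target
#    (assumption: the target hostname is what the browser requests a ticket for);
#    for an Akamai domain, the FQDN is used as-is.
$cname = Resolve-DnsName -Name $IdpHost -Type CNAME -ErrorAction SilentlyContinue
$target = if ($cname) { $cname.NameHost } else { $IdpHost }
$Spn = "HTTP/$($target.TrimEnd('.'))"
Write-Host "Derived SPN: $Spn"

# 2. Register the SPN on the service account. -S checks for duplicates first;
#    a duplicate SPN causes clients to fail Kerberos silently and fall back.
setspn -S $Spn $SvcAccount
setspn -L $SvcAccount   # confirm the SPN is on this account and no other
setspn -X               # forest-wide duplicate SPN report

# 3. Generate the keytab for this domain. Note that ktpass sets the mapped
#    account's password, so use a dedicated account and protect the output file.
ktpass /princ "$Spn@$Realm" /mapuser $SvcAccount /pass * `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $Keytab
```

Repeat the setspn and ktpass steps with the matching account and realm for every other domain or forest before uploading the keytab files in step 4.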