Integrate with Azure Active Directory
Learn how to use Azure Active Directory (Azure AD) as the identity provider (IdP) and EAA as the service provider (SP) to access an EAA application. This allows any application in EAA to use Azure AD as the single sign-on mechanism.
You can use Azure AD as the identity provider and EAA as the service provider for accessing an application in EAA by following these steps:
STEP 1: Create an Azure identity provider in EAA.
STEP 2: Create an Akamai Enterprise Application Access gallery application in Azure AD environment.
STEP 3: Configure the authentication settings for the Azure IdP in EAA.
STEP 4: Assign the Azure IdP to an application in EAA.
STEP 5: Verify Azure AD integration with EAA.
STEP 1: Create an Azure identity provider in EAA
- Log in to the Control Center (https://control.akamai.com/).
- Go to .
- From the top menu bar, select . The Identity Providers page appears.
- Click Add Identity Provider.
- Enter a custom name and optional description for the identity provider. For example, AzureAD.
- Select Microsoft Azure AD as the provider type from the menu.
- Click Create Identity Provider. The Identity Provider configuration page appears.
Complete the general settings:
- Identity intercept domain. Choose your own domain or an Akamai domain. If you select Use your domain, EAA provides a CNAME redirect for the application; create this CNAME record in your public DNS zone, and either specify a self-signed certificate or upload a certificate. If you select Use Akamai Domain, provide a name for the IdP. The resulting URL has the format https://YOUR-IDP-NAME.login.go.akamai-access.com/. For example, if YOUR-IDP-NAME is azureidp, the URL is https://azureidp.login.go.akamai-access.com/.
- Akamai cloud zone. Select an EAA cloud zone that is closest to the user.
- To save the changes, click Save and exit. Do not deploy the identity provider yet.
Note: You can click Show installation for an overview of the steps for setting up EAA as SP and Azure Active Directory as IdP.
A new identity provider tile named AzureAD is created, with no applications or directories associated with it. The IdP type is Microsoft Azure AD.
STEP 2: Create an Akamai Enterprise Application Access app in Azure Active Directory
- Get an Azure AD Premium trial for one month.
Create a new Akamai Enterprise Application Access app in Azure AD premium
- Log in to the Azure admin portal as an administrator, using your Azure AD Premium global administrator credentials.
- Select Azure Active Directory.
- Click Enterprise Applications.
- Click +New application to add a new enterprise application. In the Add an application panel, under the Add from the gallery search box, enter Akamai to search the Azure marketplace. Select Akamai Enterprise Application Access as your premium application and add it.
- You'll see the message Application Akamai Enterprise Application Access added successfully.
- You'll see the Started wizard for the Akamai Enterprise Application Access application. Complete these mandatory steps:
- Select Assign a user for testing (required). Click +Add user. Enter some characters of the member or group name in the search bar, and select the user or group you created before. It appears in the selected members section.
- Click Select. You'll see the Application assignment succeeded message.
- Select the Configure single sign-on (required) option.
- Select SAML as the Single sign-on method. The Akamai Enterprise Application Access - SAML-based Sign-On window opens.
- Click on the pencil icon in Basic SAML Configuration.
- Update the Identifier (Entity ID) and the Reply URL (Assertion Consumer URL) settings. Both have the format https://YOUR-IDP-NAME.login.go.akamai-access.com/saml/sp/response. For this example, if YOUR-IDP-NAME is azureidp (from STEP 1), then:
Identifier (Entity ID): https://azureidp.login.go.akamai-access.com/saml/sp/response
Reply URL: https://azureidp.login.go.akamai-access.com/saml/sp/response
- You'll see the Save Single Sign-on configuration message.
- The User Attributes & Claims tile is pre-populated with all of the attributes and claims that EAA understands. You can leave it as-is.
- In the SAML Signing Certificate tile, click Download next to Federation Metadata XML to download the federation metadata file (metadata.xml), which you will upload to EAA.
- In the Set up Akamai Enterprise Application Access tile, copy the Login URL and Logout URL by clicking the blue copy symbol. You will need these when configuring the identity provider in EAA.
STEP 3: Configure authentication settings for the Azure identity provider in EAA
Go back to the Azure IdP you created in EAA in STEP 1 and complete the authentication configuration:
- URL. Enter your Azure login URL, that is, the Login URL you copied in STEP 2 (https://login.microsoftonline.com).
- Logout URL. It is prepopulated with this value: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0. Modify it if you need to point to a different logout URL.
- Sign SAML request (optional). If Azure requires a signed SAML request in an SP-initiated SAML flow, select this checkbox so that EAA sends a signed SAML authentication request to Azure.
- Encrypted SAML response. If Azure sends encrypted SAML responses to EAA (the SP), select this checkbox so that certificates are used for the encrypted responses.
- Upload IdP metadata file. Click Choose file and upload the federation metadata file (metadata.xml) you downloaded from the Azure AD dashboard in STEP 2.
- Leave the session settings for Session idle expiry, Limit session life, and Max session duration at their default values.
- Leave the DIRECTORIES, CUSTOMIZATION, and ADVANCED SETTINGS sections as-is. Optionally, you can add your own directory if you want to do shadow authorization with an on-premises Active Directory. You can also customize the login portal and change other advanced settings for the identity provider.
- Click Save and exit.
- For the changes to go into effect, deploy the identity provider.
Now the Azure AD identity provider acts as an intercept between the EAA gallery app in Azure AD and the application behind EAA.
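As an added example (not Akamai's or Microsoft's code), the following Python script checks the values exchanged in STEP 2 and STEP 3 before you enter them: it derives the Entity ID and Reply URL for an IdP name, and parses the downloaded federation metadata to confirm it is IdP metadata carrying an https login URL, a logout URL and a signing certificate. The sample metadata is constructed; the tenant id and certificate are placeholders.

```python
# Added example, not Akamai's or Microsoft's code: pre-flight checks on the SAML values
# exchanged in STEP 2 and STEP 3. SAMPLE_METADATA is a constructed stand-in for the
# Federation Metadata XML of STEP 2; the tenant id and certificate in it are fake.
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIFAKECERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def eaa_sp_urls(idp_name):
    """Entity ID and Reply URL that STEP 2 enters into Azure AD for an EAA IdP name."""
    if not re.fullmatch(r"[a-z0-9-]+", idp_name):
        raise ValueError("IdP name must be a DNS label: lowercase letters, digits, hyphens")
    url = f"https://{idp_name}.login.go.akamai-access.com/saml/sp/response"
    return {"entity_id": url, "reply_url": url}

def parse_idp_metadata(xml_text):
    """Extract what STEP 3 needs from Azure AD metadata and refuse unusable files."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    info = {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "logout_url": slo.get("Location") if slo is not None else None,
            "has_signing_cert": cert is not None and bool((cert.text or "").strip())}
    # Both endpoints must be https; the SSO URL is the login URL STEP 3 asks for.
    for key in ("sso_url", "logout_url"):
        if not (info[key] or "").startswith("https://"):
            raise ValueError(f"{key} is missing or not https")
    if not info["has_signing_cert"]:
        raise ValueError("no signing certificate: EAA cannot verify Azure AD assertions")
    return info
```

Run parse_idp_metadata on the real metadata.xml you downloaded and compare its logout_url with the value prepopulated in EAA.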
STEP 4: Assign the Azure identity provider to an application
- Log in to Control Center (https://control.akamai.com/).
- Go to .
- From the top menu bar, click Applications.
- Locate the application card you want to assign an IdP to.
- For a new application, click Assign Identity Provider.
- For an existing application, click Change Identity Provider.
- Select the Azure IdP (IdP type: Microsoft Azure AD) and assign it to the application. For this example, it is the AzureAD identity provider you created in STEP 1 and configured in STEP 3.
- To set up services for the application, click Save and go to Services. If you are finished configuring your application, click Save and exit.
- For the changes to go into effect, deploy the application.
What you should see
Azure AD now acts as the user-facing authentication mechanism for any application associated with this identity provider.
STEP 5: Verification of Azure AD integration with EAA
Verify the setup by logging in to the Office 365 portal or by using the EAA user login portal.
Verification using Office 365 portal
Log into the Azure Active Directory portal. You are redirected to the Microsoft Office 365 portal.
1. Click All Apps.
2. Click Akamai Enterprise Application Access application.
3. You are redirected to the Akamai user login portal, which displays the apps in EAA.
Verification using EAA login portal
1. Click the EAA login portal URL link in the identity provider card. You are redirected to the Office 365 portal for authentication.
2. After successful login, you are allowed to access the application in EAA.