Integrate with Azure Active Directory

Learn how to use Azure Active Directory (Azure AD) as the identity provider (IdP) and EAA as the service provider (SP) to access an EAA application. This allows any application in EAA to use Azure AD as the single sign-on mechanism.

PREREQUISITE

Set up an Azure AD premium account.

You can use Azure AD as the identity provider and EAA as the service provider for accessing an application in EAA by following these steps:

STEP 1: Create an Azure identity provider in EAA.

STEP 2: Create an Akamai Enterprise Application Access gallery application in Azure AD environment.

STEP 3: Configure the authentication settings for the Azure IdP in EAA.

STEP 4: Assign the Azure IdP to an application in EAA.

STEP 5: Verify Azure AD integration with EAA.

Use Azure Active Directory as an identity provider and EAA as a service provider for accessing an EAA application

STEP 1: Create an Azure identity provider in EAA

You can create a third-party identity provider (IdP) in EAA to set up Azure as the authentication source. Then configure the general settings for your Azure identity provider.

  1. Log in to the Control Center (https://control.akamai.com/).
  2. Go to ENTERPRISE SECURITY > Enterprise Application Access.
  3. From the top menu bar, select Identity > Identity Providers.
    The Identity Providers page appears.
  4. Click Add Identity Provider.
  5. Enter a custom name and optional description for the identity provider. For example, AzureAD.
  6. Select Microsoft Azure AD as the provider type from the menu.
  7. Click Create Identity Provider and configure.
    The Identity Provider configuration page appears.
  8. Complete the general settings:
    1. Identity intercept domain. Choose your own domain or an Akamai domain. If you select Use your domain, EAA provides a CNAME redirect for the application; create this CNAME record in your public DNS zone. You will also need to specify a self-signed certificate or upload a certificate. If you select Use Akamai Domain, provide a name for the IdP. The resulting URL has the format https://YOUR-IDP-NAME.login.go.akamai-access.com/. For example, if YOUR-IDP-NAME is azureidp, the URL is https://azureidp.login.go.akamai-access.com/.
    2. Akamai cloud zone. Select an EAA cloud zone that is closest to the user.
  9. To save the changes, click Save and exit. Do not deploy the identity provider yet.
    Note: You can click Show installation for an overview of the steps for setting up EAA as the SP and Azure Active Directory as the IdP.
    A new identity provider tile is created for this IdP, with no applications or directories associated with it.

Example

Here a new identity provider tile is created with the name AzureAD, with no applications or directories associated with it. The IdP type is Microsoft Azure AD.

STEP 2: Create an Akamai Enterprise Application Access app in Azure Active Directory

You create an Akamai Enterprise Application Access app in Azure Active Directory (Azure AD) premium and use it as the login service for EAA. If you already have an Azure AD premium account, you can start from step 2.

  1. Get your Azure AD premium trial for a month.
  2. Create a new Akamai Enterprise Application Access app in your Azure AD premium domain.
    1. Log in to the Azure admin portal as administrator, using your Azure AD premium global administrator credentials.
    2. Select Azure Active Directory.
    3. Click Enterprise Applications.
    4. Click +New application to add a new enterprise application.
    5. In the Add an application panel, enter Akamai in the Add from the gallery search box. Select Akamai Enterprise Application Access as your premium application, then click Add.
    6. You'll see the message Application Akamai Enterprise Application Access added successfully.
    7. You'll see the Getting Started wizard for the Akamai Enterprise Application Access application. Complete these mandatory steps:
    8. Select Assign a user for testing (required). Click +Add user. Enter some characters of the member or group name in the search bar, and select the user or group you created before. It appears in the Selected members section.
    9. Click Select. You'll see the Application assignment succeeded message.
    10. Select the Configure single sign-on (required) option.
    11. Select SAML as the Single sign-on method. The Akamai Enterprise Application Access - SAML-based Sign-On window opens.
    12. Click on the pencil icon in Basic SAML Configuration.
    13. Update the Identifier (Entity ID) and the Reply URL (Assertion Consumer URL) settings. Both have the format https://YOUR-IDP-NAME.login.go.akamai-access.com/saml/sp/response. For this example, if YOUR-IDP-NAME is azureidp (from STEP 1), then:

      Identifier (Entity ID): https://azureidp.login.go.akamai-access.com/saml/sp/response

      Reply URL: https://azureidp.login.go.akamai-access.com/saml/sp/response

    14. Click Save. You'll see the Save Single Sign-on configuration message.
    15. The User Attributes & Claims tile is pre-populated with all of the attributes and claims that are understood by EAA. You can leave it as-is.
    16. In the SAML Signing Certificate tile, click Download next to Federation Metadata XML to download the federation metadata file (metadata.xml) that you will upload to EAA.
    17. In the Set up Akamai Enterprise Application Access tile, copy the Login URL and Logout URL by clicking the blue symbol next to each. You will need these when configuring the identity provider in EAA.

STEP 3: Configure authentication settings for the Azure identity provider in EAA

Complete the authentication settings for the Azure identity provider (IdP) in EAA. Update your EAA Azure IdP with authentication information such as the relying party URLs and the IdP metadata.

  1. Go back to the Azure IdP you created in EAA in STEP 1 and complete the authentication configuration settings.
    1. URL. Enter your Azure login URL: http://login.microsoftonline.com.
    2. Logout URL. It is prepopulated with this value: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0. Modify it if you need to point to a different logout URL.
    3. Sign SAML request (optional). If Azure requires a signed SAML request in an SP-initiated SAML flow, select this checkbox so that EAA signs the SAML request it sends to Azure.
    4. Encrypted SAML response. If Azure sends encrypted SAML responses to EAA when EAA is the SP, select this checkbox so that EAA uses certificates to process the encrypted responses.
    5. Upload IdP metadata file. Click Choose file and upload the Federation Metadata XML file (metadata.xml) that you downloaded from the Azure AD dashboard in STEP 2.
  2. Leave the session settings for Session idle expiry, Limit session life, and Max session duration at their default values.
  3. Leave the DIRECTORIES, CUSTOMIZATION, and ADVANCED SETTINGS sections as-is. Optionally, you can add your own directory if you want to do shadow authorization with an on-premises Active Directory, customize the login portal, or change other advanced settings for the identity provider.
  4. Click Save and exit.
  5. For the changes to take effect, deploy the identity provider.
    Now the Azure AD identity provider acts as an intercept between the EAA gallery app in Azure AD and the application behind EAA.

STEP 4: Assign the Azure identity provider to an application

Assign the Azure identity provider to the application.

  1. Log in to Control Center (https://control.akamai.com/).
  2. Go to ENTERPRISE SECURITY > Enterprise Application Access.
  3. From the top menu bar, click Applications.
  4. Locate the application card you want to assign an IdP to.
  5. Click Settings > Authentication.
    • For a new application, click Assign Identity Provider.
    • For an existing application, click Change Identity Provider.
  6. Select the Azure IdP (IdP type: Microsoft Azure AD) and assign it to the application. For this example, it is the AzureAD identity provider you created in STEP 1 and configured in STEP 3.
  7. To set up services for the application, click Save and go to Services. If you have finished configuring your application, click Save and exit.
  8. For the changes to take effect, deploy the application.

What you should see

For this example, if you check the AzureAD identity provider tile, you see that an application has been added and deployed successfully.

Azure now acts as the user-facing authentication mechanism for any application associated with this identity provider.

STEP 5: Verification of Azure AD integration with EAA

Verify the setup by logging in to the Office 365 portal or by using the EAA user login portal.

Verification using the Office 365 portal

Log in to the Azure Active Directory portal. You are redirected to the Microsoft Office 365 portal.

1. Click All Apps.

2. Click the Akamai Enterprise Application Access application.

3. You are redirected to the Akamai user login portal, which displays the apps in EAA.

Verification using the EAA login portal

1. Click the EAA login portal URL link in the identity provider card. You are redirected to the Office 365 portal for authentication.

2. After a successful login, you can access the application in EAA.