Configure bypass MFA criteria for an Akamai identity provider

You can bypass MFA for any Akamai identity provider based on predefined criteria, such as the user being on the corporate network, using a managed device, or both. When the selected criteria are met, the user is not prompted for MFA.

How to

  1. Log in to the Enterprise Application Access (EAA) Management Portal.
  2. From the top menu bar, select Identity > Identity Providers.
  3. Click the Configure Identity Provider icon on the identity provider.
  4. Click the Multifactor tab.
  5. In the Bypass MFA criteria section, click Add Criteria to add the conditions under which the user is not prompted for MFA. Up to two criteria are supported, On Corporate Network and Device is managed. Select either or both and configure them as follows:
    • On Corporate Network. Select Corporate Gateway Check. This option checks whether the request is coming from the outbound web gateway. To enable this check, click Configure and set the On premise subnets field in the Advanced Settings of the IdP.
    • Device is managed. Select Certificate validation check to verify that the device used by the user has a client certificate installed that can be validated by a trusted root CA. To set up certificate validation, click Configure. You are taken to the General settings of the IdP page.

      You will need to configure all of these mandatory Certificate Validation Settings in the IdP:

      1. Certificate validation. Select this option.
      2. Enforcement. Select one of these choices:
        • Required (default). The IdP requires the client to present a valid client certificate for authentication, issued by a trusted root CA and validated against that root CA. If no certificate is presented, the user sees a 400 HTTP error in the browser.
        • Optional. The client may present a valid client certificate for authentication that has been issued by a trusted root CA. If a valid client certificate is presented, the user logs in. Otherwise, form-based login is used as the fallback mechanism.
        • Required off network, Disabled on network. You cannot use this option together with the Device is managed bypass MFA criterion; the portal shows an error message. See also Certificate enforcement options.
      3. CA certificate issuer. Select the root CA to validate the client certificate against. The certificate must already have been uploaded to EAA under System > Certificates.
      4. Certificate Identity Attribute. Select the attribute in the certificate that identifies the user.
      5. Certificate identity is username. You must enable this option for bypass MFA to work. It allows the username identity to be taken from the certificate.
        Note: Bypass MFA is not supported when the “Certificate Identity is Username” field is unchecked in the General settings of the IdP and Device is Managed is used as a Bypass MFA criterion, either alone or together with On Corporate Network. In that case users are prompted for MFA.

      These additional Certificate Validation Settings in the IdP are optional:

      1. Certificate validation method. None (default) can be left as is. If you select OCSP, an OCSP responder must be provided, or it is taken from the certificate.
      2. Certificate onboard URL (optional). Enter the URL to which the user is redirected if no certificate is presented.
  6. To save your changes, click Save and exit, or click Save and go to Deployment to deploy the identity provider.
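The following Python is an added illustration for this page, not Akamai documentation or EAA code: it models the decision that steps 5 and 6 describe so that the interaction between the two bypass criteria, the Enforcement choice and the "Certificate identity is username" setting can be tested against sample requests. The names IdpConfig, Request, mfa_required and certificate_step_outcome are invented here; the Corporate Gateway Check is approximated by source-IP membership in the configured on-premise subnets; and two behaviours the page does not spell out are marked as assumptions in the code: that both criteria must hold when both are selected, and that "Required off network, Disabled on network" behaves as its name suggests.

```python
"""Decision model of the 'Bypass MFA criteria' and 'Enforcement' settings described
above. Constructed illustration for this page, not Akamai EAA code: the real IdP's
evaluation order is not documented here. Assumptions are marked in comments."""
from dataclasses import dataclass
import ipaddress

# The two supported bypass criteria (step 5).
ON_CORPORATE_NETWORK = "On Corporate Network"
DEVICE_IS_MANAGED = "Device is managed"

# Enforcement choices (step 5 > 2).
ENFORCEMENT_REQUIRED = "Required"
ENFORCEMENT_OPTIONAL = "Optional"
ENFORCEMENT_REQUIRED_OFF_NETWORK = "Required off network, Disabled on network"


@dataclass
class IdpConfig:
    """Subset of IdP settings that the page says affect the bypass decision."""
    bypass_criteria: set                        # any subset of the two criteria
    on_premise_subnets: list                    # CIDRs from Advanced Settings
    certificate_validation: bool = False        # General settings checkbox
    enforcement: str = ENFORCEMENT_REQUIRED
    certificate_identity_is_username: bool = False

    def validate(self) -> None:
        """Reject the combination the portal itself refuses with an error message."""
        if (DEVICE_IS_MANAGED in self.bypass_criteria
                and self.enforcement == ENFORCEMENT_REQUIRED_OFF_NETWORK):
            raise ValueError(
                "'Required off network, Disabled on network' cannot be used "
                "with the 'Device is managed' bypass criterion")


@dataclass
class Request:
    """Constructed view of one login attempt."""
    source_ip: str
    client_cert_presented: bool = False
    client_cert_valid: bool = False   # chains to the selected CA certificate issuer


def on_corporate_network(cfg: IdpConfig, req: Request) -> bool:
    """Corporate Gateway Check, modelled as source IP within an on-premise subnet
    (assumption: the gateway check is approximated by subnet membership)."""
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in ipaddress.ip_network(net, strict=False)
               for net in cfg.on_premise_subnets)


def device_is_managed(cfg: IdpConfig, req: Request) -> bool:
    """Certificate validation check: a client certificate was presented and
    validated against the trusted root CA."""
    if not cfg.certificate_validation:
        return False   # mandatory setting not enabled: the check cannot succeed
    return req.client_cert_presented and req.client_cert_valid


def mfa_required(cfg: IdpConfig, req: Request) -> bool:
    """True when the user must still be prompted for MFA."""
    cfg.validate()
    if not cfg.bypass_criteria:
        return True
    # Note under step 5 > 5: with Device is managed selected (alone or together
    # with On Corporate Network), bypass is unsupported unless
    # 'Certificate identity is username' is enabled.
    if DEVICE_IS_MANAGED in cfg.bypass_criteria and not cfg.certificate_identity_is_username:
        return True
    checks = {ON_CORPORATE_NETWORK: on_corporate_network,
              DEVICE_IS_MANAGED: device_is_managed}
    # Assumption: when both criteria are selected, both must hold to skip MFA.
    return not all(checks[name](cfg, req) for name in cfg.bypass_criteria)


def certificate_step_outcome(cfg: IdpConfig, req: Request) -> str:
    """What the user sees at the certificate step, per the Enforcement choices."""
    if not cfg.certificate_validation:
        return "form login"
    if req.client_cert_presented and req.client_cert_valid:
        return "certificate login"
    if cfg.enforcement == ENFORCEMENT_REQUIRED:
        return "HTTP 400"                      # page: 400 error in the browser
    if cfg.enforcement == ENFORCEMENT_OPTIONAL:
        return "form login"                    # page: form-based login fallback
    # Assumption, from the option's name only: certificate required off network,
    # certificate check disabled (form login) on network.
    return "form login" if on_corporate_network(cfg, req) else "HTTP 400"


if __name__ == "__main__":
    # Constructed sample: both criteria selected, managed device off-network.
    cfg = IdpConfig({ON_CORPORATE_NETWORK, DEVICE_IS_MANAGED}, ["10.20.0.0/16"],
                    certificate_validation=True, certificate_identity_is_username=True)
    req = Request("203.0.113.9", client_cert_presented=True, client_cert_valid=True)
    print("MFA required:", mfa_required(cfg, req))   # True: off the corporate network
```

The model makes the two failure modes in the notes visible: a managed device with a valid certificate is still prompted for MFA when "Certificate identity is username" is unchecked, and a configuration that pairs Device is managed with "Required off network, Disabled on network" is rejected before any request is evaluated.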