Akamai MFA two-factor authentication

Use Akamai MFA as the second authentication factor with an Akamai identity provider.

EAA allows you to use Akamai MFA as second-factor authentication (2FA) for an Akamai identity provider. With both EAA and Akamai MFA on the same contract, the users in any or all EAA directories may be provisioned into Akamai MFA. This action is executed from the Akamai MFA service.

You can integrate the Akamai EAA identity provider with Akamai MFA to provide end users with two-step authentication.

Authentication process with EAA.

  1. The user attempts to access the protected enterprise application.
  2. The user is prompted to sign in using their credentials.
  3. After a successful authentication, EAA IdP redirects the user to Akamai MFA.
  4. Akamai MFA challenges the user with secondary authentication.
  5. Once the user’s identity is confirmed, Akamai MFA redirects the user to EAA IdP.
  6. EAA IdP allows the user to proceed to the protected application.
Note: This authentication process applies to users who are enrolled in Akamai MFA. New users will need to self-enroll their two-factor device.

Integrate Akamai MFA with EAA

Before you begin

EAA and Akamai MFA must be available in the same contract to use this feature.

  1. Generate the integration credentials in Akamai MFA.
    1. In the Akamai MFA navigation menu, select Integrations.
    2. Click Add Integration.
    3. Select the EAA type and enter a unique integration name.
    4. Click Save and Deploy.
    5. Copy and save your Integration ID, Signing Key, and API Host.
  2. Configure Akamai MFA as 2FA in the EAA Akamai identity provider.
    1. Log in to the EAA Management portal.
    2. From the top menu bar, select Identity > Identity Providers.
    3. Select the identity provider for which you wish to add Akamai MFA as a 2FA. You should have added users to the directory and added the directory to this identity provider.
    4. Click the MULTIFACTOR tab.
    5. In the General MFA settings section, enable IdP MFA policy.
    6. Click Akamai MFA.
    7. Paste the integration credentials, namely the values for Integration ID, Signing Key, and API Host.
    8. Select the Akamai MFA UserID attribute. The Akamai MFA UserID attribute selected in EAA determines the attribute that is sent as the username to Akamai MFA. Choose one of the following:
      1. Email
      2. SAM account name
      3. User Principal Name (UPN)
      4. Domain/SAM account name
      Note: This attribute must be the same as the Login preference you set up when you configured the EAA directory that has the user and is associated with the identity provider.

      Otherwise, you will see an error when you log in to access the application.

    9. Click Save and exit.
    10. Deploy the identity provider.
  3. Assign the identity provider to one or more EAA applications.
    Note: The identity provider must be assigned to at least one EAA application for Akamai MFA to be used.
  4. Deploy the application.
  5. Log in to the application using a web browser.
  6. Enter your first-factor authentication, such as username and password, or select the certificate. If successful, new users are redirected for PushMFA registration.
  7. Self-enroll in Akamai MFA. Choose in-line enrollment and enroll your smartphone, phone, iPad or tablet after installing the Akamai MFA mobile app on Google Android or iPhone.
  8. Complete MFA verification depending on which device you enrolled. See Use Akamai MFA to authenticate for details.
  9. The end user is then redirected to the application to access the resource.

Limitations of Akamai MFA

  1. Akamai MFA cannot be used with other MFA factors for an identity provider.
  2. User enrollment cannot be changed in EAA. It is managed by Enterprise Center and can be reset in Enterprise Center.
  3. Akamai MFA is set up per user so you don’t need to re-enroll the user on other identity providers or apps. Enrollment stays even if a user is deleted and added back in EAA.