Configure EAA and Active Directory controller to use desktop SSO for IdP

Configuration steps in Active Directory Controller and EAA to support desktop SSO for IdP.

How to

  1. Create a directory and sync the user for the domain. See Add a directory to an identity provider and Add users to the cloud directory
  2. Configure a new Akamai identity provider (IdP).
    1. Add a new identity provider of type Akamai.
    2. Complete the general settings tab. Make a note of the Identity server hostname. If using Akamai domain as the identity server, make a note of the FQDN. Your FQDN will be of the form https://YOUR-IDP-NAME.login.go.akamai-access.com. If using your own domain, make a note of the CNAME.
    3. Click, Save and go to Directory.
    4. Add the directory to IdP.
    5. Click, Save and exit.
  3. Configure the following in active directory controller.
    1. Create a service account in Active Directory for EAA login.
    2. Generate a keytab file for the IWA. Use Microsoft ktpass utility. Read more on Microsoft ktpass usage.

      The format for the running ktpass command and generating the keytab is:

      ktpass /out ActiveDirectorydomain.keytab /princ HTTP/YOUR-IDP-NAME.login.go.akamai-access.com@ADDomain.com /mapuser serviceaccount@ADdomain.com /pass +rndPass /crypto All /ptype KRB5_NT_PRINCIPAL

      Note: Use the yourloginportalurl value to be the following :
      • if using your own domain, use the CNAME from step 2.b

      • If using Akamai domain, use the FQDN from step 2.b

      Note: Use ADDomain as the realm.
    You should have a keytab file called ActiveDirectorydomain.keytabthat is created on your laptop.
  4. Upload the keytab file into the EAA Management portal for IWA.
    1. From the top menu bar, click System > Keytabs > Add Keytab.
    2. Enter the information for the keytab.
      1. Name: a unique identifier for the keytab.
      2. Realm: the service domain that you want Akamai IdP to do desktop SSO. For this example, it is ADDomain.com
      3. Keytab Type: Select Integrated windows authentication.
      4. To upload keytab file, clickChoose File.
      5. Select the keytab file. For this example it is ActiveDirectorydomain.keytab from step 3.b
      6. ClickSave. The keytab appears as a card on the Keytabs page.
      Note: You should upload one keytab file for each forest or domain. It should have the correct SPN derived from the hostname/FQDN of the IdP when using Akamai Domain, or CNAME of the IdP when using your own domain in the keytab file you generated. If you have multiple domains with one-way or two-way trusted relationships, upload all the keytab files.
  5. Open the identity provider you created in step 1. Click on Advanced Settings tab. Complete this information, On premise subnets - Enter a list of all the outbound internet gateways. (optional, for only Use IWA set to when-applicable mode) Also see, Add public IP gateways to an IdP.
  6. Configure all of the Integrated windows authentication settings. See Description of use IWA parameter used in Integrated Windows Authentication settings.
    1. To enable IWA, select Use IWA with either always or when-applicable.
    2. Keytabs: Pick the name of the keytab file for this IdP. For this example, ActiveDirectorydomain.keytab. If multiple keytab files for multiple domains, search by name and select all of them.
    3. User on premise: Check this box only after you have added on premise subnets correctly in step 5.
    4. Browsers: Add a regular expression for multiple browsers.
      Some examples are:
      • For IE browser, use regular expression ([MS]?IE) (\d+)\.(\d+)
      • For excluding Firefox browser and include all other browsers, use regular expression ^((?!Firefox).)*$
    5. Operating Systems: Add a regular expression for multiple operating systems.
      Some examples are:
      • For Windows 10, use regular expression (Windows NT 6\.4)|(Windows NT 10\.0)
      • For Windows 8 , use regular expression (Windows NT 6\.2)|(Windows NT 6\.3)
    Note: You configure step 6.c, 6.d, 6.e only if Use IWA is set to when-applicable.
  7. Click, Save and go to Deployment to deploy the IdP. The IT administrator or end user must add the Akamai IdP hostname as local intranet zone. See Configure automatic logon with Kerberos on end-user's machine for Akamai IdP
  8. Verify the EAA IdP setup and access to application.
    1. Login to a domain joined computer with your network credentials.
    2. Ensure IdP URL is added to trusted site to do automatic logon with kerberos
    3. Access the Identity Portal URL.
    4. User automatically signs into the IdP.
    5. The end-user can access the applications on the IdP portal.