User authentication and group policies

You can configure and enable user authentication in Enterprise Threat Protector (ETP) to allow specific users and groups to access websites, URLs, or web applications in your enterprise. Enabling authentication also lets you see user and group information in activity reports.

To set up authentication, you must also configure these features:
  • Authentication mode. Setting where you enable or disable authentication. You can also make authentication optional. With the optional setting, users can authenticate or skip authentication for each browser session. For more information, see Authentication policy.
  • Identity providers (IdP). Service that authenticates users and expands their group membership (resolves the groups a user belongs to, including through nested groups). You can configure a third-party identity provider such as Okta or Active Directory Federation Services (AD FS). If you require authentication or make authentication optional, you must select an identity provider in the policy configuration. For more information, see Identity providers.
  • Directories. Directory service that your enterprise uses to manage users and user groups. You must associate a directory service with an identity provider. These directory services are supported:
    • Active Directory (AD)
    • Lightweight Directory Access Protocol (LDAP)
    • Active Directory Lightweight Directory Services (AD LDS)

    For more information, see Directories.

  • Identity connectors. An identity connector is a virtual appliance that you download from ETP and deploy behind the firewall in your data centers or hybrid cloud environments. Identity connectors dial out to Akamai, so no inbound firewall rule is needed, and enable ETP to synchronize with your organization’s AD or LDAP servers that are located inside your enterprise data center. For more information, see Identity connectors.
Note: You can enable authentication and configure these features only when ETP Proxy is enabled as a full web proxy and when ETP Client 3.0.4 or later is used. As a full web proxy, ETP Proxy performs URL filtering and anti-malware scanning in your current network configuration. If ETP Proxy is enabled to scan only risky traffic, these features do not apply. For more information, see Full web proxy.

After a user successfully authenticates, the user does not need to provide credentials again to access content for the length of the user session. You define the length of the user session in the identity provider configuration. If you add a user to a group that's granted access and the user then authenticates, it may take up to 15 minutes before the user session reflects the new group membership, so do not expect access to change immediately.
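To make concrete what "expands their group membership" and "add a user to a group that's granted access" mean for the access decision, here is an added illustration of nested-group resolution over a small directory, followed by the kind of group-based allow check described above. This is example code written for this page, not ETP's, Okta's, AD FS's or any directory product's code; the DNs, group names and the DIRECTORY_GROUPS structure are constructed for the example, and one group cycle is included deliberately because real AD and LDAP trees can contain them.

```python
# Constructed example: nested-group expansion and a group-based access check.
# Not ETP's or any directory product's code; data below is invented.
from collections import deque

# Constructed directory data: group DN -> direct members (user DNs or other group DNs).
DIRECTORY_GROUPS = {
    "cn=all-staff,ou=groups,dc=example,dc=com": {
        "cn=engineering,ou=groups,dc=example,dc=com",
        "cn=finance,ou=groups,dc=example,dc=com",
    },
    "cn=engineering,ou=groups,dc=example,dc=com": {
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=platform-team,ou=groups,dc=example,dc=com",
    },
    "cn=platform-team,ou=groups,dc=example,dc=com": {
        "uid=bob,ou=people,dc=example,dc=com",
        # Deliberate cycle: platform-team lists engineering, which lists platform-team.
        "cn=engineering,ou=groups,dc=example,dc=com",
    },
    "cn=finance,ou=groups,dc=example,dc=com": {
        "uid=carol,ou=people,dc=example,dc=com",
    },
}


def effective_groups(user_dn, groups=DIRECTORY_GROUPS):
    """Return every group the user belongs to, directly or through nested groups.

    Walks the member-of relation breadth-first; the visited set both avoids
    re-expanding a group and terminates on membership cycles.
    """
    direct_parents = {}
    for group, members in groups.items():
        for member in members:
            direct_parents.setdefault(member, set()).add(group)

    resolved = set()
    queue = deque(direct_parents.get(user_dn, ()))
    while queue:
        group = queue.popleft()
        if group in resolved:
            continue  # already expanded; this is what breaks cycles
        resolved.add(group)
        queue.extend(direct_parents.get(group, ()))
    return resolved


def is_allowed(user_dn, allowed_groups, groups=DIRECTORY_GROUPS):
    """Policy-style check: access is granted if any effective group is in the allow list."""
    return not effective_groups(user_dn, groups).isdisjoint(allowed_groups)


if __name__ == "__main__":
    bob = "uid=bob,ou=people,dc=example,dc=com"
    for g in sorted(effective_groups(bob)):
        print(g)
    print(is_allowed(bob, {"cn=all-staff,ou=groups,dc=example,dc=com"}))
```

Because membership is resolved at the identity provider rather than by the policy itself, a user added to a nested group is only granted access once that expansion has been refreshed, which is the delay of up to 15 minutes noted above.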

Note the following:

  • If your organization is also licensed for Enterprise Application Access (EAA), you can use your existing identity provider configuration in ETP. In this situation, manage the identity provider in EAA and do not modify these settings in the ETP UI, so that the two products do not make conflicting configuration changes.
  • The Cloud Directory is intended for testing purposes only. Do not use the Cloud Directory to store user and group information for production end-user traffic.
  • You can create separate identity providers for your production, staging, and testing environments. This lets you modify IdP settings for testing without affecting existing production traffic.