Basic configuration of an IdP

Add a new identity provider

With Enterprise Application Access (EAA) as your service provider (SP), you must define identity providers (IdPs) within EAA and assign them to an application in order to provide SAML and single sign-on (SSO) authentication for those applications.

If your users come from either EAA's Cloud Directory or an Active Directory (AD), you can use EAA as both your SP and your IdP. In that case no SAML is generated.

Which IdP type to use is a decision for your business. If no IdP has been used before, you can use the custom SAML IdP type. Add a new IdP and use it to authenticate multiple applications.

In EAA you can use a third-party SAML IdP, or EAA itself as the SAML IdP, to authenticate access to your applications. When an IdP such as EAA and an SP such as a SaaS application both implement SAML, users authorized by the IdP can be authenticated to use the SP.

Identity provider types supported by Enterprise Application Access:

  • Akamai
  • Google
  • Microsoft Azure AD
  • Okta
  • OneLogin
  • PingOne
  • Third-party SAML

  1. In the EAA Management Portal navigation menu, select Identity > Identity providers.
    The Identity providers page appears.

  2. Click Add Identity Provider.

  3. Enter a name and description, and select the provider type from the drop-down menu, for example, the Akamai type.

  4. Click Create Identity Provider and configure.
    You're redirected to the General tab on the Identity provider configuration page.

  5. In the General Settings section of the IdP configuration page, provide a URL for the Identity Server (Akamai IdP) or the Identity Intercept (third-party IdP). You can select Use Akamai domain or Use your domain. If you use your own domain, use either a self-signed certificate or an uploaded custom certificate.
    To learn more about certificates, see Use certificates for authentication.
    If you are adding a new third-party IdP, click Show Installation Instructions for portal-specific instructions on configuring Akamai (EAA) as the SP with that IdP.

Note: 14 days before a certificate expires, the IdP changes to the Deployment Not Ready state. Renew the certificate before it expires and deploy the IdP again; the IdP keeps working during the expiration warning period.
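
As an added example that is not part of Akamai's documentation or tooling, the following POSIX shell functions check a custom-domain IdP certificate file against that same 14-day window, so a renewal can be scheduled before EAA flags the IdP; the `idp_cert_*` function names and the certificate path argument are assumptions.

```shell
#!/bin/sh
# Added example (not Akamai EAA tooling): classify an IdP certificate against
# the 14-day expiry window in which EAA marks the IdP "Deployment Not Ready".
# Requires the openssl command-line tool.

WARN_SECONDS=$((14 * 24 * 3600))   # 14 days, the warning window from the note above

# Print the notAfter timestamp of a PEM certificate file (path is the only argument).
idp_cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Print one of: ok | renew | expired, and return 0 | 1 | 2 respectively.
#   ok      - valid for more than 14 days; no action needed
#   renew   - still valid, but inside the 14-day window: renew and redeploy the IdP
#   expired - already expired; renew immediately
idp_cert_state() {
    cert="$1"
    # -checkend N exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$WARN_SECONDS" >/dev/null 2>&1; then
        echo renew
        return 1
    fi
    echo ok
    return 0
}

# Usage: idp_cert_report /path/to/idp-cert.pem
idp_cert_report() {
    state=$(idp_cert_state "$1") || true
    printf '%s: %s (notAfter %s)\n' "$1" "$state" "$(idp_cert_not_after "$1")"
}
```

Run `idp_cert_report` against the certificate you uploaded for the IdP domain; a `renew` result means EAA will show Deployment Not Ready until a fresh certificate is uploaded and the IdP is redeployed.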

For the identity provider, in General Settings, choose the Akamai Cloud zone closest to the majority of your user base. It can be in the Client-* form, for example, Client-US-East, or just US-East, since the identity provider can be used for client-access applications or clientless applications in any cloud zone. For TCP-type or tunnel-type client-access applications, use the Akamai Cloud zone closest to the application in the data center, for example, Client-US-East or Client-US-West.

  6. To save the changes, click Save and go to Directories.

Next, add a directory to your identity provider.

Add a directory to an identity provider

  1. In the EAA Management Portal navigation menu, select Identity > Identity providers.
    The Identity providers page appears.

  2. On the identity provider card, click Configure Identity Provider.
    You're redirected to the IdP configuration page.

  3. In DIRECTORIES, click Assign directory.
    The list of configured directories displays.

    Note: If you have more than 20 directories configured, only the first 20 directory cards are listed in Directories.

  4. Select the directory from the list. You can also filter by directory name.
    The selected directory appears in Directories.

    Note: If you are a first-time user, select the Cloud Directory card.

  5. To save the changes, click Save and exit or Save and go to Customization.

  6. Deploy the identity provider.

Assign identity providers to an application

Prerequisites:

  • Make sure the identity provider you want to use is set up in Enterprise Application Access. See Add a new identity provider, and then Add a directory to an identity provider.

  • With Enterprise Application Access (EAA) as your service provider (SP), you must define identity providers (IdPs) within EAA and assign them to applications in order to provide SAML and single sign-on authentication for those applications.

  1. In the EAA Management Portal navigation menu, select Applications.
    You're redirected to the Applications page.

  2. On the application card, click Settings.
    The Application configuration page displays.

  3. In AUTHENTICATION, select one of these options:

    • For a new application, select Assign Identity Provider.
    • For an existing application, select Change Identity Provider.

  4. Select the IdP to assign to the application.

  5. To set up services for an application, click Save and go to Services.

  6. To save and finish configuring your application, click Save and exit.

  7. Deploy the application.

Deploy the identity provider

Put configuration changes to an identity provider (IdP) into effect. Changes to IdPs in Enterprise Application Access (EAA) take effect only after you deploy the IdP, just as application changes take effect only after the application is deployed. After you create or change the configuration of an IdP in EAA, deploy the IdP.

In previous versions of EAA, the Save and exit option deployed the IdP automatically, which resulted in multiple versions of the deployed IdP. If you selected an incorrect version of a deployed IdP, the IdP used by the application could have missing or incorrect configuration. With the deploy identity provider capability, Save and exit caches the IdP configuration and does not deploy the IdP. After you complete the configuration, click Save and go to Deployment to deploy the IdP. This ensures that all of your configuration is set in a single deployed version of the IdP.

  1. In the EAA Management Portal navigation menu, select Identity > Identity providers.
    The Identity providers page appears.

  2. On the identity provider card, click Configure Identity Provider.
    The Identity provider configuration page opens.

  3. Go to DEPLOYMENT and confirm that the IdP's current status is Ready for Deployment.

  4. Click Deploy Identity provider.
    The deployment process takes a few minutes. The identity provider deployment status page displays information about the current IdP deployment stage. You should see the Deployment Pending status, followed by IdP Successfully deployed.

Identity provider health and deployment status

Interpret the health and deployment status of the identity provider from the icons on the identity provider page. Identity provider (IdP) health status and deployment status information is available in the following areas of the EAA Management Portal:

  • IdP card
  • IdP deployment status page
  • Application deployment status page

Identity provider card

  1. In the EAA Management Portal navigation menu, select Identity > Identity providers.
    The Identity providers page appears.

  2. Navigate to your identity provider card.
    The health and deployment statuses are independent of one another and both appear as icons on the IdP card.

    To determine the health status of an IdP, locate the IdP card and hover your cursor over the cloud symbol, which is the IdP health status indicator. Red indicates that the IdP is down and green indicates that the IdP is up.

    To determine the deployment status of an IdP, locate the IdP card and look at the airplane symbol, which is the IdP deployment status indicator. It can be in these states:

    • IdP is deployed. A green airplane means the IdP is successfully deployed and can be used with applications.

    • Ready for deployment. A yellow airplane means the IdP is configured correctly, but an administrator still needs to deploy it.

    • Deployment not ready. A red airplane means the IdP is not configured correctly.

    • Deployment failed. A red airplane means the IdP deployment failed. This happens if any of the configuration was not set correctly when you clicked Deploy identity provider.

IdP deployment status page

  1. In the EAA Management Portal navigation menu, select Identity > Identity providers.
    The Identity providers page appears.

  2. On the identity provider card, click Configure Identity Provider, and select DEPLOYMENT.
    You're redirected to the IdP deployment status page, where you can find information about the current deployment status, for example, IdP not ready status.

Application deployment status page

  1. In the EAA Management Portal navigation menu, select Applications.
    The Applications page appears.

  2. On the application card, click Settings, and select DEPLOYMENT.
    You're redirected to the Application deployment status page, where you can find information about the current IdP deployment status, for example, The identity server has not been deployed.

You can troubleshoot some configuration issues from the IdP deployment status page.