Manage user access to applications

Block and unblock users from accessing applications

Enterprise Application Access (EAA) maintains session information such as username, time of login, and browser used, along with single sign-on (SSO). These attributes are kept until the session expires or the user logs out. The administrator cannot clear this information until the session timeout expires, even if the contract has expired.

With this feature, the Enterprise Application Access identity administrator with Gmbo UI - IdP Admin permissions (see Role-based access control for EAA administrators) can block users from accessing applications associated with an identity provider (IdP), or terminate their sessions, much faster. This is useful when a user has lost their credentials, has left the organization, has lost hardware such as an MFA token, or when you want to block one or more users from an application temporarily. After the situation is resolved, access can be granted again.

After an administrator blocks users, syncing to the directory happens every five minutes. If the user has any open sessions, they are terminated in a five to ten minute window, depending on the login time.

You can block a user, some users, or all users from an Akamai identity provider (IdP) or third-party identity providers (IdPs) like Okta and Azure.

When you block a user on an identity provider (IdP), the user is blocked from accessing the applications because they cannot authenticate with their login credentials using that IdP. However, if the organization has another IdP that provides access to other applications, the same user can still access those applications. Blocking therefore applies per IdP only, not to the entire Akamai cloud directory or LDAP.

If the blocked user is accessing client applications using EAA Client, the user is immediately logged out.
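Because a block applies per IdP, an offboarding check has to confirm that no other IdP still lets the user reach applications. The following is an added example, not Akamai code or an EAA API: the inventories are constructed sample data, the function names are hypothetical, and the ten-minute figure is treated as the upper bound of the session termination window described above.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (not an EAA export format): IdP fronting each app.
APP_IDP = {
    "wiki": "akamai-idp",
    "payroll": "akamai-idp",
    "git": "okta-idp",
    "ssh-bastion": "azure-idp",
}
# Constructed sample: IdPs through which each user is able to authenticate.
USER_IDPS = {
    "alice": {"akamai-idp", "okta-idp"},
    "bob": {"akamai-idp", "okta-idp", "azure-idp"},
}
# Constructed sample: IdPs in which each user is currently blocked.
BLOCKED_IN = {
    "alice": {"akamai-idp"},
    "bob": {"akamai-idp", "okta-idp", "azure-idp"},
}

# Assumption: upper end of the five to ten minute termination window.
MAX_TERMINATION_DELAY = timedelta(minutes=10)


def residual_access(user):
    """Apps the user can still reach through IdPs where they are not blocked."""
    open_idps = USER_IDPS.get(user, set()) - BLOCKED_IN.get(user, set())
    return sorted(app for app, idp in APP_IDP.items() if idp in open_idps)


def latest_session_end(block_saved_at):
    """Latest time an already-open session on a blocked IdP may persist."""
    return block_saved_at + MAX_TERMINATION_DELAY


def offboarding_report(user, block_saved_at):
    """Summarize what a per-IdP block leaves exposed for one user."""
    reachable = residual_access(user)
    return {
        "user": user,
        "blocked_in": sorted(BLOCKED_IN.get(user, set())),
        "still_reachable": reachable,
        "fully_blocked": not reachable,
        "sessions_gone_by": latest_session_end(block_saved_at).isoformat(),
    }
```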

Block and unblock users from applications associated with an identity provider

You can quickly block and unblock users from accessing applications associated with an identity provider.

The administrator can block a user, some users, or all users from an identity provider (IdP) in Enterprise Center. This blocks the users' access to applications associated with the identity provider. However, users can still access other applications associated with a different identity provider.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Go to the identity provider and click Select directory to block users.

  4. Select the directory the user belongs to from the directory list.
    Users in the directory opens and all the IdPs associated with the directory are listed.

  5. To block a user:

    1. Locate the user from the Username column and click Click to Block User from Akamai IdP.

    2. Select one or more Akamai IdPs and click Block.

    3. To block other users, repeat the above steps.

    4. The Other Info column shows Blocked in: with the count of IdPs the user is blocked in. You can click the IdP to check its name.

    5. The count of the IdPs in the Blocked in: state in the Other Info column should increase by the number of IdPs you selected.

  6. To unblock a user:

    1. Locate the user from the Username column, and click Click to Block User from Akamai IdP.

    2. Deselect one or more Akamai IdPs where the user was blocked earlier and click Block.

    3. The count of the IdPs in the Blocked in: state in the Other Info column should decrease by the number of IdPs you deselected.

  7. Click Save.

When blocked users log in to the login portal to access an HTTP application, a message appears indicating that the user is blocked.

If the user has already logged in to the EAA Client to access client apps that use this identity provider, they are logged out and the connection to client applications is terminated. The EAA Client goes from the connected state to the not connected state.

Block or unblock users associated with a third party identity provider

You can block or unblock a user from a directory associated with a third-party identity provider (IdP) like Okta and Azure after you enable lookup of the user to be blocked in the third-party IdP.

Enable block user lookup in the third party IdP

Enable the user lookup option in the third-party identity provider. This allows you to look up the user's name in the third-party IdP.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select the IdP to open it. The IdP type in the IdP card is, for example, Okta, Third party SAML.

  4. Click Advanced Settings.

  5. Enable Block User Lookup.

  6. Click Save and go to Deployment. Deploy the IdP.

  7. Next, you can block or unblock users in a third party identity provider.

Block or unblock users in a third party identity provider

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select the IdP you want to block the user from. The IdP type in the IdP card is, for example, Okta, Third party SAML.

  4. Click Block Users.
    Block Users opens.

  5. To block users, follow these steps:

    1. Click Add user to block list (+).

    2. Enter the username, first name, and last name of the user whose access you want to block. To block more users, click Add user to block list (+) and add the username, first name, and last name of the next user. Click Block.
      The alert message appears (about users blocked from the third party IdP login portal).

  6. To unblock users, follow these steps:

    1. Go to the user you wish to unblock and click Unblock User (unlocked icon).

    2. Verify the user details and click Unblock.
      The user is removed from the block list.

    3. Repeat the steps to unblock other users.
