Manage user access to applications

Block and unblock users from accessing applications

Enterprise Application Access (EAA) maintains session information such as the username, time of login, and browser used, along with single sign-on (SSO) state. These attributes are retained until the session expires or the user logs out. There is no way for the administrator to clear this information, even if the contract has expired, until the session timeout elapses.

With this feature, an Enterprise Application Access identity administrator with Gmbo UI - IdP Admin permissions (see Role-based access control for EAA administrators) can block users, or terminate their sessions, from accessing applications associated with an identity provider (IdP) much faster. This is useful when a user has lost their credentials, has left the organization, has lost hardware such as an MFA token, or when you want to block one or more users from an application temporarily. After the situation is resolved, access can be granted again.

After an administrator blocks users, the block is synced to the directory every five minutes. If the user has any open sessions, they are terminated within a five to ten minute window, depending on the login time.

You can block a user, some users, or all users from an Akamai identity provider (IdP) or from third-party identity providers (IdPs) like Azure.

When you block a user on an identity provider (IdP), the user is blocked from accessing the applications associated with that IdP, since they cannot authenticate with their login credentials using that IdP. However, if the organization has another IdP that provides access to other applications, the same user can still access those applications. Blocking therefore happens only per IdP, not for the entire Akamai cloud directory or LDAP directory.

If the blocked user is accessing client applications using EAA Client, the user is immediately logged out.

Block and unblock users from applications associated with an Akamai identity provider

You can quickly block and unblock users from accessing applications associated with an Akamai identity provider. This blocks the users' access to applications associated with that identity provider. However, users can still access other applications associated with a different identity provider.

  1. Log in to Enterprise Center.
  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.
  3. On the Identity provider list page, select the identity provider of IDP Type, Akamai.
  4. Go to the identity provider and click Directories.
  5. Select the directory the user belongs to from the directory list.
    Users in the directory opens and all the IdPs associated with the directory are listed.
  6. To block a user:
  • Locate the user in the Username column and click Click to Block User from Akamai IdP.
  • Select one or more Akamai IdPs and click Block.
  • To block other users, repeat the above steps.
  • The Other Info column shows Blocked in: followed by the count of IdPs the user is blocked in. You can click the IdP to check its name.
  • The count of IdPs in the Blocked in: state in the Other Info column should increase by the number of IdPs you selected.
  7. To unblock a user:
  • Locate the user in the Username column, and click Click to Block User from Akamai IdP.
  • Deselect one or more Akamai IdPs where the user was blocked earlier and click Block.
  • The count of IdPs in the Blocked in: state in the Other Info column should decrease by the number of IdPs you deselected.
  8. Click Save.

When a blocked user logs into the login portal to access an HTTP application, a message appears indicating that the user is blocked.

If the user has already logged into the EAA Client to access client apps that use this identity provider, they are logged out and the connection to client applications is terminated. The EAA Client goes from the connected state to the not connected state.

Block or unblock users associated with a third party identity provider

If you’re using a third-party identity provider like Azure, you can:

Block or unblock users associated with an Azure SCIM directory or AD

Pre-requisites

  1. Users and groups configured on Microsoft Azure AD: https://www.portal.azure.com/
  2. The admin may also have an Azure AD Connect service on their local AD machine to sync with the Azure Cloud.

You can block or unblock a user in an Azure SCIM directory or Active Directory on Azure Cloud by enabling the Directory Verification Required setting in the advanced settings of the IdP, and then blocking or unblocking the user in the Azure SCIM directory or Azure AD.

STEP 1: Enable Directory Verification Required in the Azure IdP

Enable the Directory Verification Required option in the third-party identity provider, such as an Azure IdP.

  1. Log in to Enterprise Center.
  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.
  3. On the IdP list page, select a third party IdP like Microsoft Azure AD under the IDP type column.
  4. Click Advanced Settings.
  5. Enable Directory Verification Required. This enables EAA to block users after they are synced with the Azure AD or Azure SCIM directory associated with this IdP.
  6. Click Save and Deploy, to save and deploy the changes.
  7. Next, you can block or unblock users in the Azure AD or Azure SCIM directory.

STEP 2: Block or Unblock Users from Azure SCIM directory or Azure AD associated with the Azure IdP

You can block or unblock users in an Azure SCIM directory or Azure AD associated with an Azure IdP with this procedure.

  1. Log in to Enterprise Center.
  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.
  3. On the IdP list page, select a third party IdP like Microsoft Azure AD under the IDP type column. Click Select directory to block users.
  4. Select the directory the user belongs to from the directory list.
    Users in the directory opens.
  5. To block a user:
    a. Locate the user in the Username column and click Click to Block User from Microsoft Azure IdP.
    b. Select one or more Azure IdPs and click Block.
    c. To block other users, repeat the above steps.
    d. The Other Info column shows Blocked in: followed by the count of IdPs the user is blocked in. You can click the IdP to check its name.
    e. The count of IdPs in the Blocked in: state in the Other Info column should increase by the number of IdPs you selected.
  6. To unblock a user:
    a. Locate the user in the Username column, and click Click to Block User from Microsoft Azure IdP.
    b. Deselect one or more IdPs where the user was blocked earlier and click Unblock.
    c. The count of IdPs in the Blocked in: state in the Other Info column should decrease by the number of IdPs you deselected.
  7. Click Save.

Block or unblock users associated with Azure Cloud

When you have users in your Azure Cloud but no directories associated with the Azure IdP, use this procedure to block or unblock the Azure Cloud users.

Enable the Block Users tab and add users to be blocked or unblocked in the Azure IdP

Enable the Block Users tab option in the third-party identity provider, such as an Azure IdP, and add the users individually so that you can block or unblock them from this Azure IdP.

  1. Log in to Enterprise Center.
  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.
  3. On the IdP list page, select a third party IdP like Microsoft Azure AD under the IDP type column.
  4. Click Advanced Settings.
  5. Enable Block Users with Username. This enables EAA to block a user by adding their username in the Block Users tab, even though there is no Azure directory associated with the Azure IdP.
  6. Click Block Users tab.
    Block Users opens.
  7. To block users individually after adding them to the block list, follow these steps:
    a. Click Add user to block list (+).
    b. Enter the username, first name, and last name of the user whose access you want to block. To block more users, click Add user to block list (+) and add the username, first name, and last name of the next user. Click Block.
    An alert message appears, stating that the users are blocked from the third-party IdP login portal.
  8. To unblock users follow these steps:
    a. Go to the user you wish to unblock and click Unblock User (unlocked icon).
    b. Verify the user details and click Unblock.
    The user is removed from the block list.
    c. Repeat the steps to unblock other users.
  9. Click Save and Deploy, to save and deploy the changes.
  10. Users that are blocked can no longer access the Azure IdP; they are shown a message indicating that access is blocked and that they must contact the administrator. Users that are unblocked are allowed to access the Azure IdP again.