Manage user access to applications
Disable and enable users from accessing applications
Enterprise Application Access (EAA) maintains session information like username, time of login, browser used along with single sign-on (SSO). These attributes are kept till the session expires or the user logs out. There is no way for the administrator to clear this information even if the contract has expired, until the session timeout expires.
With this feature, the Enterprise Application Access identity administrator with EAA - IDP Admin permissions (see Role-based access control for EAA administrators), can disable users or terminate users sessions from accessing applications associated with an identity provider (IdP) much faster. This is useful when the user has lost their credentials, left the organization, user's hardware like MFA token is lost, or you want to block a user or users from an application temporarily. After the situation is resolved, access can be granted.
After administrator blocks users, syncing to the directory happens every five minutes. If the user has any open sessions, they are terminated in a five to ten minute window, depending on the login time.
You can disable a user, some users, or all users from an Akamai identity provider (IdP) or third party identity providers (IdPs) like Azure.
When you disable a user on an identity provider (IdP), the user is disabled from accessing the applications since they cannot authenticate with his login credentials using that IdP. But, if the organization has another IdP that provides access to other applications, the same user can access those applications. So disabling of the user happens only per IdP and not the entire Akamai cloud directory or LDAP.
If the disabled user is accessing client applications using EAA Client, the user is immediately logged out.
Disable and enable users from applications associated with an Akamai identity provider
You can quickly disable and enable users from accessing applications associated with an Akamai identity provider. This disables the users access to applications associated with the identity provider. But, users can still access other applications associated with a different identity provider.
- Log in to Enterprise Center.
- In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.
- On the Identity provider list page, select the identity provider of IDP Type, Akamai.
- Go to the identity provider and click Directories
5.Select the directory the user belongs to from the directory list.
Users in the directory opens and all the IdPs associated with the directory are listed. - To disable user:
- Locate the user from the Username column and click Click to enable/disable user from Akamai IDPs. For third-party IDPs go to IDP details page.
- Select one or more Akamai IdPs and click Enable/Disable.
- To disable other users, repeat the above steps.
- Other Info column shows Disabled in: count of IdPs the users is blocked in. You can click on the IdP, to check the name.
- The count of the IdPs in Disabled in: state in the Other info column should increased by the IdPs you selected.
- To enable user:
- Locate the user from the Username column, and click Click to enable/disable user from Akamai IDPs. For third-party IDPs go to IDP details page.
- Deselect one or more Akamai IdPs where the user was disabled earlier and click Enable/Disable.
- The count of the IdPs in Disabled in: state in the Other info column should reduce by the IdPs you de-selected.
- Click Save.
When the disabled users log into the login portal for accessing HTTP application, a message appears indicating the user is disabled.
If the user has already logged into the EAA Client to access client apps, which uses this identity provider, they are logged out and connection to client applications is terminated. The EAA Client goes from connected state to not connected state.
Disable or enable users associated with a third party identity provider
If you’re using a third-party identity provider like Azure, you can:
Disable or enable users associated with an Azure SCIM directory or AD
Pre-requisites
- Users and groups configured on Microsoft Azure AD: https://www.portal.azure.com/
- Admin may also have an Azure AD Connect service on their local AD machine to sync with the Azure Cloud.
You can disable or enable a user in an Azure SCIM directory or Active Directory on Azure Cloud by enabling Directory Verification Required setting in the advanced setting of the IdP, and then disabling or enabling the user in the Azure SCIM directory or Azure AD.
STEP 1: Enable Directory Verification Required in the Azure IdP
Enable the Directory Verification Required option in the third party identity provider like Azure IdP.
- Log in to Enterprise Center.
- In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.
- On the IdP list page, select a third party IdP like Microsoft Azure AD under the IDP type column.
- Click Advanced Settings.
- Enable Directory Verification Required. This enables EAA to disable the users after they are synced with the Azure AD or Azure SCIM directory associated with this IdP.
- Click Save and Deploy, to save and deploy the changes.
- Next, you can disable or enable users in the Azure AD or Azure SCIM directory.
STEP 2: Disable or enable Users from Azure SCIM directory or Azure AD associated with the Azure IdP
You can disable or enable users in an Azure SCIM directory or Azure AD associated with an Azure IdP with this procedure.
- Log in to Enterprise Center.
- In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.
- On the IdP list page, select a third party IdP like Microsoft Azure AD under the IDP type column. Click Disable users.
- (optional) If there are multiple directories associated with the IDP, select the directory the user belongs to from the directory list.
Users in the directory opens. - To disable user:
a. Locate the user from the Username column and click Disable User from Microsoft Azure IdP.
b. Select one or more Azure IdPs and click Disable.
c. To disable other users, repeat the above steps.
d. Other Info column shows Disabled in: count of IdPs the user is blocked in. You can click on the IdP, to check the name.
e. The count of the IdPs in Disabled in: state in the Other info column should be increased by the IdPs you selected. - To enable user:
a. Locate the user from the Username column and click Enable User from Microsoft Azure IdP.
b. Deselect one or more IdPs where the user was disabled earlier and click Enable.
c. The count of the IdPs in Disabled in: state in the Other info column should reduce by the IdPs you de-selected.
- Click Save.
Disable or enable users associated Azure Cloud
When you have users in your Azure Cloud and you do not have any directories associated with the Azure IdP, you can use this procedure to disable or enable the Azure cloud users.
Enable "Disable users with username" setting in the IdP and add users to be disabled or enabled list in the Azure IdP
Enable the Disabled Users Tab option in the third party identity provider like Azure IdP, add the users individually, so that you can disable or enable the users from this Azure IdP.
- Log in to Enterprise Center.
- In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.
- On the IdP list page, select a third party IdP like Microsoft Azure AD under the IDP type column.
- Click Advanced Settings.
- Enable Disable users with username. This enables EAA to disable the user by adding the username in the Disabled Users tab, although there is no Azure directory associated to the Azure IdP.
- Click Disabled Users tab.
Disabled Users opens. - To disable users individually after adding them to the disabled list, follow these steps:
a. Click Add user to disabled list (+).
b. Enter the username, first name, and last name of a user you want to disable access. To disable more users click Add user to disabled list (+), and add the username, first name, and last name of the next user. Click Disable.
The alert message appears (about users disabled from the third party IdP login portal). - To enable users follow these steps:
a. Go to the user you wish to unblock and click Enable Users (unlock icon).
b. Verify the user details and click Enable.
The user is removed from the disabled list.
c. Repeat the steps to enable other users. - Click Save and Deploy, to save and deploy the changes.
- The users that are disabled will not be able to access the Azure IdP and are given a message indicating access is disabled and they must contact the administrator. And, users that are enabled are allowed to access the Azure IdP.
Updated 2 months ago