Integrate Azure Active Directory

Use Azure Active Directory (Azure AD) as an identity provider (IdP) and Enterprise Application Access (EAA) as the service provider (SP) to access an EAA application. This allows any application in Enterprise Application Access to use Azure AD as the single sign-on (SSO) mechanism.

Prerequisite:
Set up an Azure AD premium account.

  1. Create an Azure identity provider in Enterprise Application Access.

  2. Create an Akamai Enterprise Application Access gallery application in the Azure AD environment.

  3. Configure the authentication settings for the Azure IdP in Enterprise Application Access.

  4. Assign the Azure IdP to an application in Enterprise Application Access.

  5. Verify Azure AD integration with Enterprise Application Access.

The workflow below shows the use of Azure Active Directory as an identity provider and Enterprise Application Access (EAA) as a service provider for accessing an EAA application.

[Figure: Use Azure AD as IdP]

Create an Azure IdP in EAA

You can create a third-party identity provider (IdP) in Enterprise Application Access (EAA) to set up Azure as the authentication source. You can then configure the general settings for your Azure identity provider.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Identity > Identity providers.

  3. Click Add Identity Provider.

  4. Type a custom name and optional description for the identity provider. For example, AzureAD.

  5. Select Microsoft Azure AD as the provider type from the menu.

  6. Click Continue.
    The identity provider configuration page appears.

  7. Complete the general settings:

    a. Identity intercept domain. Choose your own domain or an Akamai domain.

    • If you select Use your domain, EAA provides a CNAME redirect for the application. Use this CNAME record in your public DNS zone. You need to specify a self-signed certificate or upload a certificate.

    • If you select Use Akamai Domain, provide a name for the IdP in the following format: https://YOUR-IDP-NAME.login.go.akamai-access.com/. For example, if YOUR-IDP-NAME is azureidp, enter https://azureidp.login.go.akamai-access.com/.

    b. Akamai cloud zone. Select an EAA cloud zone that is closest to the user.

  8. Click Save and exit. Do not deploy the identity provider.
    You can click Installation instructions on the right side for the overall steps to set up EAA as the SP and Azure Active Directory as the IdP.
    A new identity provider tile is created for this IdP, with no applications or directories associated with it.

Next, create an Akamai Enterprise Application Access (EAA) application in Azure AD.

Create an Akamai EAA app in Azure AD

You create an Akamai Enterprise Application Access (EAA) application in Azure Active Directory (AD) premium and use it as the login service for Enterprise Application Access.

  1. Get your Azure AD premium trial for a month, or skip this step if you already have an Azure AD premium account.

  2. Log in to the Azure admin portal as an administrator, using your Azure AD premium global administrator credentials, to create a new EAA application.

  3. Select Azure Active Directory.

  4. Click Enterprise Applications.

  5. Click New application (+).

  6. In Add an application > Add from gallery, enter Akamai in Azure marketplace.

  7. Select Akamai Enterprise Application Access as your premium application, and click Add.
    The message Application Akamai Enterprise Application Access added successfully appears.

  8. In the Getting Started wizard for the Akamai Enterprise Application Access application, complete the following mandatory steps:

    1. Select Assign a user for testing (required), and click Add user (+).

    2. In the search bar, find and select the member or group you created before.
      See the selected members section.

    3. Click Select.
      The Application assignment succeeded message appears.

    4. Select the Configure single sign-on (required) option.

    5. Select SAML as the Single sign-on method.
      The Akamai Enterprise Application Access - SAML-based Sign-On window opens.

    6. In Basic SAML Configuration, click the Edit icon.

    7. Update the Identifier (Entity ID) and the Reply URL (Assertion Consumer URL) settings.
      The correct format is the following: https://YOUR-IDP-NAME.login.go.akamai-access.com/saml/sp/response. For example, if YOUR-IDP-NAME is azureidp, type the following:

    • Identifier (Entity ID): https://azureidp.login.go.akamai-access.com/saml/sp/response

    • Reply URL: https://azureidp.login.go.akamai-access.com/saml/sp/response

  9. Click Save.
    The Save Single Sign-on configuration message appears.

  10. Leave User Attributes & Claims with default information.

  11. In SAML Signing Certificate, click Download (next to Federation Metadata XML).
    You need the downloaded metadata.xml file to upload it to EAA in the next steps.

  12. From Set up Akamai Enterprise Application Access, copy the Login URL by clicking on the blue symbol.
    You need to save the Login URL to configure the identity provider in EAA in the next steps.
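
A pre-upload check of the downloaded metadata.xml against the Login URL copied in step 12, as an added example (not Akamai or Microsoft code). The sample metadata, tenant ID and certificate bytes are constructed, and inspect_idp_metadata is a hypothetical helper name.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = ("md:KeyDescriptor[@use='signing']/ds:KeyInfo"
             "/ds:X509Data/ds:X509Certificate")

def inspect_idp_metadata(xml_bytes, login_url):
    """Summarize what metadata.xml asks the SP to trust, plus any problems."""
    if b"<!DOCTYPE" in xml_bytes:  # SAML metadata does not need a DTD
        raise ValueError("DOCTYPE found; refusing to parse")
    root = ET.fromstring(xml_bytes)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    certs = [(c.text or "") for c in idp.findall(CERT_PATH, NS)]
    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    problems = []
    if not certs:
        problems.append("no signing certificate")
    if login_url not in sso:
        problems.append("Login URL does not match any SingleSignOnService")
    if any(not u.startswith("https://") for u in sso):
        problems.append("non-HTTPS SSO endpoint")
    # SHA-256 over the decoded certificate bytes, to compare with a known-good value.
    prints = [hashlib.sha256(base64.b64decode("".join(c.split()))).hexdigest()
              for c in certs]
    return {"entity_id": root.get("entityID"), "sso_urls": sso,
            "signing_cert_sha256": prints, "problems": problems}

# Constructed sample, not real tenant data; the certificate is placeholder bytes.
SAMPLE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_LOGIN_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{SAMPLE_CERT}</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <SingleSignOnService Location="{SAMPLE_LOGIN_URL}"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </IDPSSODescriptor>
</EntityDescriptor>""".encode()

if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE_METADATA, SAMPLE_LOGIN_URL))
```

An empty problems list means the file describes an IdP whose sign-on endpoint matches the copied Login URL; record the certificate fingerprint so a later metadata change is noticed.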

Next, configure authentication settings for the Azure IdP in Enterprise Application Access (EAA).

Configure authentication settings for the Azure IdP in EAA

Complete the authentication settings for the Azure identity provider (IdP) in Enterprise Application Access (EAA). Update your EAA Azure IdP with authentication information like relying party URLs.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Identity > Identity providers.

  3. Select the IdP you created in previous steps, and configure the following:

    1. In URL, enter the Akamai IdP URL, https://YOUR-IDP-NAME.login.go.akamai-access.com/. For example, if YOUR-IDP-NAME is azureidp, enter https://azureidp.login.go.akamai-access.com/.

    2. Logout URL is set to default: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0. Modify it if you need to point it to a different logout URL.

    3. Sign SAML request (optional). If Azure requires a signed SAML request in an SP-initiated SAML flow, select it to send the signed SAML request to Azure.

    4. Encrypted SAML response. If Azure sends encrypted SAML responses to EAA when EAA is the SP, select it to use certificates to encrypt responses.

    5. Upload IdP metadata file. To upload the metadata.xml file for the EAA SAML SP endpoint, click Choose file. (You downloaded the file from the Azure AD dashboard in the previous steps.)

    6. Leave the default session settings for Session idle expiry, Limit session life, and Max session duration.

    7. Leave the default settings for DIRECTORIES, CUSTOMIZATION, ADVANCED SETTINGS.
      You can add your own directory if you want to do shadow authorization with an on-premises Active Directory. You can also customize your Login Portal and set more advanced settings for the identity provider.

  4. Click Save to save the changes.

  5. Click Save and Deploy to deploy the identity provider.
    Now the Azure AD identity provider acts as an intercept between the EAA gallery application in Azure AD and the application behind EAA.

Next, assign the Azure identity provider (IdP) to an application in Enterprise Application Access (EAA).

Assign the Azure IdP to an app in EAA

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Applications.

  3. Select the application you want to assign an IdP to and select Settings > AUTHENTICATION.

    1. For a new application, click Assign Identity Provider.

    2. For an existing application, click Change Identity Provider.

  4. Select the Azure IdP (IdP type: Microsoft Azure AD) and assign it to the application.

  5. To set up services for an application, click Services. To finish configuring your application, click Save.

  6. Click Save and Deploy to deploy the application.
    This makes Azure the user-facing authentication mechanism for any application associated with this identity provider.

Next, verify the setup of Azure AD integration with Enterprise Application Access (EAA).

Verify Azure AD integration with EAA

To verify the setup of Azure AD integration with Enterprise Application Access, log in to the Office 365 portal or to the EAA Login Portal.

  1. To verify with the Office 365 portal, log in to the Azure AD portal.
    It redirects to the Microsoft Office 365 portal.

  2. Click All Apps.

  3. Select the Akamai Enterprise Application Access application.
    It redirects to the Akamai EAA Login Portal. The Login Portal displays the applications in EAA.

  4. To verify with EAA Login Portal, select the EAA Login Portal URL link in your identity provider.
    It redirects to the Office 365 portal for authentication.
    After successful login, you are allowed to access the application in EAA.