Set up Microsoft Azure as a third-party SAML identity provider

Before you begin

Make sure you have an Azure premium account.

To set up Microsoft Azure as a third-party SAML IdP:

  1. In the Microsoft Azure portal, complete these steps:

    1. Add an Akamai Enterprise Application Access gallery application to Azure AD.

    2. Set up single sign-on for Enterprise Application Access application.

    3. Create a test user in Azure AD.

    4. Assign the test user to the application.

    5. Sync users from Active Directory to Azure AD.

  2. In SIA, complete these steps:

    1. Add Microsoft Azure AD as a third-party SAML identity provider.

    2. Download and deploy an identity connector. For more information, see Create and download an identity connector.

    3. Add your AD to SIA. As part of this procedure, make sure you assign the identity connector that you created to the directory. For more information, see Add a directory.

    4. Assign AD to the Azure IdP. See Assign AD to the Azure identity provider.

  3. If this is the first Azure IdP that you are creating in SIA, add domains that are specific to Azure to an exception list. For more information, see Add identity provider domains to an exception list.

  4. Test SSO. After you assign the IdP to a policy for authentication, you can try to access a website that requires authentication with the test user account that you created and assigned to Azure AD.

Add an Akamai Enterprise Application Access gallery application to Azure AD

To set up Azure AD as an IdP, you first add the Akamai Enterprise Application Access application from the Azure gallery to Azure AD:

  1. Log in to the Azure portal.

  2. In the navigation menu, select Azure Active Directory.

  3. Click Enterprise Applications.

  4. Click +New application to add a new enterprise application.

  5. In the Add an application panel, in the Add from gallery search box, enter Akamai. Select Akamai Enterprise Application Access as your application and, in the panel that appears, click Add.

Next steps

Set up single sign-on for Enterprise Application Access application.

Set up single sign-on for Enterprise Application Access application

Before you begin

Add an Akamai Enterprise Application Access gallery application to Azure AD.

To set up SSO for the Enterprise Application Access gallery application you added:

  1. In the Getting Started wizard, click Set up single sign on.

  2. Click SAML as the SSO method. The Akamai Enterprise Application Access - SAML-based Sign-On window opens.

  3. Click the edit icon for Basic SAML Configuration.

  4. In the Identifier (Entity ID) and the Reply URL (Assertion Consumer URL) fields, enter the IdP URL in this format:

    https://<YOUR-IDP-NAME>.login.go.akamai-access.com/saml/sp/response

    where <YOUR-IDP-NAME> is the hostname of your IdP.

  5. Click Save. The User Attributes & Claims are populated with all of the attributes and claims that are understood by SIA.

  6. In the User Attributes & Claims section, click the edit icon and click the Unique User Identifier (NameID).

  7. On the Manage Claim window, enter user.userprincipalname or user.mail into the Source attribute field and click Save. This attribute identifies the user in the application.

  8. In the SAML Signing Certificate section, download the Federation Metadata XML file. Save the metadata file to a secure location. You'll upload this file in the SIA IdP configuration.

  9. In the Set up Akamai Enterprise Application Access section, copy the Login URL. You can click the clipboard icon to save this URL to your clipboard. You provide this URL when you configure the IdP in SIA.
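The following Python script is an added example, not code from Akamai or Microsoft, that pre-checks the values produced in steps 4, 8 and 9 before they go into the SIA IdP configuration. It builds and validates the Entity ID / Reply URL format, and it parses a Federation Metadata XML file to extract the entityID, the HTTP-Redirect sign-on endpoint (which should match the Login URL copied in step 9) and the SHA-1 thumbprint of each signing certificate, so you can compare that thumbprint with the one shown in the portal's SAML Signing Certificate section. The IdP name acme-idp, the all-zero tenant ID and the certificate inside SAMPLE_METADATA are constructed placeholders; the metadata namespaces are the standard OASIS SAML ones, not values from this page.

```python
"""Pre-flight checks for the Azure AD SAML values used in the SIA IdP setup.

Added example, not Akamai or Microsoft code. Hostnames, tenant IDs and the
certificate in SAMPLE_METADATA are constructed placeholders.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Documented format of the IdP URL entered in Identifier (Entity ID) and Reply URL.
IDP_URL_RE = re.compile(
    r"^https://[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.login\.go\.akamai-access\.com/saml/sp/response$"
)

# Standard SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def build_idp_url(idp_name: str) -> str:
    """Build the URL that goes into both Entity ID and Reply URL (step 4)."""
    return f"https://{idp_name}.login.go.akamai-access.com/saml/sp/response"


def check_basic_saml_config(entity_id: str, reply_url: str) -> list:
    """Return problems with the Basic SAML Configuration values ([] means they are fine)."""
    problems = []
    for label, value in (("Entity ID", entity_id), ("Reply URL", reply_url)):
        if not IDP_URL_RE.match(value):
            problems.append(f"{label} does not match https://<YOUR-IDP-NAME>.login.go.akamai-access.com/saml/sp/response")
    if entity_id != reply_url:
        problems.append("Entity ID and Reply URL must be identical")
    return problems


def sha1_thumbprint(cert_b64: str) -> str:
    """SHA-1 thumbprint of a base64 DER certificate, in the uppercase hex form the portal shows."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()


def inspect_federation_metadata(xml_text: str) -> dict:
    """Pull the values SIA relies on out of a Federation Metadata XML file.

    A non-empty 'problems' list means the file should not be uploaded as-is.
    """
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "login_url": None, "thumbprints": [], "problems": []}
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        info["problems"].append("root element is not md:EntityDescriptor")
        return info
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        info["problems"].append("no IDPSSODescriptor: this is not IdP metadata (SP metadata downloaded by mistake?)")
        return info
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            info["thumbprints"].append(sha1_thumbprint(cert.text))
    if not info["thumbprints"]:
        info["problems"].append("no signing certificate: the SP cannot verify SAML response signatures")
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT_BINDING:
            info["login_url"] = sso.get("Location")
    if info["login_url"] is None:
        info["problems"].append("no HTTP-Redirect SingleSignOnService endpoint")
    elif not info["login_url"].startswith("https://"):
        info["problems"].append("Login URL is not https")
    return info


# Constructed sample in the shape of an Azure AD federation metadata file.
# The tenant ID is all zeros and the certificate is a placeholder, not real X.509 data.
FAKE_TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_B64 = base64.b64encode(b"CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{FAKE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    url = build_idp_url("acme-idp")  # "acme-idp" stands in for <YOUR-IDP-NAME>
    print(url, check_basic_saml_config(url, url))
    print(inspect_federation_metadata(SAMPLE_METADATA))
```

Run it against the real file with `inspect_federation_metadata(open("FederationMetadata.xml").read())`; if the thumbprint it prints differs from the one shown in the portal, the file is not the one Azure is currently signing with, and a non-empty problems list (for example SP metadata downloaded instead of IdP metadata) should stop the upload in step 5 of the SIA Authentication section.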

Next steps

Create a test user in Azure AD.

Create a test user in Azure AD

This test user lets you test SSO after you set up Azure AD and the IdP in SIA.

Before you begin

Add an Akamai Enterprise Application Access gallery application to Azure AD.

To create a test user that you can assign to the Akamai Enterprise Application Access gallery application:

  1. In the Azure Portal navigation menu, select Azure Active Directory.

  2. Under Manage, select Users and in the panel that appears, select All Users.

  3. Click +New User.

  4. Add a user with a username and password. Make sure you enter the username in this format:

    username@companydomain.extension

  5. Click Create.

Next steps

Assign the test user to the application.

Assign the test user to the application

You'll use this user to test SSO.

Before you begin

Create a test user in Azure AD.

To assign a test user to the Akamai Enterprise Application Access gallery application:

  1. In the Azure Portal navigation menu, select Azure Active Directory.

  2. Under Manage, select Enterprise Applications.

  3. Select All applications.

  4. In the list of applications, select Akamai Enterprise Application Access.

  5. Under the Manage menu, select Users and groups.

  6. Click +Add user.

  7. In the Add Assignment window, click Users and Groups.

  8. Select the user that you want to assign to the application. If necessary, you can search for the user by entering the name in the search text box.

  9. Click Select.

  10. In the dialog, click Assign.

Next steps

Sync users from Active Directory to Azure AD.

Sync users from Active Directory to Azure AD

Before you begin

Make sure you create a test user in Azure AD and assign it to the Akamai Enterprise Application Access gallery application.

Note: This procedure may not be necessary if you've already synced AD to your Azure implementation.

To sync users from your AD to Azure AD:

  1. Download Azure AD Connect from the Azure portal:

    1. In the Azure navigation menu, select Azure Active Directory.

    2. Under Manage, select Azure AD Connect.

    3. Under Provision from Active Directory, click Download Azure AD Connect.

  2. Install Azure AD Connect. Complete these steps:

    1. On the Welcome window, click Continue.

    2. Click Use Express Settings.

    3. On the Connect to Azure AD window, enter your global administrator credentials for Azure AD, and click Next.

    4. In the Connect to AD FS window, enter your AD FS credentials, and click Next.

    5. On the Ready to Configure window, select Start the configuration process as soon as the configuration completes and click Install.

  3. In the Azure Portal, confirm that users were synchronized and now appear in the portal.

  4. Assign a global administrator role to a user you synchronized. Complete these steps:

    1. Select a user.

    2. Under Manage, select Assigned roles.

    3. In the panel that appears, click +Add assignment.

    4. In the list of directory roles, select Global administrator and then click Add.

  5. Assign this user to the Akamai Enterprise Application Access application:

    1. Return to the Akamai Enterprise Application Access application.

    2. Click Add user.

    3. In the Add Assignment pane, select Users and groups.

    4. Search for the user that you assigned with the global administrator role.

    5. Click Select.

    6. In the dialog, click Assign.

Next steps

Add Microsoft Azure AD as a third-party SAML identity provider.

Add Microsoft Azure AD as a third-party SAML identity provider

Before you begin

Confirm that you completed the required setup in the Azure portal. See Set up Microsoft Azure as a third-party SAML identity provider.

To add Microsoft Azure AD as a third-party SAML IdP:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

  2. Configure basic IdP settings:

    1. In the Name and Description fields, enter a name and description for the IdP.

    2. In the Provider Type menu, select Third-Party SAML.

    3. Click Continue.

  3. In the General settings section:

    1. For Identity Intercept, select Use Akamai domain and enter a hostname. The identity intercept is the URL of the authentication page that is presented to users. The hostname you provide here must be the <YOUR-IDP-NAME> value you used in the IdP URL when you completed Set up single sign-on for Enterprise Application Access application.

    2. In the Akamai Cloud Zone, select the cloud zone that is closest to your user base.

  4. Complete these steps in the Session section:

    1. For the Session Idle Expiry setting, enter a time that is 35 minutes or more.

    2. Use the default settings for the Limit Session Life and Max Session Duration settings.

  5. In the Authentication section, complete these steps:

    1. In the URL field, enter the URL that you provided for the Identity Intercept.

    2. Select Sign SAML request.

    3. Select Encrypted SAML response.

    4. For the IdP metadata file, click Choose File.

    5. Browse to the metadata file and click Open.

  6. In the Advanced Settings, select Enable authorization.

  7. Click Save.

Next steps

  1. Create and download an identity connector.

  2. Add AD to SIA. As part of this procedure, make sure you assign an identity connector to the directory. For instructions, see Add a directory.

  3. Assign AD to the Azure identity provider.

Assign AD to the Azure identity provider

Before you begin

Add AD to SIA. For instructions, see Add a directory.

To review the overall setup process for adding Azure as a third-party SAML IdP, see Set up Microsoft Azure as a third-party SAML identity provider.

To assign your AD to your Microsoft Azure AD third-party SAML IdP:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

  2. Click the name of the Azure IdP.

  3. Click the Directories tab.

  4. Click the link icon and select the AD that you added.

  5. Click Associate.

Next steps

  1. Confirm that users are synchronized and appear in SIA, including the user you associated with the application in Azure AD.

  2. Deploy the IdP:

    • In the SIA IdP configuration, you can click the icon next to the Ready for Deployment status. A deployment icon also appears next to a failed deployment status in case you need to deploy the IdP again. This action starts the deployment process.

    • Deploy IdP configuration changes in the list of Pending Changes. For more information, see Deploy configuration changes.

  3. If this is the first Azure IdP that you are creating, add the Azure IdP domains to an exception list. See Add identity provider domains to an exception list.

  4. Associate the IdP with a policy that's enabled for authentication. For more information, see Require authentication to access a website or web application.

  5. Test SSO. After you assign the IdP to a policy for authentication, you can try to access a website that requires authentication with the test user account you created.