You can connect your Keycloak solution with ​Akamai MFA​, providing the user with two-step authentication. First, the user needs to confirm their identity with your Keycloak instance, for example, using their username and password. Next, the user has to confirm that the login is legitimate using one of the ​Akamai MFA​ second factors.

This guide will walk you through the steps to integrate Keycloak with ​Akamai MFA​.

Add Keycloak integration

Follow this procedure to generate your integration credentials that you will need to provide in the following step to enable the communication between ​Akamai MFA​ and Keycloak.

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.

  2. Click Add integration (+).

  3. In Integration Type, select Keycloak.

  4. In Name, enter a unique name for your Keycloak integration.

  5. Click Save and Deploy.
    You’ve just generated your API Host, Integration ID, Verifying Key and Signing Key. This data will be available for you on the integration page. Your integration credentials can be copied anytime and used in the following steps to configure the integration.


Your Signing Key should be kept completely secret like any other password or secret key credential.

Integrate Keycloak with ​Akamai MFA​

  1. Download the ​Akamai MFA​ provider for Keycloak and unpack the archive.

  2. Copy the akamai-keycloak-connector-VERSION.jar file to the providers directory of your Keycloak distribution and restart your Keycloak server. To learn more about provider configuration, see Keycloak documentation.

  3. Open your Keycloak admin console and click Authentication in the left sidebar menu.

  4. In the Flows tab, find the browser built-in flow, click ⋮ and Duplicate the flow.

  5. In the Duplicate flow screen, enter a name and description for your ​Akamai MFA​ browser flow and click Duplicate. In this example procedure, we will be using the following name: MFA Browser Flow.

    Flow details screen of the newly duplicated flow opens.

  6. In the list of steps, find MFA Browser Flow forms, click + and Add step.

  7. In Add step to MFA Browser Flow forms, select Akamai MFA and click Add.

  8. Back on the flow details screen, find the MFA Browser Flow - Conditional OTP step and select Disabled from the dropdown menu.

  9. Find the Akamai MFA step, drag it by holding ☷ and drop it below the Username Password Form step.

  10. Expand the dropdown menu in the Akamai MFA step and select Required.

  11. Click the cogwheel button in the Akamai MFA step to configure the integration.

  12. In Akamai MFA config, enter the following:

  • Alias. Enter your integration handle, e.g., ​Akamai MFA​.
  • Akamai MFA Host. Enter the API Host that you generated when creating your Keycloak integration.
  • Akamai MFA Signing Key. Enter the Signing Key that you generated when creating your Keycloak integration.
  • Akamai MFA Verifying Key. Enter the Verifying Key that you generated when creating your Keycloak integration.
  • Akamai MFA App Id. Enter the Integration ID that you generated when creating your Keycloak integration.
  • Akamai MFA auth expiry (Seconds). Set the auth window in seconds.
  • Fail Safe. With this setting enabled, users will be able to log in even if ​Akamai MFA​ isn't reachable.
  1. Click Save.
  2. Back in MFA Browser Flow, navigate to the top right hand corner, expand the Action dropdown menu and click Bind flow.
  3. In Choose binding type, select Browser flow and click Save.

You've just configured an integration between your Keycloak server and ​​Akamai MFA​​. You can now test your settings or continue configuring your Keycloak instance.