SAML integration

This integration uses the standard SAML 2.0 protocol. SAML 2.0 (Security Assertion Markup Language 2.0) is an open standard for exchanging authentication and authorization data to enable single sign-on (SSO) for users.

With the SAML integration, you can connect your identity provider (IdP) solution with Akamai MFA, giving the user two-step authentication. First, the user confirms their identity with your IdP system, for example, using their username and password. Next, the user has to confirm that the login is legitimate using one of the Akamai MFA second factors.

Supported enrollment types:

  • Email enrollment
  • In-line enrollment

Supported secondary authentication methods:

  • Clientless push
  • Email or SMS OTP
  • Hardware token
  • Phone call
  • Phone security key
  • Push notification
  • Push TOTP
  • WebAuthn/FIDO2 security key

When a user attempts to authenticate, your IdP creates a SAML assertion that includes the requested attributes. Akamai MFA can return the following attribute statements in the response, based on the requested attributes in the metadata provided when the integration is set up:

  • groups
  • email
  • lastName

This is useful if you’d like to, e.g., control access based on the user’s group membership. Other attribute names will be echoed back without a value. To ensure that a requested SAML attribute is honored in the SAML response, you need to make sure that the appropriate tags and attributes are present in the metadata file provided by the IdP. Specifically, the following tags and attributes must be included:

  • The md:AttributeConsumingService tag.

  • The md:RequestedAttribute tag. This tag is used to specify the attribute that you are requesting.

  • The isRequired="true" attribute. This attribute is used to specify whether the requested attribute is required or optional. For Akamai MFA to honor and return the attribute statement, it must be present and set to true.

Refer to your IdP documentation to learn how to configure your IdP to include this information in the SAML metadata. Alternatively, see Manually editing the SAML metadata file to learn how to add the necessary tags and attributes using a text editor.
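To make the attribute behaviour above concrete on the consuming side, here is an added example (not Akamai's code) that reads the AttributeStatement from a SAML response and makes a group-based access decision. An attribute that was requested but is not one of the returnable names comes back without a value, so the parser records it as an empty list and the access check denies by default unless a non-empty groups value matches. The response body, the entity names and the group names are constructed sample data; the example assumes the response's signature has already been verified by your SAML library and only inspects the attributes.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample response (not a real Akamai MFA response): "groups" and
# "email" carry values, while "department" was requested but echoed back empty.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
        <saml:AttributeValue>finance</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="department"/>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def attribute_statement(response_xml: str) -> dict:
    """Map each saml:Attribute Name to its list of non-empty values.

    An attribute that was echoed back without a value maps to an empty list,
    so callers can tell "present but empty" apart from a real value.
    """
    root = ET.fromstring(response_xml)
    attrs = {}
    path = f".//{{{SAML_NS}}}AttributeStatement/{{{SAML_NS}}}Attribute"
    for attr in root.iterfind(path):
        values = [
            v.text.strip()
            for v in attr.iterfind(f"{{{SAML_NS}}}AttributeValue")
            if v.text and v.text.strip()
        ]
        attrs[attr.get("Name")] = values
    return attrs


def is_allowed(response_xml: str, allowed_groups: set) -> bool:
    """Deny by default: allow only if a non-empty groups value is in allowed_groups."""
    groups = set(attribute_statement(response_xml).get("groups", []))
    return bool(groups & allowed_groups)


if __name__ == "__main__":
    print(attribute_statement(SAMPLE_RESPONSE))
    print("finance allowed:", is_allowed(SAMPLE_RESPONSE, {"finance"}))
    print("admins allowed:", is_allowed(SAMPLE_RESPONSE, {"admins"}))
```

The access check intersects sets rather than testing a single string so that a user in several groups is handled correctly, and an assertion with no groups attribute, or with an empty one, falls through to a denial.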

Add a SAML integration

Follow this procedure to generate the security components to create a custom SAML integration.

  1. Configure your Akamai MFA integration and generate your integration credentials and certificate:
    a. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.
    b. Click Add Integration (+).
    c. In Integration Type, select SAML.
    d. In Name, enter a unique integration name.
    e. Click Save and Deploy.
    You've just generated your Issuer URI, SSO URL, and Certificate. This data will be available for you on the integration page. Your MFA credentials can be copied anytime and used to integrate Akamai MFA with your SAML application.

  2. In your identity management solution, enter the Akamai MFA Issuer URI, SSO URL, and Certificate that you generated in the previous step.
    This lets you generate your IdP SAML metadata containing the Certificate and the Assertion Consumer Service URL.

  3. Save your IdP metadata to your computer.

  4. To enable communication between your IdP and Akamai MFA, enter your IdP integration metadata in Akamai Enterprise Center.
    a. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.
    b. Navigate to your SAML integration.
    c. In SAML SP Settings, click Provision.
    d. In the Upload SAML Metadata dialog, click the Metadata icon, select the metadata.xml file that you previously downloaded, and click Open. When the metadata displays in Metadata Content, click Upload to confirm.

    The uploaded metadata appears in the SAML SP Settings section.

You've just configured a SAML integration between your identity solution and Akamai MFA.

Manually editing the SAML metadata file

To edit your SAML metadata file and add the md:AttributeConsumingService and md:RequestedAttribute tags and the isRequired="true" attribute to, e.g., enable Akamai MFA to return the groups attribute, do the following:

📘

Depending on your IdP and its settings, your metadata file may differ from the example shown below. This procedure goes over steps necessary to add all the required tags and attributes. Review the structure of your metadata and edit as appropriate.

  1. Open the SAML metadata xml file provided by your IdP in a text editor.
  2. Add the <md:RequestedAttribute isRequired="true" Name="groups"/> tag within the md:EntityDescriptor/md:SPSSODescriptor/md:AttributeConsumingService tags as shown below:
<md:EntityDescriptor …>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    ...
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute isRequired="true" Name="groups"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
  3. Save the metadata file.
  4. Continue setting up your SAML integration by uploading the metadata file in Enterprise Center.
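The manual edit above, and the metadata requirements listed earlier (md:AttributeConsumingService, md:RequestedAttribute, isRequired="true"), can be checked and applied programmatically before the file is uploaded. The following is an added example (not Akamai's code or tooling) that reports which requested attributes Akamai MFA will honor and inserts the md:RequestedAttribute entry when it is missing or marked optional. The sample metadata, its entityID and URLs are constructed; the set of returnable attribute names (groups, email, lastName) is taken from this page.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Keep the "md" prefix on output so the file looks like the IdP's export.
ET.register_namespace("md", MD_NS)

# Attribute names this page lists as returnable by Akamai MFA.
RETURNABLE = {"groups", "email", "lastName"}

# Constructed sample: SP metadata as an IdP might export it, with no
# md:AttributeConsumingService section at all.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://idp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

ACS_PATH = f".//{{{MD_NS}}}SPSSODescriptor/{{{MD_NS}}}AttributeConsumingService"


def requested_attributes(metadata_xml: str) -> dict:
    """Map each md:RequestedAttribute Name to True if isRequired="true", else False."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ra in root.iterfind(f"{ACS_PATH}/{{{MD_NS}}}RequestedAttribute"):
        result[ra.get("Name")] = ra.get("isRequired", "false").lower() == "true"
    return result


def honored_attributes(metadata_xml: str) -> set:
    """Names that will come back with a value: requested, isRequired="true", and returnable.

    Anything else that is requested is echoed back in the response without a value.
    """
    return {
        name for name, required in requested_attributes(metadata_xml).items()
        if required and name in RETURNABLE
    }


def ensure_requested_attribute(metadata_xml: str, name: str) -> str:
    """Return the metadata with <md:RequestedAttribute isRequired="true" Name=name/> present.

    Creates md:AttributeConsumingService index="0" if the file has none, and
    flips isRequired to "true" if the entry exists but is optional. Idempotent.
    """
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no md:SPSSODescriptor")
    acs = sp.find(f"{{{MD_NS}}}AttributeConsumingService")
    if acs is None:
        acs = ET.SubElement(sp, f"{{{MD_NS}}}AttributeConsumingService", {"index": "0"})
    for ra in acs.iterfind(f"{{{MD_NS}}}RequestedAttribute"):
        if ra.get("Name") == name:
            ra.set("isRequired", "true")
            break
    else:
        ET.SubElement(acs, f"{{{MD_NS}}}RequestedAttribute",
                      {"isRequired": "true", "Name": name})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", honored_attributes(SAMPLE_METADATA))
    patched = ensure_requested_attribute(SAMPLE_METADATA, "groups")
    print("after: ", honored_attributes(patched))
    print(patched)
```

Run it against your own export by replacing SAMPLE_METADATA with the file contents; a name outside the returnable set is inserted as requested but never reported as honored, which is the "echoed back without a value" case described earlier.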