SAML integration
This integration uses the standard SAML 2.0 protocol. SAML 2.0 (Security Assertion Markup Language 2.0) is an open standard for exchanging authentication and authorization data to enable single sign-on (SSO) for users.
With the SAML integration, you can connect your identity provider (IdP) solution with Akamai MFA, providing the user with two-step authentication. First, the user needs to confirm their identity with your IdP system, for example, using their username and password. Next, the user has to confirm that the login is legitimate using one of the Akamai MFA second factors.
Supported enrollment types:
- Email enrollment
- In-line enrollment
Supported secondary authentication methods:
- Clientless push
- Email or SMS OTP
- Hardware token
- Phone call
- Phone security key
- Push notification
- Push TOTP
- WebAuthn/FIDO2 security key
SAML metadata
When a user attempts to authenticate, your IdP creates a SAML assertion that includes the requested attributes. Akamai MFA can return the following attribute statements in the response, based on the requested attributes in the metadata provided when the integration is set up:
- groups
- email
- lastName
This is useful if you’d like to, for example, control access based on the user’s group membership. Other attribute names will be echoed back without a value. To ensure that a requested SAML attribute is honored in the SAML response, you need to make sure that the appropriate tags and attributes are present in the metadata file provided by the IdP. Specifically, the following tags and attributes must be included:
- The md:AttributeConsumingService tag.
- The md:RequestedAttribute tag. This tag is used to specify the attribute that you are requesting.
- The isRequired="true" attribute. This attribute is used to specify whether the requested attribute is required or optional. For Akamai MFA to honor and return the attribute statement, it must be present and set to true.
Refer to your IdP documentation to learn how to configure your IdP to include this information in the SAML metadata. Alternatively, see Manually editing the SAML metadata file to learn how to add the necessary tags and attributes using a text editor.
Be sure to include your X.509 public key in the SAML metadata. Additionally, the AuthnRequest must be signed by the service provider.
Add a SAML integration
Follow this procedure to generate the security components to create a custom SAML integration.
- Configure your Akamai MFA integration and generate your integration credentials and certificate:
a. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.
b. Click Add Integration (+).
c. In Integration Type, select SAML.
d. In Name, enter a unique integration name.
e. Click Save and Deploy.
You’ve just generated your Issuer URI, SSO URL, Certificate, and Metadata URL. This data will be available for you on the integration page. Your MFA credentials can be copied anytime and used to integrate Akamai MFA with your SAML application. Alternatively, you can click Download Metadata to save your Akamai MFA metadata in XML format.
- In your identity management solution, enter the Akamai MFA Issuer URI, SSO URL, and Certificate that you generated in the previous step. Depending on your IdP, you can either enter the credentials manually, import your downloaded metadata XML file, or provide the Metadata URL.
This lets you generate your IdP SAML metadata containing the Certificate and the Assertion Consumer Service URL.
- Save your IdP metadata to your computer.
- To enable communication between your IdP and Akamai MFA, enter your IdP integration metadata in Akamai Enterprise Center.
a. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.
b. Navigate to your SAML integration.
c. In SAML SP Settings, click Provision.
d. In the Upload SAML Metadata dialog, click the Metadata icon, select the metadata.xml file that you previously downloaded, and click Open. When the metadata displays in Metadata Content, click Upload to confirm. The uploaded metadata appears in the SAML SP Settings section.
You've just configured a SAML integration between your identity solution and Akamai MFA.
Manually editing the SAML metadata file
To edit your SAML metadata file and add the md:AttributeConsumingService and md:RequestedAttribute tags and the isRequired="true" attribute (for example, to enable Akamai MFA to return the groups attribute), do the following:
Depending on your IdP and its settings, your metadata file may differ from the example shown below. This procedure goes over steps necessary to add all the required tags and attributes. Review the structure of your metadata and edit as appropriate.
- Open the SAML metadata xml file provided by your IdP in a text editor.
- Add the <md:RequestedAttribute isRequired="true" Name="groups"/> tag within the md:EntityDescriptor/md:SPSSODescriptor/md:AttributeConsumingService tags as shown below:
  <md:EntityDescriptor …>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      ...
      <md:AttributeConsumingService index="0">
        <md:RequestedAttribute isRequired="true" Name="groups"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
- Save the metadata file.
- Continue setting up your SAML integration by uploading the metadata file in Enterprise Center.
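A pre-upload check for the requirements listed under SAML metadata and in the manual editing steps above. This is an added example, not Akamai code: the function name lint_sp_metadata, the sample metadata, and the use of the standard AuthnRequestsSigned flag as a signing hint are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RETURNABLE = {"groups", "email", "lastName"}  # names the page says get a value
TRUE = ("true", "1")  # xs:boolean literals for true

# Constructed sample metadata (placeholder entityID and certificate text).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute Name="groups"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def lint_sp_metadata(xml_text, wanted=("groups",)):
    """Return the problems found in a trusted, locally held metadata file."""
    sp = ET.fromstring(xml_text).find(".//md:SPSSODescriptor", NS)
    if sp is None:
        return ["no md:SPSSODescriptor element"]
    problems = []
    if not any((c.text or "").strip() for c in sp.findall(".//ds:X509Certificate", NS)):
        problems.append("no ds:X509Certificate")
    # Assumption: AuthnRequestsSigned (standard SAML metadata flag) is used here as
    # a hint that requests are signed; the page does not say Akamai MFA reads it.
    if sp.get("AuthnRequestsSigned") not in TRUE:
        problems.append("AuthnRequestsSigned is not true")
    acs = sp.find("md:AttributeConsumingService", NS)
    if acs is None:
        problems.append("no md:AttributeConsumingService element")
    requested = {} if acs is None else {
        ra.get("Name"): ra.get("isRequired") in TRUE
        for ra in acs.findall("md:RequestedAttribute", NS)}
    for name in wanted:
        if name not in RETURNABLE:
            problems.append(f"{name}: echoed back without a value")
        elif name not in requested:
            problems.append(f"{name}: no md:RequestedAttribute")
        elif not requested[name]:
            problems.append(f'{name}: isRequired is not "true"')
    return problems

if __name__ == "__main__":
    print(lint_sp_metadata(SAMPLE))
```

The constructed sample omits isRequired, so the check reports the groups attribute; an empty list means the metadata meets the requirements described on this page.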