Tutorial: Microsoft Entra SSO integration with Akamai

In this tutorial, you'll learn how to integrate Akamai with Microsoft Entra ID. When you integrate Akamai with Microsoft Entra ID, you can:

  • Control in Microsoft Entra ID who has access to Akamai.
  • Enable your users to be automatically signed-in to Akamai with their Microsoft Entra accounts.
  • Manage your accounts in one central location.

Microsoft Entra ID and Akamai Enterprise Application Access integration allows seamless access to legacy applications hosted in the cloud or on-premises. The integrated solution takes advantages of all the modern capabilities of Microsoft Entra ID like Microsoft Entra Conditional Access, Microsoft Entra ID Protection and Microsoft Entra ID Governance for legacy applications access without app modifications or agents installation.

The below image describes, where Akamai EAA fits into the broader Hybrid Secure Access scenario.

Akamai EAA fits into the broader Hybrid Secure Access scenario

Key Authentication Scenarios

Apart from Microsoft Entra native integration support for modern authentication protocols like OpenID Connect, SAML and WS-Fed, Akamai EAA extends secure access for legacy-based authentication apps for both internal and external access with Microsoft Entra ID, enabling modern scenarios (such as password-less access) to these applications. This includes:

  • Header-based authentication apps
  • Remote Desktop
  • SSH (Secure Shell)
  • Kerberos authentication apps
  • VNC (Virtual Network Computing)
  • Anonymous auth or no inbuilt authentication apps
  • NTLM authentication apps (protection with dual prompts for the user)
  • Forms-Based Application (protection with dual prompts for the user)

Integration Scenarios

Microsoft and Akamai EAA partnership allows the flexibility to meet your business requirements by supporting multiple integration scenarios based on your business requirement. These could be used to provide zero-day coverage across all applications and gradually classify and configure appropriate policy classifications.

Integration Scenario 1

Akamai EAA is configured as a single application on the Microsoft Entra ID. Admin can configure the Conditional Access policy on the Application and once the conditions are satisfied users can gain access to the Akamai EAA Portal.

Pros:

  • You need to only configure IDP once.

Cons:

  • Users end up having two applications portals.

  • Single Common Conditional Access policy coverage for all Applications.

Integration Scenario 1

Integration Scenario 2

Akamai EAA Application is set up individually on the Azure portal. Admin can configure Individual he Conditional Access policy on the Application(s) and once the conditions are satisfied users can directly be redirected to the specific application.

Pros:

  • You can define individual Conditional Access Policies.

  • All Apps are represented on the 0365 Waffle and myApps.microsoft.com Panel.

Cons:

  • You need to configure multiple IDP.

Integration Scenario 2

Prerequisites

To get started, you need the following items:

  • A Microsoft Entra subscription. If you don't have a subscription, you can get a free account.
  • Akamai single sign-on (SSO) enabled subscription.

Scenario description

In this tutorial, you configure and test Microsoft Entra SSO in a test environment.

  • Akamai supports IDP initiated SSO.

Important

All the setup listed below are same for the Integration Scenario 1 and Scenario 2. For the Integration scenario 2 you have to set up Individual IDP in the Akamai EAA and the URL property needs to be modified to point to the application URL.

Screenshot of the General tab for AZURESSO-SP in Akamai Enterprise Application Access. The Authentication configuration URL field is highlighted.

To configure the integration of Akamai into Microsoft Entra ID, you need to add Akamai from the gallery to your list of managed SaaS apps.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications > New application.
  3. In the Add from the gallery section, type Akamai in the search box.
  4. Select Akamai from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Alternatively, you can also use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. Learn more about Microsoft 365 wizards.

Configure and test Microsoft Entra SSO for Akamai

Configure and test Microsoft Entra SSO with Akamai using a test user called B.Simon. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Akamai.

To configure and test Microsoft Entra SSO with Akamai, perform the following steps:

  1. Configure Microsoft Entra SSO - to enable your users to use this feature.
  2. Configure Akamai SSO - to configure the single sign-on settings on application side.
  3. Test SSO - to verify whether the configuration works.

Configure Microsoft Entra SSO

Follow these steps to enable Microsoft Entra SSO.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  2. Browse to Identity > Applications > Enterprise applications > Akamai > Single sign-on.

  3. On the Select a single sign-on method page, select SAML.

  4. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

    Edit Basic SAML Configuration

  5. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, enter the values for the following fields:

    a. In the Identifier text box, type a URL using the following pattern: https://<Yourapp>.login.go.akamai-access.com/saml/sp/response

    b. In the Reply URL text box, type a URL using the following pattern: https:// <Yourapp>.login.go.akamai-access.com/saml/sp/response

    Note

    These values are not real. Update these values with the actual Identifier and Reply URL. Contact Akamai Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section.

  6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer.

    The Certificate download link

  7. On the Set up Akamai section, copy the appropriate URL(s) based on your requirement.

    Copy configuration URLs

Create a Microsoft Entra test user

In this section, you'll create a test user called B.Simon.

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.
  2. Browse to Identity > Users > All users.
  3. Select New user > Create new user, at the top of the screen.
  4. In the User properties, follow these steps:
    1. In the Display name field, enter B.Simon.
    2. In the User principal name field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Select Review + create.
  5. Select Create.

Assign the Microsoft Entra test user

In this section, you'll enable B.Simon to use single sign-on by granting access to Akamai.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications > Akamai.
  3. In the app's overview page, select Users and groups.
  4. Select Add user/group, then select Users and groups in the Add Assignment dialog.
    1. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the screen.
    2. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see "Default Access" role selected.
    3. In the Add Assignment dialog, click the Assign button.

Configure Akamai SSO

Setting up IDP

AKAMAI EAA IDP Configuration

  1. Sign in to Akamai Enterprise Application Access console.

  2. On the Akamai EAA console, Select Identity > Identity Providers and click Add Identity Provider.

    Screenshot of the Akamai EAA console Identity Providers window. Select Identity Providers on the Identity menu and select Add Identity Provider.

  3. On the Create New Identity Provider perform the following steps:

    a. Specify the Unique Name.

    b. Choose Third Party SAML and click Create Identity Provider and Configure.

General Settings

In the General tab, enter the following information:

  1. Identity Intercept - Specify the name of the domain (SP base URL–will be used for Microsoft Entra Configuration).

    Note

    You can choose to have your own custom domain (will require a DNS entry and a Certificate). In this example we are going to use the Akamai Domain.

  2. Akamai Cloud Zone - Select the Appropriate cloud zone.

  3. Certificate Validation - Check Akamai Documentation (optional).

Authentication Configuration

  1. URL – Specify the URL same as your identity intercept ( this is where users are redirect after authentication).

  2. Logout URL : Update the logout URL.

  3. Sign SAML Request: default unchecked.

  4. For the IDP Metadata File, add the Application in the Microsoft Entra ID Console.

    Screenshot of the Akamai EAA console Authentication configuration showing settings for URL, Logout URL, Sign SAML Request, and IDP Metadata File.

Session Settings

Leave the settings as default.

Screenshot of the Akamai EAA console Session settings dialog.

Directories

In the Directories tab, skip the directory configuration.

Customization UI

You could add customization to IDP. In the Customization tab, there are settings for Customize UI, Language settings, and Themes.

Advanced Settings

In the Advanced settings tab, accept the default values. Refer Akamai documentation for more details.

Deployment

  1. In the Deployment tab, click on Deploy Identity Provider.

  2. Verify the deployment was successful.

Header Based Authentication

Akamai Header Based Authentication

  1. Choose Custom HTTP form the Add Applications Wizard.

    Screenshot of the Akamai EAA console Add Applications wizard showing CustomHTTP listed in the Access Apps section.

  2. Enter Application Name and Description.

    Screenshot of a Custom HTTP App dialog showing settings for Application Name and Description.

    Screenshot of the Akamai EAA console General tab showing general settings for MYHEADERAPP.

    Screenshot of the Akamai EAA console showing settings for Certificate and Location.

Authentication

  1. Select Authentication tab.

    Screenshot of the Akamai EAA console with the Authentication tab selected.

  2. Select Assign identity provider.

Services

Click Save and Go to Authentication.

Screenshot of the Akamai EAA console Services tab for MYHEADERAPP showing the Save and go to AdvancedSettings button in the bottom right corner.

Advanced Settings

  1. Under the Customer HTTP Headers, specify the CustomerHeader and SAML Attribute.

    Screenshot of the Akamai EAA console Advanced Settings tab showing the SSO Logged URL field highlighted under Authentication.

  2. Click Save and go to Deployment button.

    Screenshot of the Akamai EAA console Advanced Settings tab showing the Save and go to Deployment button in the bottom right corner.

Deploy the Application

  1. Click Deploy Application button.

    Screenshot of the Akamai EAA console Deployment tab showing the Deploy application button.

  2. Verify the Application was deployed successfully.

    Screenshot of the Akamai EAA console Deployment tab showing the Application status message: "Application Successfully Deployed".

  3. End-User Experience.

    Screenshot of the opening screen for myapps.microsoft.com with a background image and a Sign in dialog.

    Screenshot showing part of an Apps window with icons for Add-in, HRWEB, Akamai - CorpApps, Expense, Groups, and Access reviews.

  4. Conditional Access.

    Screenshot of the message: Approve sign in request. We've sent a notification to your mobile device. Please respond to continue.

    Screenshot of an Applications screen showing an icon for the MyHeaderApp.

Remote Desktop

  1. Choose RDP from the ADD Applications Wizard.

    Screenshot of the Akamai EAA console Add Applications wizard showing RDP listed among the apps in the Access Apps section.

  2. Enter Application Name, such as SecretRDPApp.

  3. Select a Description, such as Protect RDP Session using Microsoft Entra Conditional Access.

  4. Specify the Connector that will be servicing this.

    Screenshot of the Akamai EAA console showing settings for Certificate and Location. Associated connectors is set to USWST-CON1.

Authentication

In the Authentication tab, click Save and go to Services.

Services

Click Save and go to Advanced Settings.

Screenshot of the Akamai EAA console Services tab for SECRETRDPAPP showing the Save and go to AdvancedSettings button in the bottom right corner.

Advanced Settings

  1. Click Save and go to Deployment.

    Screenshot of the Akamai EAA console Advanced Settings tab for SECRETRDPAPP showing the settings for Remote desktop configuration.

    Screenshot of the Akamai EAA console Advanced Settings tab for SECRETRDPAPP showing the settings for Authentication and Health check configuration.

    Screenshot of the Akamai EAA console Custom HTTP headers settings for SECRETRDPAPP with the Save and go to Deployment button in the bottom right corner.

  2. End-User Experience

    Screenshot of a myapps.microsoft.com window with a background image and a Sign in dialog.

    Screenshot of the myapps.microsoft.com Apps window with icons for Add-in, HRWEB, Akamai - CorpApps, Expense, Groups, and Access reviews.

  3. Conditional Access

    Screenshot of the Conditional Access message: Approve sign in request. We've sent a notification to your mobile device. Please respond to continue.

    Screenshot of an Applications screen showing icons for the MyHeaderApp and SecretRDPApp.

    Screenshot of  Windows Server 2012 RS screen showing generic user icons. The icons for administrator, user0, and user1 show that they are Signed in.

  4. Alternatively, you can also directly Type the RDP Application URL.

SSH

  1. Go to Add Applications, Choose SSH.

    Screenshot of the Akamai EAA console Add Applications wizard showing SSH listed among the apps in the Access Apps section.

  2. Enter Application Name and Description, such as Microsoft Entra modern authentication to SSH.

  3. Configure Application Identity.

    a. Specify Name / Description.

    b. Specify Application Server IP/FQDN and port for SSH.

    c. Specify SSH username / passphrase *Check Akamai EAA.

    d. Specify the External host Name.

    e. Specify the Location for the connector and choose the connector.

Authentication

In the Authentication tab, click on Save and go to Services.

Services

Click Save and go to Advanced Settings.

Screenshot of the Akamai EAA console Services tab for SSH-SECURE showing the Save and go to AdvancedSettings button in the bottom right corner.

Advanced Settings

Click Save and to go Deployment.

Screenshot of the Akamai EAA console Advanced Settings tab for SSH-SECURE showing the settings for Authentication and Health check configuration.

Screenshot of the Akamai EAA console Custom HTTP headers settings for SSH-SECURE with the Save and go to Deployment button in the bottom right corner.

Deployment

  1. Click Deploy application.

    Screenshot of the Akamai EAA console Deployment tab for SSH-SECURE showing the Deploy application button.

  2. End-User Experience

    Screenshot of a myapps.microsoft.com window Sign in dialog.

    Screenshot of the Apps window for myapps.microsoft.com showing icons for Add-in, HRWEB, Akamai - CorpApps, Expense, Groups, and Access reviews.

  3. Conditional Access

    Screenshot showing the message: Approve sign in request. We've sent a notification to your mobile device. Please respond to continue.

    Screenshot of an Applications screen showing icons for MyHeaderApp, SSH Secure, and SecretRDPApp.

    Screenshot of a command window for ssh-secure-go.akamai-access.com showing a Password prompt.

    Screenshot of a command window for ssh-secure-go.akamai-access.com showing information about the application and displaying a prompt for commands.

Kerberos Authentication

In the below example we will publish an internal web server at http://frp-app1.superdemo.live and enable SSO using KCD.

General Tab

Screenshot of the Akamai EAA console General tab for MYKERBOROSAPP.

Authentication Tab

In the Authentication tab, assign the Identity Provider.

Services Tab

Screenshot of the Akamai EAA console Services tab for MYKERBOROSAPP.

Advanced Settings

Screenshot of the Akamai EAA console Advanced Settings tab for MYKERBOROSAPP showing settings for Related Applications and Authentication.

Note

The SPN for the Web Server has be in SPN@Domain Format ex: HTTP/frp-app1.superdemo.live@SUPERDEMO.LIVE for this demo. Leave rest of the settings to default.

Deployment Tab

Screenshot of the Akamai EAA console Deployment tab for MYKERBOROSAPP showing the Deploy application button.

Adding Directory

  1. Select AD from the dropdown.

    Screenshot of the Akamai EAA console Directories window showing a Create New Directory dialog with AD selected in the drop down for Directory Type.

  2. Provide the necessary data.

    Screenshot of the Akamai EAA console SUPERDEMOLIVE window with settings for DirectoryName, Directory Service, Connector, and Attribute mapping.

  3. Verify the Directory Creation.

    Screenshot of the Akamai EAA console Directories window showing that the directory superdemo.live has been added.

  4. Add the Groups/OUs who would be require access.

    Screenshot of the settings for the directory superdemo.live. The icon that you select for adding Groups or OUs is highlighted.

  5. In the below the Group is called EAAGroup and has 1 Member.

    Screenshot of the Akamai EAA console GROUPS ON SUPERDEMOLIVE DIRECTORY window. The EAAGroup with 1 User is listed under Groups.

  6. Add the Directory to your Identity Provider by clicking Identity > Identity Providers and click on the Directories Tab and Click on Assign directory.

Configure KCD Delegation for EAA Walkthrough

Step 1: Create an Account

  1. In the example we will use an account called EAADelegation. You can perform this using the Active Directory users and computer Snappin.

    Note

    The user name has to be in a specific format based on the Identity Intercept Name. From the figure 1 we see it is corpapps.login.go.akamai-access.com

  2. User logon Name will be:HTTP/corpapps.login.go.akamai-access.com

    Screenshot showing EAADelegation Properties with First name set to "EAADelegation" and User logon name set to HTTP/corpapps.login.go.akamai-access.com.

Step 2: Configure the SPN for this account

  1. Based on this sample the SPN will be as below.

  2. setspn -s Http/corpapps.login.go.akamai-access.com eaadelegation

    Screenshot of an Administrator Command Prompt showing the results of the command setspn -s Http/corpapps.login.go.akamai-access.com eaadelegation.

Step 3: Configure Delegation

  1. For the EAADelegation account click on the Delegation tab.

    Screenshot of an Administrator Command Prompt showing the command for configuring the SPN.

    • Specify use any authentication Protocol.
    • Click Add and Add the App Pool Account for the Kerberos Website. It should automatically resolve to correct SPN if configured correctly.

Step 4: Create a Keytab File for AKAMAI EAA

  1. Here is the generic Syntax.

  2. ktpass /out ActiveDirectorydomain.keytab /princ HTTP/yourloginportalurl@ADDomain.com /mapuser serviceaccount@ADdomain.com /pass +rdnPass /crypto All /ptype KRB5_NT_PRINCIPAL

  3. Example explained

    Snippet Explanation
    Ktpass /out EAADemo.keytab // Name of the output Keytab file
    /princ HTTP/corpapps.login.go.akamai-access.com@superdemo.live // HTTP/yourIDPName@YourdomainName
    /mapuser eaadelegation@superdemo.live // EAA Delegation account
    /pass RANDOMPASS // EAA Delegation account Password
    /crypto All ptype KRB5_NT_PRINCIPAL // consult Akamai EAA documentation
  4. Ktpass /out EAADemo.keytab /princ HTTP/corpapps.login.go.akamai-access.com@superdemo.live /mapuser eaadelegation@superdemo.live /pass RANDOMPASS /crypto All ptype KRB5_NT_PRINCIPAL

    Screenshot of an Administrator Command Prompt showing the results of the command for creating a Keytab File for AKAMAI EAA.

Step 5: Import Keytab in the AKAMAI EAA Console

  1. Click System > Keytabs.

    Screenshot of the Akamai EAA console showing Keytabs being selected from the System menu.

  2. In the Keytab Type choose Kerberos Delegation.

    Screenshot of the Akamai EAA console EAAKEYTAB screen showing the Keytab settings. The Keytab Type is set to Kerberos Delegation.

  3. Ensure the Keytab shows up as Deployed and Verified.

    Screenshot of the Akamai EAA console KEYTABS screen listing the EAA Keytab as "Keytab deployed and verified".

  4. User Experience

    Screenshot of the Sign in dialog at myapps.microsoft.com.

    Screenshot of the Apps window for myapps.microsoft.com showing App icons.

  5. Conditional Access

    Screenshot showing an Approve sign in request message. the message.

    Screenshot of an Applications screen showing icons for MyHeaderApp, SSH Secure, SecretRDPApp, and myKerberosApp.

    Screenshot of the splash screen for the myKerberosApp. The message "Welcome superdemo\user1" is displayed over a background image.

Create Akamai test user

In this section, you create a user called B.Simon in Akamai. Work with Akamai Client support team to add the users in the Akamai platform. Users must be created and activated before you use single sign-on.

Test SSO

In this section, you test your Microsoft Entra single sign-on configuration with following options.

  • Click on Test this application, and you should be automatically signed in to the Akamai for which you set up the SSO.

  • You can use Microsoft My Apps. When you click the Akamai tile in the My Apps, you should be automatically signed in to the Akamai for which you set up the SSO. For more information about the My Apps, see Introduction to the My Apps.

Next steps

Once you configure Akamai you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Defender for Cloud Apps.