Add Okta as an Identity Provider in EAA

Log in to the Akamai Luna Control Center with administrative privileges and select the contract that is provisioned for Enterprise Application Access (EAA). In the selected contract, click CONFIGURE, then click Enterprise Application Access in the list of Akamai products. Luna redirects you to the EAA management console.

In the EAA management portal, click Identity Providers, then click Identity Providers again to open the configuration menu. Click Add Identity Provider to add Okta as a SAML IdP. In the Create New Identity Provider box, enter the following:

a. Name and Description: enter a name (we used Okta in our example) and a description.
b. Provider Type: select Okta from the dropdown menu.
c. Click Create Identity Provider and Configure.
A new configuration page appears. Enter the following:

a. Identity Intercept: enter the custom or Akamai hostname that identifies the Service Provider (SP); the SP Base URL and ACS URL are derived from it. Note: if you choose the Use your domain option, create the CNAME record in your external DNS exactly as generated by the UI, and upload and use your own certificate for the custom domain.
b. Akamai Cloud Zone: select the EAA cloud zone closest to your users from the dropdown menu.
c. Certificate Authentication (optional): select the checkbox and configure the required parameters if you want to enable client certificate authentication.
d. URL: enter your Okta subdomain (we used acme in our example).
e. Logout URL: sign in to the Okta Admin Dashboard to obtain this value, then copy and paste the logout URL from the Okta Admin Dashboard.
f. Sign SAML Request (optional):
   i. In the SP-initiated flow, if Okta is configured to require signed SAML requests, enable this checkbox so that EAA signs the SAML authentication request (AuthnRequest) it sends to Okta. Note that it is the request that EAA signs; the assertion is always produced and signed by Okta.
   ii. Encrypted SAML Response: enable this checkbox if Okta sends encrypted SAML responses to EAA (the SP), and configure the certificate required for encrypted responses. Signing and encryption must be configured consistently on both sides: whatever you enable here has to match the corresponding settings of the Okta application, or the SAML exchange fails.
g. Upload IdP Metadata File: click Choose File and upload the metadata.xml file you downloaded from the Okta dashboard for the Akamai EAA SAML SP endpoint. This metadata carries Okta's entity ID, SSO URL and signing certificate, which EAA uses to validate the signature on the assertions it receives, so make sure it comes from the correct Okta application.
h. Leave the Session Settings at their defaults and click Save & Exit.
Assigning the Okta Identity Provider to a New or Existing Application in EAA and Configuring Attribute Mapping

For access applications, EAA can provide single sign-on (SSO) to the protected application using custom HTTP headers. EAA takes the attributes it receives in the SAML assertion from Okta and injects them into the request to the application as custom HTTP headers with the names you configure (these are separate from the X-Forwarded-For header, which carries the client IP). Because the application trusts these headers as the user's identity, it must accept them only on requests that arrive through EAA; if clients can reach the application directly, they can set the same headers themselves.
In your EAA access application configuration, select the AUTHENTICATION tab, then click Assign Identity Provider (new application) or Change Identity Provider (existing application) and select Okta as the identity provider. Click Save, go to the ADVANCED SETTINGS tab and scroll down to the Custom HTTP Headers section. Configure the attribute mapping as follows:

o Header Name: enter the header name the application expects.
o Attribute: select Custom, then enter the SAML attribute name (see List of Supported Attributes below).

In our example we added three headers, FirstName, LastName and Department, and mapped them to the FirstName, LastName and custom1 attributes of the SAML assertion received from Okta. After configuring the custom HTTP headers, save and deploy the application configuration. Done. For more information on setting up your first application on the Akamai Enterprise Application Access platform, see the EAA Quick Start Guide.
Okta Configuration

Notes: depending on the application configuration, SP-initiated flows, IdP-initiated flows and Just-In-Time (JIT) provisioning are all supported.

For IdP-initiated flows, follow the instructions at http://saml-doc.okta.com/saml_docs/simulating-an-idp-initiated-flowwith-the-bookmark-app.html and use the Akamai application URL in the Okta Bookmark app's URL field.

For SP-initiated flows, open your application URL.

List of Supported Attributes

Okta sends the following attributes as part of the SAML assertion: FirstName and LastName, mapped to the corresponding fields of the Okta base user profile. In addition to these default attributes, Okta supports five custom attributes: custom1, custom2, custom3, custom4 and custom5. The following example shows how to add and use an additional custom attribute. In Okta, navigate to Directory > Profile Editor.
Search for the Akamai Enterprise Application Access app and click Profile. Click Add Attribute and enter the following:

Display Name: enter the preferred attribute name (we used Department in our example).
Variable Name: enter custom1 for the first attribute; further attributes use custom2, custom3, custom4 or custom5.

Click Add Attribute if you are adding a single attribute, or Save and Add Another to add more.

Note: Scope (optional): if you check User personal, the attribute is available only when the user is assigned to the Akamai Enterprise Application Access app individually; it is not available when the user is assigned to the app through a group.
Click Map Attributes and select the Okta to Akamai Enterprise Application Access tab. Start typing the attribute from the Okta base user profile (or pick it from the dropdown list) and select the attribute you want to map; in our example we selected the Department attribute. Then click the green arrow (Apply mapping on user create and update). Click Save Mappings, then click Apply updates now.
Okta now passes the custom1 attribute with the value of the Department field from the Okta base user profile. Use custom1 as the SAML attribute name when mapping custom HTTP headers in the Akamai Enterprise Application Access application configuration described above.

User Groups

Select the Sign On tab for the Akamai Enterprise Application Access app, then click Edit. Select a group filter for the Group attribute; in our example we used the Regex rule (Matches regex) with the value .* so that all of the user's groups are sent to the Akamai instance. Click Save. A filter as broad as .* discloses every group the user belongs to, including groups unrelated to EAA, so if the application only needs specific groups, narrow the filter to them.
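To make the data flow concrete, here is an added example (not Akamai's or Okta's code, and not part of the original how-to) that models the two mapping steps above: it pulls the attributes out of a constructed Okta-style SAML assertion, applies the EAA custom header mapping from the example (FirstName, LastName, Department -> FirstName, LastName, custom1), and applies a group filter like the one configured on the Okta Sign On tab. The assertion, the user values and the group names are all made up; the group filter is modelled as a full-string regular-expression match, which is an assumption about how Okta evaluates the Matches regex rule. Signature validation and decryption are deliberately left out, since EAA performs them before any header is injected.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion, shaped like the AttributeStatement Okta
# sends for a user of the Akamai EAA app. All values are made up.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML_NS}" ID="_example" Version="2.0"
    IssueInstant="2020-01-01T00:00:00Z">
  <saml2:Issuer>http://www.okta.com/exk-example</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>jdoe@acme.example</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="LastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="custom1"><saml2:AttributeValue>Engineering</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="Group">
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
      <saml2:AttributeValue>eaa-admins</saml2:AttributeValue>
      <saml2:AttributeValue>okta-finance</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# The EAA Custom HTTP Headers mapping from the how-to: header name -> SAML attribute name.
HEADER_MAPPING = {
    "FirstName": "FirstName",
    "LastName": "LastName",
    "Department": "custom1",
}


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    Multi-valued attributes (such as Group) keep every AttributeValue.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def filter_groups(groups, pattern):
    """Model of the Okta group attribute filter: keep groups matching the regex.

    Assumption: the rule is evaluated as a full-string match, so '.*' passes
    every group and 'eaa-.*' passes only groups with the eaa- prefix.
    """
    rx = re.compile(pattern)
    return [g for g in groups if rx.fullmatch(g)]


def build_headers(attrs, mapping):
    """Turn single-valued SAML attributes into the custom HTTP headers EAA injects.

    A header whose attribute is absent from the assertion is omitted rather
    than sent empty, so the application can tell 'missing' from 'blank'.
    """
    headers = {}
    for header_name, attr_name in mapping.items():
        values = attrs.get(attr_name)
        if values:
            headers[header_name] = values[0]
    return headers


if __name__ == "__main__":
    attributes = extract_attributes(SAMPLE_ASSERTION)
    print("headers injected toward the application:", build_headers(attributes, HEADER_MAPPING))
    print("groups with filter '.*':     ", filter_groups(attributes["Group"], ".*"))
    print("groups with filter 'eaa-.*': ", filter_groups(attributes["Group"], "eaa-.*"))
```

Running the script shows why the .* filter is worth a second look: it forwards Everyone and okta-finance alongside eaa-admins, whereas a prefix filter such as eaa-.* limits what the application learns to the groups it actually uses.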