How to Configure SAML 2.0 for Akamai Enterprise Application Access


This document includes the following topics:

Supported Features

Depending on the custom application configuration, the Okta/Akamai Enterprise Application Access SAML integration currently supports the following features:

Add Okta as an Identity Provider in Akamai Enterprise Application Access

  1. Log in to Akamai Luna control center with administrative privileges.

  2. Select the correct contract that is provisioned for Enterprise Application Access (EAA).

  3. In the selected contract, click CONFIGURE, then select Enterprise Application Access from the available list of Akamai products.

  4. The Akamai Luna control center will redirect you to EAA management console.

  5. In the EAA management console, select Applications > Identity Providers:

  6. akamai_1.png

  7. In the Identity Providers configuration menu, click Add Identity Provider, to add OKTA as a SAML IdP.

  8. In the Create New Identity Providers box, enter the following:

    • Name and Description: Enter a name (we used OKTA in our example) and description.

    • Provider Type: Select Okta from the dropdown menu.

    • Click Create Identity Provider and Configure.


  9. A new configuration pages appears. Enter the following:

    • General Settings:

      • Identity Intercept: Enter custom or Akamai domain to identify the Service Provider’s Base URL or ACS URL.

        • Note: If you choose Use your domain option, also configure the CNAME in your external DNS as generated by the UI.

        • Note: Upload and use your own certificate for custom domain.

      • Akamai Cloud Zone: Select the EAA Cloud zone from the dropdown menu closest to the users.

      • Certificate Authentication (Optional): Select the checkbox and configure required parameters if you want to enable Client Certificate authentication.


    • Authentication Configuration:

      • URL (Optional): Enter your Okta subdomain (we used acme in our example).

      • Logout URL: Sign into the Okta Admin Dashboard to generate this variable. Copy and paste the logout url from OKTA Admin dashboard.

      • Sign SAML Request (Optional): In a SP-initiated flow, if OKTA requires Signed SAML request, then you can enable this checkbox which will send the signed SAML assertion to OKTA.

      • Encrypted SAML Response: Enable this if OKTA sends encrypted SAML response to EAA (SP). Use the certificate required to encrypt responses.

      • Upload IDP Metadata File: Click Choose File to locate, then upload the metadata.xml file you have downloaded from OKTA dashboard for Akamai EAA SAML SP endpoint.


    • Session Settings:

      • Leave the Session Settings default values, then click Save & Exit:


Assign OKTA Identity Provider to a New/Existing Application in EAA and Configure Attributes Mapping

For access applications, EAA can provide Single Sign On (SSO) using custom headers. EAA uses various attributes, it receives as part of SAML assertion from OKTA and injects X-forwarded-for headers with custom attributes.

  1. In your EAA access application configuration, select the AUTHENTICATION tab, then click Assign Identity Provider for new applications or Change Identity Provider for existing applications:


  2. Select the OKTA as the Identity Provider:


  3. Click save, select the ADVANCED SETTINGS tab, then scroll down to the Custom HTTP Headers section:

  4. Configure attribute mapping as follows:

    • Header Name: Enter a required header name.

    • Attribute: Select Custom.


  5. Enter appropriate SAML attribute name(s).

    See the List of Supported Attributes. In our example below we added three headers (FirstName, LastName, Department) and mapped them to the FirstName, LastName and custom1 attributes from the SAML assertion received from OKTA.


  6. After configuring custom HTTP headers, save and deploy the the application configuration.

  7. Done!

You can find more information on how to setup your first application with the Akamai Enterprise Application Access platform in the EAA Quick Start Guide.


IDP-initiated SSO

Follow the instructions here: Simulating an IDP-initiated Flow with the Bookmark App. Use the Akamai application URL for the Okta Bookmark app URL field.

SP-initiated SSO

Open your application URL.

List of Supported Attributes

Okta sends the following attributes as part of the SAML assertion: FirstName, LastName. These attributes are mapped to the corresponding fields in the Okta Base User Profile.

In addition to the default attributes, Okta supports the following five custom attributes: custom1, custom2, custom3, custom4, custom5.

Here is an example describing how to add and use additional custom attributes:

  1. In Okta, navigate to Directory > Profile Editor.

  2. Search for the Akamai Enterprise Application Access app, then click Profile.


  3. Click Add Attribute, then enter the following:

    • Display Name: Enter the preferred attribute name. In our example we used Department.

    • Variable Name: If you are adding one attribute, enter custom1; for other attributes the value will be custom2, custom3, custom4, or custom5.

    • Click either Add Attribute if you are adding just one attribute, or Save and Add Another to add more.

    • Note: Scope (optional): If you check user personal, the current attribute will be available once you assign the user to the Akamai Enterprise Application Access app and will not be available once you assign the group to the app.


  4. Click Map Attributes:


  5. Select the Okta to Akamai Enterprise Application Access tab, then do the following:

    • Start typing the required attribute from the Okta base user profile (or use the dropdown list) and select the attributes you want to map.

    • In our example, we have selected the Department attribute, then the green arrows (Apply mapping on user create and update).

    • Click Save Mappings.


  6. Click Apply updates now:


  7. Now Okta will pass custom1 attribute with the value of the Department field from the Okta base user profile.

  8. You can use the custom1 attribute key for the SAML attribute name during attributes mapping in the Akamai Enterprise Application Access (step 4).

User Groups

  1. Select the Sign On tab for the Akamai Enterprise Application Access, then click Edit:

    • Select a preferred group filter for the Group attribute (the Regex rule with the value ".*" in order to send *all* groups to the Akamai instance we used in our example).

    • Click Save.