How-To Guide: Okta and Akamai Integration

Shalom Carmel Chief Information Officer at GlobalDots

Unlike many other applications, Okta doesn’t have a ready-made SAML integration for Akamai SSO, and getting it to work requires an extra step through Okta’s API.

Allow us to save you a few hours with this step-by-step guide. You’re welcome!


These are the steps needed in Okta’s UI:

1. Create a new SAML2.0 app in Okta

2. Give it a name and a logo and continue to Configure SAML

3. Fill the following:

  1. Single sign on URL is https://control.akamai.com/ids-sso/v1/sp/login
  2. Audience URI is https://control.akamai.com
Screenshot: configuration settings for the SAML integration, including Single Sign-On URL, Audience URI and application username options.

Continue, provide Okta feedback (optional) and Finish and we’re ready to move on to the fun part.

Steps needed in Okta’s APIs:

Okta’s certificates are valid for 10 years by default. Akamai doesn’t trust certificates whose expiry date is more than 5 years out. Something needs to be done! This tutorial uses Postman, so if you want to follow it, download and install Postman and Okta’s Apps Postman collection: https://app.getpostman.com/run-collection/4857222012c11cf5e8cd
I’ll also provide quick and dirty curl commands.

  1. Create an API token in Okta (security -> API -> Create Token) and save it somewhere safe
  2. Go to the newly created application, and from the url copy the part after /instance/ and before /# and save it somewhere safe. This is your application id
  3. If you’re using postman, add/update your environment variables to match the following:
    a. url with your Okta domain (in my case – globaldots.okta.com)
    b. appId with your application ID
    c. APIKEY with your API token
  4. Select “Certificate Operations” and “Generate Certificate” – PREPEND HTTPS TO THE REQUEST, change the validityYears parameter to 5 (Akamai’s max) and hit Send.
    a. Curl alternative for the lazy – replace oktaDomain with your Okta domain, appId with your application ID and APIKEY with your API token (the Host, User-Agent and cache headers Postman adds are not needed):

    curl -X POST \
      'https://{{oktaDomain}}/api/v1/apps/{{appId}}/credentials/keys/generate?validityYears=5' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -H 'Content-Length: 0' \
      -H 'Authorization: SSWS {{APIKEY}}'


  5. From the response, grab the key id (kid) and save it somewhere
  6. Send another API call to get the full app details and note the name, label and signOnMode parameters. In Postman select “Get App”; in curl use:

    curl -X GET \
      'https://{{oktaDomain}}/api/v1/apps/{{appId}}' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -H 'Authorization: SSWS {{APIKEY}}' \
      --compressed

  7. To update the certificate we just created, use “Update Application Certificate” in Postman, navigate to the “Body” tab and replace {{keyId}} with the kid you got on step 4. Again prepend HTTPS and fill in the rest of the application details (name, label and signOnMode from step 6).
    a. Curl alternative:

    curl -v -X PUT \
      'https://{{oktaDomain}}/api/v1/apps/{{appId}}' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -H 'Authorization: SSWS {{APIKEY}}' \
      -d '{
        "name": "{{appname}}",
        "label": "{{label}}",
        "signOnMode": "SAML_2_0",
        "credentials": {
          "signing": {
            "kid": "{{keyId}}"
          }
        }
      }'

    Go back to Okta’s UI, open your newly created app, and copy the Identity Provider metadata URL to your clipboard.
  8. Open Akamai’s Control Panel and navigate to Identity -> manage sso
  9. Create a new configuration and paste the metadata URL under “Load metadata from a URL”

Done! By default SSO is enabled but not enforced, so on sign in you can decide how you want to log in. You can force SSO if you want to.
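The three API calls above (generate a 5-year key, read the app, attach the new kid) can be scripted so the rotation is repeatable when the certificate next approaches expiry. The script below is an added example written for this guide, not Okta’s tooling or the original post’s code. It uses only the Python standard library, builds the same requests as the curl commands (minus the Postman-captured Host, User-Agent, Cookie and Referer headers), and adds one check a practitioner wants: before attaching the key it verifies that Okta’s expiresAt really falls within Akamai’s 5-year limit, so a misconfigured validityYears cannot silently produce metadata Akamai will reject. The `send` parameter, the `FakeOkta` class and all sample values (domain, app ID, token, kid, app name) are constructed assumptions for offline use; `urllib_send` is what runs against a real tenant.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Akamai will not accept an IdP signing certificate valid for more than this many years.
AKAMAI_MAX_VALIDITY_YEARS = 5


def okta_request(method, url, token, body=None):
    """Build (method, url, headers, data) for an Okta API call.

    Only the headers the API needs are sent; the Host, User-Agent, Cookie and
    Referer headers Postman captured in the guide are deliberately omitted."""
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"SSWS {token}",
    }
    data = None if body is None else json.dumps(body).encode()
    if method == "POST" and data is None:
        headers["Content-Length"] = "0"  # bodiless POST, as in the guide's generate call
    return method, url, headers, data


def urllib_send(method, url, headers, data):
    """Default transport: perform the HTTPS call and decode the JSON reply."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def parse_okta_timestamp(value):
    """Okta timestamps look like '2028-06-01T00:00:00.000Z'; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validity_limit(now, max_years=AKAMAI_MAX_VALIDITY_YEARS):
    """Latest acceptable expiry: exactly max_years after now (29 Feb rolls back to 28)."""
    try:
        return now.replace(year=now.year + max_years)
    except ValueError:
        return now.replace(year=now.year + max_years, day=28)


def validity_ok(key, now=None, max_years=AKAMAI_MAX_VALIDITY_YEARS):
    """True if the key's expiresAt is within Akamai's limit, measured from now."""
    if now is None:
        now = datetime.now(timezone.utc)
    return parse_okta_timestamp(key["expiresAt"]) <= validity_limit(now, max_years)


def rotate_signing_key(okta_domain, app_id, token, send=urllib_send, now=None):
    """Steps 4, 6 and 7 of the guide; returns the kid the app now signs with."""
    base = f"https://{okta_domain}/api/v1/apps/{app_id}"

    # Step 4: generate a new key pair and certificate with a 5-year validity.
    generate_url = f"{base}/credentials/keys/generate?validityYears={AKAMAI_MAX_VALIDITY_YEARS}"
    key = send(*okta_request("POST", generate_url, token))
    # Check, rather than trust, that the validity was honoured: attaching a
    # longer-lived key would make Akamai reject the metadata later.
    if not validity_ok(key, now):
        raise ValueError(
            f"key {key['kid']} expires {key['expiresAt']}, beyond Akamai's "
            f"{AKAMAI_MAX_VALIDITY_YEARS}-year limit"
        )

    # Step 6: read the app so the PUT carries the required name, label and signOnMode.
    app = send(*okta_request("GET", base, token))

    # Step 7: point the app's SAML signing credential at the new kid.
    payload = {
        "name": app["name"],
        "label": app["label"],
        "signOnMode": app["signOnMode"],
        "credentials": {"signing": {"kid": key["kid"]}},
    }
    updated = send(*okta_request("PUT", base, token, payload))
    return updated["credentials"]["signing"]["kid"]


class FakeOkta:
    """Constructed stand-in for the Okta API so the flow can be exercised offline."""

    def __init__(self, expires_at):
        self.expires_at = expires_at
        self.calls = []
        self.app = {  # constructed sample app with the fields the guide says to note
            "name": "example_saml_app",
            "label": "Akamai Control Center",
            "signOnMode": "SAML_2_0",
            "credentials": {"signing": {"kid": "old-kid"}},
        }

    def __call__(self, method, url, headers, data):
        self.calls.append((method, url))
        if not headers["Authorization"].startswith("SSWS "):
            raise PermissionError("missing SSWS token")
        if method == "POST":
            return {"kid": "new-kid-constructed", "kty": "RSA", "use": "sig",
                    "expiresAt": self.expires_at}
        if method == "PUT":
            self.app.update(json.loads(data))
        return self.app


if __name__ == "__main__":
    fake = FakeOkta("2028-06-01T00:00:00.000Z")  # constructed: expires exactly 5 years out
    kid = rotate_signing_key("example.okta.com", "0oaEXAMPLEAPPID", "example-token",
                             send=fake, now=datetime(2023, 6, 1, tzinfo=timezone.utc))
    print("app now signs with", kid)
```

Against a real tenant, call `rotate_signing_key(your_domain, app_id, api_token)` with the defaults and keep the API token out of the command line and shell history (read it from an environment variable or a secrets store); the token has full admin rights on the apps API, which is why the guide tells you to store it somewhere safe. Because the function re-reads name, label and signOnMode from the app before the PUT, it cannot accidentally rename or re-mode the application the way a hand-edited Postman body can.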
