images
figures
Blog How-To Guides

How-To Guide: Okta and Akamai Integration

Dror Arie
05.01.2021
image 3 Min read
Identity & Access Management (IAM)

Unlike many other applications, Okta doesn’t have a ready-made SAML integration for Akamai for SSO, and getting it to work requires another step in Okta’s API.

Allow us save you a few hours with this step-by-step guide. You’re welcome!

These are the steps needed in Okta’s UI:

1. Create a new SAML2.0 app in Okta

1-1

2. Give it a name and a logo and continue to Configure SAML

3. Fill the following:

  1. Single sign on URL is https://control.akamai.com/ids-sso/v1/sp/login
  2. Audience URI is https://control.akamai.com

2-1

Continue, provide Okta feedback (optional) and Finish and we’re ready to move on to the fun part.

Steps needed in Okta’s APIs:

Okta’s certificates are valid for 10 years by default. Akamai doesn’t trust certificates who’s expiry date is over 5 years. Something needs to be done! This tutorial uses Postman, so if you want to follow it, download and install Postman and Okta’s Apps postman collection https://app.getpostman.com/run-collection/4857222012c11cf5e8cd
I’ll also provide quick and dirty curl commands

  1. Create an API token in Okta (security -> API -> Create Token) and save it somewhere safe
  2. Go to the newly created application, and from the url copy the part after /instance/ and before /# and save it somewhere safe. This is your application id
  3. If you’re using postman, add/update your environment variables to match the following:
    a. url with your Okta domain (in my case – globaldots.okta.com)
    b. appId with your application ID
    c. Apikey with your api token
  4. Select “Certificate Operations” and “Generate Certificate” – PREPEND HTTPS TO THE REQUEST, change validity Years parameter to 5 (Akamai’s max) and hit Send.
    a. Curl alternative for the lazy – replace okta Domain with your domain, appid with appid, API key with API key

    curl -X POST
    'https://{{oktaDomain}}/api/v1/apps/{{appId}}/credentials/keys/generate?validityYears=5'
    -H 'Accept: application/json'
    -H 'Accept-Encoding: gzip, deflate'
    -H 'Authorization: SSWS {{APIKEY}}'
    -H 'Cache-Control: no-cache'
    -H 'Connection: keep-alive'
    -H 'Content-Length: 0'
    -H 'Content-Type: application/json'
    -H 'Host: {{oktaDomain}}'
    -H 'User-Agent: PostmanRuntime/7.19.0'
    -H 'cache-control: no-cache'
                         

  5. From the response, grab the key id (kid) and save it somewhere
  6. Send another API call to get the full app details and note the app name, label and SignOnMode parameters. In Postman select “Get App” and in curl use:curl -X GET
    https://{{oktatenant}}/api/v1/apps/{{appId}}
    -H 'Accept: application/json'
    -H 'Accept-Encoding: gzip, deflate'
    -H 'Authorization: SSWS {{API token}}'
    -H 'Cache-Control: no-cache'
    -H 'Connection: keep-alive'
    -H 'Content-Type: application/json'
    -H 'Cookie: JSESSIONID=D0C79026910B893FA804BA0A6868E373'
    -H 'Referer: http://{{oktatenant}}/api/v1/apps/{{appId}}'
    -H 'cache-control: no-cache’ --compressed
                         
  7. To update the certificate we just created, use “Update Application Certificate” in postman, navigate to the “Body” tab and replace {{keyId}} with the kid you got on stage 4. Again prepend with HTTPS, fill in the rest of the application details
    1. curl -v -X PUT
      -H "Accept: application/json"
      -H "Content-Type: application/json"
      -H "Authorization: SSWS ${api_token}"
      -d '{
      "name": “{{appname}}",
      "label": “{{label}}",
      "signOnMode": "SAML_2_0",
      "credentials": {
      "signing": {
      "kid": “${kid}"
      }
      }
      }' "https://${yourOktaDomain}/api/v1/apps/${aid}”

      Go back to Okta’s UI, open your newly created app, and copy the Identity provider metadata URL to your clipboard
      3-1
  8. Open Akamai’s Control Panel and navigate to Identity -> manage sso
  9. Create a new configuration and paste the metadata URL under “Load metadata from a URL”

4-1

Done! By default SSO is enabled but not enforced, so on sign in you can decide how you want to log in. You can force SSO if you want to.

5

 

Comments

0 comments

There’s more to see

slider item
Identity & Access Management (IAM)
GlobalDots Featured on Nasdaq
Dror Arie 13.09.21

Dror Arie, senior solution engineer at GlobalDots, is a pioneer in employee onboarding automation using IT workflows. In his Nasdaq guest article, he answers some key questions on one of the most crucial, yet overlooked, elements of employer branding: The employee onboarding experience. Why is onboarding overlooked in the employee lifecycle? Employers believe that their […]

Read more
slider item
Identity & Access Management (IAM)
Automating Hypergrowth with Okta: The Pagaya Case Study
Dror Arie 12.09.21

HR professionals usually agree that proper employee onboarding is a 90-day process. Stats mentioning 7 days are therefore responded to with horror, or at least great concern. But, a great deal of employee onboarding – namely the IT part of it – can actually be automated. Imagine account provisioning by role and team rolling out […]

Read more
slider item
Identity & Access Management (IAM)
The good, the good-old and the biometric: 5 Passwordless options compared
Dror Arie 25.08.21

Passwords are obsolete. Memorizing long and complicated passwords has been holding back businesses for over 50 years, while cyberattacks are evolving every day. ¹ In fact, Google has registered over 2 million phishing sites as of January 2021. The figure is up from 1.7 million in January 2020, a 27% increase year on year. ² […]

Read more

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.
Contact us
figure figure figure figure figure

Don’t Fortify. Amplify | Cloud Security Reimagined