(Direct link to download the Akamai EAA Connector for NAM: v1.0.5, "EAA Connector for NAM")
Akamai Enterprise Application Access (EAA) is a hybrid (cloud and on-premise) solution that shifts the attack surface of a DMZ into a secure cloud bastion.
The whole idea is to control and secure access without any distinction between internal and external users, following the paradigm of the Zero Trust model.
https://securityintelligence.com/the-zero-trust-model-for-living-in-a-hacked-world/
In brief, EAA is a big cloud reverse proxy that uses on-premise gateway(s) to bridge into the enterprise network, without opening anything inbound on the firewall.
Thanks to federation and the SAML2 protocol, NetIQ Access Manager and Akamai EAA can be integrated in a hybrid cloud access management project.
Having worked a lot on NAM these past years, I can say EAA offers something that everyone who has deployed NAM in a complex environment would love: securely publishing the NAM Identity Server on the Internet in a matter of minutes, and in this way bypassing the firewall/proxy/WAF/VLAN/router/... issues that are a common pain.
Of course this raises the discussion of whether or not to offload part of the DMZ, but let's not drown in it and instead walk through some configuration to show what it does.
Providing remote access to applications through EAA also requires providing remote access to the NAM IDP, since it serves the authentication page and the SAML endpoint to the client web browser.
This brings two architecture cases:
In this article I will explain the configuration using case 2: publishing the NAM IDP with the help of EAA.
Using the above schema, here is the access scenario of an end-user client accessing "app1.go.akamai-access.com" (the EAA edge proxy of the application) for the first time in their session. This is basically a classic SAML SP-initiated scenario, but it is always good to write down the basics to be sure we understand every request happening there.
The NAM IDP server listens by default on TCP port 8443, so I suggest mapping it to TCP 443 in the EAA application configuration and avoiding/removing any previous workaround, such as an extra proxy or script, that did this.
In your EAA Management Console:
Prerequisite:
Preparation:
https://<nam-idp-fqdn>/nidp/saml2/metadata
In your EAA Management Console:
To configure the NetIQ Access Manager IDP, there are two ways:
This solution is better suited if you don't know much about NAM IDP configuration, as it is easier.
In NAM Administration Console:
In NAM Administration Console - https://<nam-console>:8443/nps (be careful: most of the time the NAM Administration Console is not hosted on the same server; check with the admin team):
Remark:
Signed SAML requests allow the NAM IDP to verify the authenticity of the EAA Login SP sending a request, so the request cannot be forged by someone else, as only the EAA Login SP holds the private key of the signing certificate.
This is not a mandatory feature but a nice to have, because what matters first is the SP trusting the IDP: the IDP's authenticity is the most important. Since the IDP tells EAA the identity and the authorization info of the client, that trust has to be strong, or anyone could steal any identity by forging a SAML assertion.
(Remark: both the SHA1 and SHA2 hash algorithms are available; the default is SHA2.)
In order to test the federation set up between NAM and EAA, you have to configure at least one application that will be accessible only if authenticated against the NAM IDP.
To do so, go to the EAA Management Console:
In order to provide optimal authorization and complete the full "chain of access control", EAA should also enforce rules to prevent access to certain applications.
To achieve this:
Prerequisite:
To do so, go to the EAA Management Console: