FAQ

• Attributes that start with urn:oid
• Configuring OpenAthens LA as an authentication provider for OpenAthens MD
• Ephemeral key size error on the latest browsers
• Glossary
• How to attach a runtime
• How to backup and restore administration console databases
• How to connect to Adobe Creative Cloud Enterprise
• How to connect to a federation
• How to connect to G Suite
• How to connect to OpenAthens MD
• How to create attributes for specific Service Providers
• How to deny access to users in various ways
• How to link directly to a service
• How to reattach a runtime
• LDAP ports and searching the Global Catalogue vs Searching the Domain
• What are the differences between LA and MD
• What are the prerequisites for installing OpenAthens LA
• What happens during a publish
• What is a federation
• What is federated access management
• What is OpenAthens LA and should I use it
• What to do if a federation changes its certificate
• What to tell service providers about OpenAthens LA
• Where the logs are on the servers
• Why it is better to use the IdP than the proxy whenever you can

Questions with short answers:

Browser requirements

It is a good idea to always use the most recent version of any browser. Whilst older versions of browsers will often work, we do not encourage their use.

Can I change my entityID?

This can be done on the configurations > connections settings page, but has significant implications if you are live as all federations and service providers would also need to make updates, and your users would appear to be new people.

Can I use OpenAthens LA in the OpenAthens federation?

Not directly. OpenAthens LA can be used as an authentication provider for OpenAthens MD, however you may find that OpenAthens MD's newer local connectors now make that the better solution for you. See: Connections in the MD documentation.

Can more than one type of authentication method be used at the same time?

Yes... but it would be difficult. Whilst you can set up several authentication stores in the administration console, only one can be used per runtime. You would need to use additional runtimes with separate configurations, and add a method to the authentication point to transfer to the relevant runtime.

Can the runtime and administration servers be installed on the same machine?

Yes... but you would rarely want to do so. The runtime server has to be internet facing to allow users to log into resources from outside of your network, but the administration console should only be accessible to trusted people within your network. If you are short of server space, you can install the administration console on a desktop machine as a workaround.

How do I change my organisation display name?

This can be done on the configurations > connections settings page.

How do users log out?

The logout function is at /oala/logout - e.g. https://idp.yourdomain.com/oala/logout.

How much RAM can I add to a 32bit image?

Our images ship with PAE enabled which means they can support more than the usual 2GB limit. The recommended maximum is 16GB.

There is no 64bit version available.

I've been told that X or Y component is not the latest version

As long as you are regularly updating, this is usually nothing to worry about. As long as the components in question are within vendor support, they will receive all relevant security patches (often called 'backports'). Our pre-built images run on CentOS 6 which is supported by CentOS until 2020.

What are the security implications of using Referral URL or Form GET with proxy resources?

Unlike some proxy software, the OpenAthens LA proxy module will not pass the referral URL and username/password from the proxy server to the remote site. This means that even if the end user has installed software to monitor the web traffic, they will not be able to retrieve the login credentials (e.g. from page headers).

For any resources that use shared credentials, you should ensure that the access credentials cannot be modified without further authorisation before setting up access this way.

Which ports need to be open

See the server considerations page in the administration console installation section or runtime installation section:

• Server considerations for the admin console
• Server considerations for the runtime

Why do some users get a message about disabled cookies when they access proxied resources?

It's unlikely but not impossible that they have disabled cookies entirely, but more likely that they are using Internet Explorer and have set the privacy settings higher than medium - they can either set it to medium, or add the domain of your LA login to their trusted sites.