How to access your login.openathens.net metadata
When you are connecting to an application that is not part of a federation, e.g. a custom SAML resource such as a VLE, you may need to supply that application with your metadata address. Metadata is available for both SAML 2 and the older SAML 1.1. Where there is a choice, SAML 2 is the one to use.
You will need to know your OpenAthens domain name. This is usually the same as the scope registered against your domain organisation as seen on the organisation summary. If using that does not work, contact our service desk and they'll help you out.
Metadata address:
https://login.openathens.net/saml/2/metadata-idp/DOMAIN
E.g. if your OpenAthens domain is institution.ac.uk, your metadata address will be:
https://login.openathens.net/saml/2/metadata-idp/institution.ac.uk
Manually specifying connection settings
The metadata address should be sufficient for most things that use SAML, since all the information is there. However, some applications may want you to specify things manually instead. If they do:
Endpoints / SSO address:
You can copy these from the metadata, but they will look like this:
https://login.openathens.net/saml/2/sso/DOMAIN
Certificate
This will be the x509 certificate in the metadata, topped and tailed as follows. This is sometimes called PEM format.
-----BEGIN CERTIFICATE-----
(base64 certificate data from the metadata)
-----END CERTIFICATE-----
The relevant fingerprints are:
SHA1 fingerprint = A9:91:F3:84:45:47:1C:67:7C:2B:0A:DC:63:83:25:3B:45:3C:47:26
SHA256 fingerprint = 4A:7A:87:11:E6:CC:DD:28:B0:DD:5F:70:F9:9D:1E:0B:33:EB:D0:F8:59:AB:B3:95:91:EA:63:32:AB:5A:3F:35
Issuer / IDP issuer / identifier / entityID
Your entityID, e.g. https://idp.institution.ac.uk/openathens
Binding / Binding type / IDP Binding
Where there is a choice, select 'Redirect' rather than 'Post'.
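The manual settings above can be read straight out of the metadata and the certificate checked against the published fingerprint before it is pasted into an application. The following is an added example, not OpenAthens code: the function names are hypothetical, the sample metadata and its certificate bytes are constructed placeholders, and it assumes the metadata root is a single EntityDescriptor.

```python
import base64, hashlib, hmac, textwrap
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# SHA256 fingerprint as published on this page, used as the pinned value.
PUBLISHED_SHA256 = "4A:7A:87:11:E6:CC:DD:28:B0:DD:5F:70:F9:9D:1E:0B:33:EB:D0:F8:59:AB:B3:95:91:EA:63:32:AB:5A:3F:35"

# Constructed sample standing in for the document served at the metadata address.
# The certificate bytes are placeholder bytes, not a real X.509 certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate " * 3
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.institution.ac.uk/openathens">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{textwrap.fill(base64.b64encode(SAMPLE_DER).decode(), 64)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.openathens.net/saml/2/sso/institution.ac.uk"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def read_idp_settings(metadata_xml):
    """Return the entityID, Redirect SSO address and certificate (DER bytes)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{MD}IDPSSODescriptor")
    cert_b64 = "".join(idp.find(f".//{DS}X509Certificate").text.split())
    sso = [s.get("Location") for s in idp.findall(f"{MD}SingleSignOnService")
           if s.get("Binding") == REDIRECT]
    return {"entity_id": root.get("entityID"), "sso_redirect": sso[0],
            "cert_der": base64.b64decode(cert_b64, validate=True)}

def to_pem(der):
    """Top and tail the certificate, base64 wrapped at 64 characters per line."""
    body = textwrap.fill(base64.b64encode(der).decode(), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprint(der, algorithm="sha256"):
    """Colon-separated upper-case hex digest of the certificate's DER bytes."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_published(der, published=PUBLISHED_SHA256):
    """True only if the certificate's SHA256 fingerprint equals the pinned value."""
    return hmac.compare_digest(fingerprint(der), published.upper())

if __name__ == "__main__":
    s = read_idp_settings(SAMPLE_METADATA)
    print(s["entity_id"], s["sso_redirect"], fingerprint(s["cert_der"]), matches_published(s["cert_der"]))
```

With the constructed sample, matches_published returns False because the placeholder bytes are not the real certificate; the certificate extracted from your real metadata should return True before you configure it.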