When you are connecting to an application that is not part of a federation, e.g. a custom SAML resource such as a VLE, you may need to supply that application with your metadata address. Metadata is available for both SAML 2 and the older SAML 1.1. Where there is a choice, SAML 2 is the one to use.
You will need to know your OpenAthens domain name. This is usually the same as the scope registered against your domain organisation as seen on the organisation summary. If using that does not work, contact our service desk and they'll help you out.
E.g. if your OpenAthens domain is institution.ac.uk, your metadata address will be:
If you have sub-organisations that have different entityIDs (which is incredibly rare) you may need to access their metadata - e.g. if setting up a custom SAML resource that only they will access. The metadata address is essentially the same but with a /o/NUMBER bit added on the end:
...where the number at the end is the unique ID shown on their organisation account's permissions tab. If manually specifying endpoints (see below) you would also add the /o/NUMBER part to the end.
Manually specifying connection settings
The metadata address should be sufficient for most things that use SAML, since all the information is there. However, some applications may want you to specify things manually instead. If they do:
Endpoints / SSO address:
You can copy these from the metadata, but they will look like this:
This will be the X.509 certificate in the metadata, topped and tailed as follows. This is sometimes called PEM format.
Issuer / IDP issuer / identifier / entityID
Your entityID, e.g.
Binding / Binding type / IDP Binding
Where there is a choice, select 'Redirect' rather than 'Post'.
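The manual settings above can all be read out of the metadata itself. The following is an added example, not OpenAthens code: it parses a constructed SAML 2 metadata sample (placeholder host idp.example.org, dummy certificate bytes) and returns the entityID, the SSO endpoint with Redirect preferred over Post, and the certificate topped and tailed as PEM. The function names are hypothetical.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: placeholder host, and the certificate body is
# dummy bytes, not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(bytes(range(96))).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {SAMPLE_CERT_B64[:64]}
        {SAMPLE_CERT_B64[64:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.org/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.org/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(cert_text):
    """Top and tail the metadata's base64 certificate body as PEM."""
    b64 = "".join(cert_text.split())        # drop the XML's whitespace and newlines
    base64.b64decode(b64, validate=True)    # fail early on a damaged copy/paste
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def manual_settings(metadata_xml):
    """Return the values an application asks for when it cannot read metadata."""
    if "<!DOCTYPE" in metadata_xml:         # SAML metadata never needs a DTD
        raise ValueError("DTD in metadata refused")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    binding = REDIRECT if REDIRECT in sso else next(iter(sso))
    cert = idp.find(".//ds:X509Certificate", NS).text  # first certificate listed
    return {"entity_id": root.get("entityID"), "binding": binding,
            "sso_url": sso[binding], "certificate_pem": to_pem(cert)}

if __name__ == "__main__":
    for key, value in manual_settings(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

Fetch the metadata over HTTPS from the address you were given, and compare the PEM output with the certificate in the metadata before pasting it into the application.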