Why hasn't my LDAP or Sirsi connection appeared at the authentication point yet?

It will usually appear within minutes, so the things to check are:

  • Have you checked both the live and visible boxes on the details tab?
  • Are you looking at the correct organisation at the authentication point?
  • If you have not changed the username and password labels, it may not look any different from the OpenAthens sign-in page - try signing in.

Why hasn't my ADFS / CAS / SAML / API connection appeared at the authentication point yet?

It will usually appear within minutes, but the effect you are looking for is that as soon as the organisation is known (selecting from the search box will do) the user is taken directly to your own login. The things to check are:

  • Have you checked all of the live, visible and default boxes on the details tab?
  • Are you looking at the correct organisation at the authentication point?
  • If you are being sent anywhere at all, the authentication point is doing its job, so the problem will most likely be with your own login page or your browser's connection to it.
  • If you are running more than one connection and want both to appear, make sure none of them are marked as default.

Why are users being assigned unexpected permission sets?

They are triggering more rules than you expect, or a rule is assigning more permission sets. Things to check are:

  • First check that you haven't manually assigned permission sets to the account.
  • If the default permission sets rule is active, check if any other permission sets have been flagged as default.
  • If you are allocating permission sets by passing the name in an attribute or claim:
    • Check the data in your directory is correct.
    • If you are passing a multi-valued attribute, all values will be assigned.
  • Have you used a 'does not contain' operator on a multi-valued attribute? See below.

Why is a rule assigning unexpected permission sets, organisation mappings or suspend rules? 

The most common reason for rules not behaving as expected involves multi-valued attributes such as memberOf. Where these are passed, a rule will evaluate every value individually, and if any value meets the condition then the rule matches. This means that negative comparisons such as 'does not contain' almost always match, since only one of the values needs to not contain the term you're checking, not all values.
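
The following added example (a model of the behaviour described above, not OpenAthens code) shows how per-value evaluation makes a 'does not contain' rule fire for a user who actually holds the group being excluded. The function names, operator names and sample memberOf values are constructed for illustration.

```python
# Model of the per-value rule evaluation described above.
# Not OpenAthens code; names and sample data are constructed.

def contains(value, term):
    return term.lower() in value.lower()

def does_not_contain(value, term):
    return not contains(value, term)

def rule_matches(values, operator, term):
    """Per-value evaluation: the rule matches if ANY single value meets the condition."""
    return any(operator(v, term) for v in values)

def no_value_contains(values, term):
    """What is usually intended by 'does not contain': NO value contains the term."""
    return not any(contains(v, term) for v in values)

# Constructed sample directory data (memberOf values per user).
USERS = {
    "alice": ["CN=Library-Staff,OU=Groups,DC=example,DC=org",
              "CN=Walk-In-Users,OU=Groups,DC=example,DC=org"],
    "bob":   ["CN=Library-Staff,OU=Groups,DC=example,DC=org"],
    "carol": ["CN=Walk-In-Users,OU=Groups,DC=example,DC=org"],
}

def misfires(users, term):
    """Users for whom the negative rule matches although one of their values contains the term."""
    return sorted(
        name for name, groups in users.items()
        if rule_matches(groups, does_not_contain, term)
        and not no_value_contains(groups, term)
    )

if __name__ == "__main__":
    for name, groups in USERS.items():
        print(name,
              "rule matches:", rule_matches(groups, does_not_contain, "Walk-In"),
              "| intended:", no_value_contains(groups, "Walk-In"))
    print("misfires:", misfires(USERS, "Walk-In"))
```

Running the same check over an export of your own directory's multi-valued attributes shows which accounts a negative rule would catch unintentionally before the rule is made live.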

Why are users getting an error message about organisation mapping?

This will happen when mapping rules are set up such that the user is mapped to anything other than 1 organisation (as in mapped to none or to more than one). 

Why can't I add a new relying party trust in ADFS?

You are probably using an old version of ADFS. ADFS 3 and above should be fine. ADFS 2 needs update rollup 3: https://support.microsoft.com/en-gb/help/2790338/description-of-update-rollup-3-for-active-directory-federation-service

How do I know what attributes to pass to a service provider?

If you are in IT, you can probably just hand the whole thing over to the library once it's set up and not worry about it.

If you are in the library and are now worried about the last sentence...

If you are already using OpenAthens, all the ways you are already passing things to service providers using OpenAthens are still in place - you'll usually only have to set up the rules to assign existing permission sets and you'll be good to go.

If you're moving from an existing IdP such as OpenAthens LA or upgrading from Shibboleth, then you might not know how, yet. This is still nothing to worry about, as there is documentation and there are online courses to help you, as well as a service desk.
