
The connections page is about how OpenAthens products like Keystone work in multiple federations. External applications such as Shibboleth don't have a separate connection here because their appearance in other federations isn't managed by us.

When you select a connection you can make the following adjustments:


The name of the application record(s) using this connection.

Rules (OpenAthens Keystone only)

Allows you to toggle rulesets on and off. Changes take place immediately after saving.

  • Common EduPerson and Extended EduPerson - translate the attribute names commonly used in educational federations to OpenID Connect claims. See: eduPerson attributes
  • The one with a long name extracts some useful identifiers from the main eduPerson attribute used in federations.
  • The others should not need to be used unless you are migrating from OpenAthens SP.

SAML Connector:


This is the entityID of your application and defaults to applicationURL/oa/metadata or applicationURL/oa/entity. If you change this, make sure to save changes and confirm the page has updated. You almost certainly will not want to change this once you are live. Changing the entityID will not change the address of your metadata.

The menu icon gives you access to view the entity's metadata.


This is your metadata certificate. The same certificate is used for signing and encryption, and a federation might ask you to confirm its thumbprint when you register with them.

The menu icon gives you access to view the certificate details.
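When a federation asks you to confirm the thumbprint, you can compute it yourself from the certificate in your published metadata and compare. The following is an added example, not OpenAthens code: the metadata document, its entityID and the certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the entityID is a placeholder and the base64 body is
# dummy bytes standing in for a DER certificate. A thumbprint is a hash of the
# decoded bytes, so the mechanics are identical for a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.example.org/oa/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      Y29uc3RydWN0ZWQtc2FtcGxlLWNlcnRpZmljYXRl
      LWJ5dGVzLW5vdC1hLXJlYWwtY2VydA==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      Y29uc3RydWN0ZWQtc2FtcGxlLWNlcnRpZmljYXRlLWJ5dGVzLW5vdC1hLXJlYWwtY2VydA==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_cert_thumbprints(metadata_xml, algo="sha256"):
    """Return (entityID, {use: colon-separated thumbprint}) from SP metadata."""
    # Only parse metadata you fetched yourself from your own application;
    # for XML from an untrusted source use a hardened parser such as defusedxml.
    root = ET.fromstring(metadata_xml)
    result = {}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        der = base64.b64decode("".join(cert.text.split()))  # drop line wrapping
        digest = hashlib.new(algo, der).hexdigest().upper()
        # A KeyDescriptor without a "use" attribute applies to both purposes.
        use = kd.get("use", "signing+encryption")
        result[use] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return root.get("entityID"), result


def same_cert_for_all_uses(thumbprints):
    """True when signing and encryption carry one certificate, as described above."""
    return len(set(thumbprints.values())) == 1
```

Compare the result with the thumbprint shown in the certificate details, using the same hash algorithm the federation quotes (pass `"sha1"` if they give a SHA-1 value).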


Allow sign-in for users in my domain

This inserts your application into the metadata used only by your own OpenAthens domain. If you are a publisher, this will only be useful during testing.

If you are using Keystone for something like a VLE that only you will access, it is the only setting you need to turn on and the rest of the page can be ignored.

Allow sign-in for any OpenAthens domain

This will put your application in the OpenAthens federation and, once set as live on the application page, make it visible to all OpenAthens IdPs.

Identity providers:

This section is about other federations you might be, or might become, a member of. Enabling a federation here adds its metadata to your configuration, but that is all it does. The switch does not register you in that federation, and you will still need to take steps to appear there. See: How to join other federations

The additional identity providers section is for SAML IdPs that you want to connect to that are not in a common federation. It is up to you to determine the weight of numbers at which joining a given federation becomes easier than configuring IdPs separately. See: Entities that are not in a federation
