The connections page is about how OpenAthens products like Keystone work in multiple federations. External applications such as Shibboleth don't have a separate connection here because their appearance in other federations isn't managed by us.

When you select a connection you can make the following adjustments:

Application:

The name of the application record(s) using this connection.

Rules (OpenAthens Keystone only)

Allows you to toggle rulesets on and off. Changes take effect immediately after saving.

  • Common EduPerson and Extended EduPerson - translates the attribute names commonly used in educational federations to OpenID Connect claims. See: eduPerson attributes
  • The one with a long name extracts some useful identifiers from the main eduPerson attribute used in federations
  • The others... should not need to be used unless you are migrating from OpenAthens SP

SAML Connector:

Entity

This is the entityID of your application and defaults to applicationURL/oa/metadata or applicationURL/oa/entity. If you change this, make sure to save changes and confirm the page has updated. You almost certainly will not want to change this once you are live.

The dots menu gives you access to view the entity metadata so you can download it to send to federations you are joining.

The entity metadata has two options for logos. Inline (default) stores the logo and banner as base64-encoded PNG images in the metadata, whilst hosted presents the banner as a URL and drops the logo. The choice exists because some federations you might want to join insist on logos being hosted rather than embedded.

Certificate

This is your metadata certificate. The same certificate is used for signing and encryption, and a federation might ask you to confirm its thumbprint when you register with them.

The dots menu gives you access to view the certificate details.

Privacy policies

Allows you to add and remove links to your privacy policy in the metadata. You can specify one link per language.

Most federations currently recommend this, and it is very likely to become a requirement.

OpenAthens:

Allow sign-in for users in my domain

This inserts your application into the metadata used only by your own OpenAthens domain. If you are a publisher, this will only be useful during testing.

If you are using Keystone for something like a VLE that only you will access, it is the only setting you need to turn on and the rest of the page can be ignored.

Allow sign-in for any OpenAthens domain

This will signal inclusion in the OpenAthens federation once set as live on the application page and approved. It will then be visible to all OpenAthens IdPs.

Identity providers:

This section is about other federations you might be in or become a member of. Enable them here and their metadata will be added to your configuration, however that is all. The switch does not register you in that federation and you will still need to take steps to appear there. See: How to join other federations

The additional identity providers section is for those SAML IdPs that you want to connect to who are not in a common federation (it is up to you to judge whether the number of IdPs involved makes joining a given federation easier than configuring those IdPs separately). See: Entities that are not in a federation

See also:

Entity categories:

This section allows you to indicate in your metadata which entity categories you support. Once saved you'll be able to see changes immediately in the metadata view under the menu by the entityID, but it will take up to 6 hours for them to appear in the published OpenAthens federation metadata. You will need to tell any other federations you are registered in about the change (education federations that include you via EduGAIN will pick up the change from the update to the federation you are registered in).

Most entity categories signify compliance with a set of rules or behaviours, so it's best to leave these turned off until everything else is in place.
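The metadata you download from the dots menu is what federation operators actually inspect, so it is worth checking it yourself before sending it: the certificate thumbprint they will ask you to confirm, whether the logo is inline or hosted, the per-language privacy statement links, and the entity categories described above. The script below is an added example, not OpenAthens code; it reads standard SAML 2.0 SP metadata (md, mdui and mdattr namespaces) from a constructed sample, and assumes that an inline logo appears as a data: URI and that the certificate body is a placeholder blob rather than a real X.509 certificate. The thumbprint is simply the hex digest of the DER bytes inside ds:X509Certificate, which is how federations quote it.

```python
"""Summarise the SP metadata downloaded from the connection page.

Added example (not OpenAthens' own code). Pulls out the items a federation
operator is likely to check: entityID, certificate thumbprints, logo mode,
privacy statement URLs per language, and entity categories.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ENTITY_CATEGORY = "http://macedir.org/entity-category"

# Constructed placeholder: NOT a real certificate, just bytes to hash.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-der-bytes-not-a-real-certificate").decode()

# Constructed sample metadata in the shape a SAML SP publishes. The entityID
# follows the applicationURL/oa/metadata default mentioned on the page.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    xmlns:mdui="{NS['mdui']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}"
    entityID="https://app.example.org/oa/metadata">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example App</mdui:DisplayName>
        <mdui:PrivacyStatementURL xml:lang="en">https://app.example.org/privacy</mdui:PrivacyStatementURL>
        <mdui:PrivacyStatementURL xml:lang="fr">https://app.example.org/fr/confidentialite</mdui:PrivacyStatementURL>
        <mdui:Logo width="400" height="100">https://app.example.org/static/banner.png</mdui:Logo>
      </mdui:UIInfo>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def thumbprint(der_bytes: bytes, algo: str = "sha256") -> str:
    """Certificate thumbprint as federations quote it: hex digest of the DER bytes."""
    return hashlib.new(algo, der_bytes).hexdigest()


def logo_mode(value: str) -> str:
    """'inline' when the logo is embedded as a data: URI (assumed form), else 'hosted'."""
    return "inline" if value.startswith("data:image/") else "hosted"


def summarise_sp_metadata(xml_text: str) -> dict:
    """Extract the fields a federation registration form usually asks for."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)

    # One thumbprint per KeyDescriptor; an absent 'use' attribute means both uses.
    certificates = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))  # tolerate line-wrapped base64
        certificates[kd.get("use", "both")] = thumbprint(der)

    ui = "md:Extensions/mdui:UIInfo/"
    privacy = {el.get(XML_LANG, ""): (el.text or "").strip()
               for el in sp.findall(ui + "mdui:PrivacyStatementURL", NS)}
    logos = [logo_mode((el.text or "").strip()) for el in sp.findall(ui + "mdui:Logo", NS)]

    categories = []
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            categories += [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]

    return {
        "entity_id": root.get("entityID"),
        "certificates": certificates,
        "privacy_statements": privacy,
        "logos": logos,
        "entity_categories": categories,
    }


def review_notes(summary: dict) -> list:
    """Plain-language observations matching what the connection page lets you set."""
    notes = []
    if not summary["privacy_statements"]:
        notes.append("no privacy statement URL: most federations recommend one")
    if len(set(summary["certificates"].values())) == 1 and len(summary["certificates"]) > 1:
        notes.append("same certificate used for signing and encryption")
    if "inline" in summary["logos"]:
        notes.append("inline logo present: some federations require hosted logos")
    if summary["entity_categories"]:
        notes.append("entity categories claimed: " + ", ".join(summary["entity_categories"]))
    return notes


if __name__ == "__main__":
    result = summarise_sp_metadata(SAMPLE_METADATA)
    for key, value in result.items():
        print(f"{key}: {value}")
    for note in review_notes(result):
        print("-", note)
```

Run it against the real file you downloaded from the dots menu instead of SAMPLE_METADATA and compare the printed thumbprint with the one the federation shows you back; a mismatch usually means the entity metadata was regenerated after you sent it.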
