Skip to end of metadata
Go to start of metadata

Select from the applications list to edit an application. Local and external applications have slightly different options


The first two tabs appear for both types:

Details tab


When you are ready to go live in the OpenAthens federation you can set this to live. It always appears for external applications, but will not appear for local applications until the OpenAthens federation is added to the connection.

What will happen then is...

  • The logo and access URL fields become mandatory
  • Use of https for endpoints is enforced
  • On save you will see a preview of how your resource will appear to your customers
  • Our service desk will be alerted to  run some tests and approve your appearance in the OpenAthens federation. 

A description of your product or service. It appears below the application name when seen by customers. See also: What makes a good resource description?

These must be a jpg, png or gif of at least 128 x 128px. Ideally square with a transparent background.


Only used by the Wayfinder discovery service. These must be a jpg, png or gif of at least 400 x 50px. Ideally with a transparent background.

Information URL

This is not required, but if you want to you can add a link to a description or sales page where potential subscribers can find out how to purchase access

Access URL

The general access URL will be retired in the future but at the moment it is still necessary. 

Your customers will expect you to support WAYFless access and the easiest way to create a general access URL is to use is your WAYFless URL format and set as the entityID  e.g: .

OpenAthens Keystone supports WAYFless access with little or no configuration but if have used something else you might have implemented it in a way that does not support this kind of access. In such cases it is acceptable to enter a general landing page as the access URL so long as the user can gain access from there, however your customers will prefer you to support wayfless access.

Linking tab

This is all about the OpenAthens Redirector. If you support both WAYFless access and deep linking (article level linking) then you are redirector compatible. The redirector provides our mutual customers with a consistent link format that they can use in place of a proxy mask in applications such as link resolvers, and removes any need for them to use proxy servers to access your site.

What you enter here are tokenised access URLs and the internet domains that use them - e.g.


Any target addresses using the listed domains will use the tokenised URL for access. There are two tokens:

  • {entity} - the customer's entityID will be inserted here
  • {target} - the page the customer wants the end-user to end up on

If you have any difficulty with these, our service desk will be happy to help.

There is no facility to insert non-federation identifiers for customers.

SAML endpoints (external applications only)

This will list the endpoints specified in your metadata and provide an option to edit or remove them using the ( ) control. You can also add more SAML endpoints should you need to (e.g. for development boxes or load balanced services). If necessary you can manually set the index value. Changes can take up to 6 hours to be reflected in the federation metadata.

Local applications have a similar option on their connection.

<SAML> entity tab (external applications only)

This will display the metadata as it will appear in the federation once published. 

Configuration tab (OpenAthens Keystone applications) 

Client ID

This is the ID used to configure your OpenID Connect instance when you add OpenAthens as a provider.

Client secret

This is the secret used to secure your OpenID Connect instance when you add OpenAthens as a provider.

Application URL

The root of your application without a trailing slash, e.g:

Redirect URL

This is where your OpenID Connect instance expects us to return the user after authentication, e.g:

Login URL

This is the link that would initiate a user login in your OIDC application - i.e. the OIDC handler that is invoked when you hit the login button. It is required to support WAYFless access.


Keystone supports the sharing of connections so that multiple apps can use the same SAML connection in a federation.

Entity Categories

Entity categories allow you to restrict the entities that appear in supported discovery services such as OpenAthens Wayfinder. If set, only entities that have matching categories in their metadata will appear. At the moment you would almost certainly leave this blank.

Discovery tab (OpenAthens Keystone applications)


OpenAthens Wayfinder is the default and recommended organisation discovery option. 

Authorised domains:  these are only used if you add the Wayfinder embed script to your site. You can leave them blank otherwise. See Embedding OpenAthens Wayfinder for details on how to configure your site to use embedded Wayfinder.

Other central discovery service

Enter the URL of your chosen discovery service. It must support the SAMLDS protocol. 

Single identity provider 

Specify a single entityID to use for all logins. Ideal for single site applications such as VLEs and during testing.

Getting started tab (Keystone applications)

Internal applications have a getting started link that shows the basic implementation steps. It is the same information that was displayed when you created the application records and is available in several flavours.

  • No labels