Select from the applications list to edit an application. Local and external applications have slightly different options.

Details tab

Status

When you are ready to go live in the OpenAthens federation you can set this to live. It always appears for external applications, but will not appear for local applications until the OpenAthens federation is added to the connection.

What will happen then is...

  • The logo and access URL fields become mandatory
  • Use of https for endpoints is enforced
  • On save you will see a preview of how your resource will appear to your customers
  • Our service desk will be alerted to run some tests and approve your appearance in the OpenAthens federation.
Description

A description of your product or service. It appears below the application name when seen by customers. See also: What makes a good resource description?

Logo

These must be a jpg, png or gif of at least 128 x 128px. Ideally square with a transparent background.

Banner

Only used by the Wayfinder discovery service. These must be a jpg, png or gif of at least 400 x 50px. Ideally with a transparent background.

Information URL

This is not required, but if you want to you can add a link to a description or sales page where potential subscribers can find out how to purchase access.

Access URL

The general access URL will be retired in the future but at the moment it is still necessary.

Your customers will expect you to support WAYFless access, and the easiest way to create a general access URL is to use your WAYFless URL format and set https://idp.eduserv.org.uk/openathens as the entityID, e.g: https://sp.yourdomain.com/landingpage?entityID=https://idp.eduserv.org.uk/openathens

OpenAthens Keystone supports WAYFless access with little or no configuration but if you have used something else, you might have implemented it in a way that does not support this kind of access. In such cases, it is acceptable to enter a general landing page as the access URL so long as the user can gain access from there, however your customers will prefer that you support WAYFless access.

Linking tab

This is all about the OpenAthens Redirector. If you support both WAYFless access and deep linking (article level linking) then you are redirector compatible. The redirector provides our mutual customers with a consistent link format that they can use in place of a proxy mask in applications such as link resolvers and removes any need for them to use proxy servers to access your site.

What you enter here are tokenised access URLs and the internet domains that use them - e.g.

URL:
  • https://sp.yourdomain.com/access?entityID={entity}&destinationPage={target}

Domains:
  • yourdomain.com
  • yourdomain.co.uk
  • yourdomain.net
  • theversionforschoolsdomain.com

Any target addresses using the listed domains will use the tokenised URL for access. There are two tokens:

  • {entity} - the customer's entityID will be inserted here
  • {target} - the page the customer wants the end-user to end up on

If you have any difficulty with these, our service desk will be happy to help.

There is no facility to insert non-federation identifiers for customers.
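To make the token substitution concrete, here is an added illustration (not OpenAthens' own redirector code) of how a target link on one of the listed domains is turned into a tokenised access URL. The sample tokenised URL and domain list are the ones shown above; the subdomain-matching rule and the percent-encoding of both tokens are assumptions about sensible redirector behaviour.

```python
from urllib.parse import urlsplit, quote

# Sample configuration in the style of the page; constructed, not a real publisher record.
TOKENISED_URL = "https://sp.yourdomain.com/access?entityID={entity}&destinationPage={target}"
LISTED_DOMAINS = [
    "yourdomain.com",
    "yourdomain.co.uk",
    "yourdomain.net",
    "theversionforschoolsdomain.com",
]


def host_matches(hostname: str, domain: str) -> bool:
    """True if hostname is the listed domain or a subdomain of it.

    Matching is done on label boundaries, so 'notyourdomain.com' does not
    match 'yourdomain.com' the way a plain suffix check would allow.
    """
    hostname = hostname.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def resolve_redirector_link(target: str, entity_id: str,
                            tokenised_url: str = TOKENISED_URL,
                            domains=LISTED_DOMAINS):
    """Return the access URL the redirector would send the user to.

    Returns None when the target is not an http(s) URL on one of the listed
    domains, i.e. when no tokenised URL applies to it.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if not any(host_matches(parts.hostname, d) for d in domains):
        return None
    # Both tokens are inserted percent-encoded, so '&', '?' and '=' inside the
    # target or entityID cannot be read as extra parameters of the access URL.
    return (tokenised_url
            .replace("{entity}", quote(entity_id, safe=""))
            .replace("{target}", quote(target, safe="")))


if __name__ == "__main__":
    # Constructed customer entityID and article-level target.
    print(resolve_redirector_link("https://www.yourdomain.co.uk/article/123?view=full",
                                  "https://idp.example.ac.uk/openathens"))
```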

Tabs for specific types of application

SAML endpoints

This will list the endpoints specified in your metadata and provide an option to edit or remove them using the dots menu. You can also add more SAML endpoints should you need to (e.g. for development boxes or load balanced services). If necessary you can manually set the index value. Changes can take up to 6 hours to be reflected in the federation metadata.

Local applications have a similar option on their connection.

<SAML> entity tab

This will display the metadata as it will appear in the federation once published.

Configuration tab

How to configure your web application

This link brings up the basic implementation steps. It is the same information that was displayed when you created the application record and is available in several flavours.

Client ID

This is the ID used to configure your OpenID Connect instance when you add OpenAthens as a provider.

Client secret

This is the secret used to secure your OpenID Connect instance when you add OpenAthens as a provider.

Application URL

The root of your application without a trailing slash, e.g: https://login.yourdomain.com

Redirect URL

This is where your OpenID Connect instance expects us to return the user after authentication, e.g: https://login.yourdomain.com/oidc/redirect

Login URL

This is the link that would initiate a user login in your OIDC application - i.e. the OIDC handler that is invoked when you hit the login button. It is required to support WAYFless access.

Connection

Keystone supports the sharing of connections so that multiple apps can use the same SAML connection in a federation.

Discovery tab

Wayfinder

OpenAthens Wayfinder is the default and recommended organisation discovery option.

Authorised domains: these are only used if you add the Wayfinder embed script to your site. You can leave them blank otherwise. See Embedding OpenAthens Wayfinder for details on how to configure your site to use embedded Wayfinder.

SeamlessAccess integration: enables SeamlessAccess integration with OpenAthens Wayfinder. You will need to add the SeamlessAccess button to your web application before enabling this functionality.

Other central discovery service

Enter the URL of your chosen discovery service. It must support the SAMLDS protocol.

Single identity provider

Specify a single entityID to use for all logins. Ideal for single site applications such as VLEs and during testing.

Attributes tab

This is where you can specify the attributes that your application expects IdPs to release. These attributes are categorised as either required or optional and must be from the list of standard eduPerson attributes. Attributes added here will appear in your application metadata.

In line with federation best practices, you should not set attributes containing personally identifiable information as 'required'. Typical required attributes are eduPersonTargetedID (unique to the user) and eduPersonScopedAffiliation (provides role@organisation information).

Keystone apps: entity categories and privacy policy links you have specified on your connection will display here for convenience.

External applications such as Shibboleth: the entity categories and privacy policies displayed in this tab are taken from the metadata when you upload it.
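As an added illustration (not OpenAthens' generator) of what the required/optional split in this tab produces in application metadata, the function below builds a SAML 2.0 AttributeConsumingService with one RequestedAttribute per attribute and flags any personal-data attribute that has been marked required. The attribute OIDs are the standard eduPerson/LDAP ones; the service name and the set of attributes treated as personal data are assumptions for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("md", MD_NS)

# Standard attribute identifiers as used in SAML metadata (real OIDs).
ATTRIBUTE_OIDS = {
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
}
# Assumed set of attributes that identify a person; the page says these
# should not be set as 'required'.
PII_ATTRIBUTES = {"mail", "displayName"}


def pii_marked_required(required):
    """Names of required attributes that carry personal data (should be empty)."""
    return sorted(set(required) & PII_ATTRIBUTES)


def build_attribute_consuming_service(required, optional,
                                      service_name="Example resource", lang="en"):
    """Build the md:AttributeConsumingService element for the given attributes.

    Required attributes come first with isRequired="true"; optional ones
    follow with isRequired="false". Unknown attribute names raise KeyError,
    mirroring the tab's restriction to the standard eduPerson list.
    """
    acs = ET.Element(f"{{{MD_NS}}}AttributeConsumingService", index="1")
    name = ET.SubElement(acs, f"{{{MD_NS}}}ServiceName")
    name.set(XML_LANG, lang)
    name.text = service_name
    for attr_name, is_required in [(a, True) for a in required] + [(a, False) for a in optional]:
        ET.SubElement(acs, f"{{{MD_NS}}}RequestedAttribute",
                      Name=ATTRIBUTE_OIDS[attr_name],
                      FriendlyName=attr_name,
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                      isRequired="true" if is_required else "false")
    return acs


if __name__ == "__main__":
    acs = build_attribute_consuming_service(
        ["eduPersonTargetedID", "eduPersonScopedAffiliation"], ["mail"])
    print(ET.tostring(acs, encoding="unicode"))
```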

IdP Support tab

Here you can add any support email addresses and specify your preferred activation method for the application.

For Keystone applications, any email addresses added here will also be added to the application metadata.

Preferred activation method

The preferred activation method is how you want your OpenAthens customers to contact you about enabling access. The idea is to minimise back and forth between our mutual customer and your support team by making sure they send the information you need to where it needs to go. You can choose one of four options:

Email

Specify the email address to write to. You can include parameters if you wish, e.g. subject 

Add any other details in the boxes below. There is a check box to tick when it is important for a customer to specify their subscription ID.

Portal

Specify the web address of the portal, including the protocol (e.g. https), and some basic instructions.

Webform

Specify the web address of the form, including the protocol (e.g. https).

Other

This is any process not covered by the other three.