Before making your service live for our mutual customers and publishing it the federation, our service desk runs some checks and to do so our identifiers will need to get past your authorisation checks.
- If your resource clearly shows whether or not a user is logged in or not - e.g. the login link disappears - then our service desk will only need sufficient access to get past the OpenAthens authentication rather than access any restricted content.
- If your resource does not clearly show whether or not a user is logged in or not, then we will also need sufficient access to at least one restricted page so that we are able to tell the difference.
Once you are live you can remove that authorisation however if it is possible to leave the
scope enabled for sufficient access to see if authorisation is working or not, it can save both your support team and ours some time and effort when customers report access problems.
For external applications such as Shibboleth we will need to make our accounts aware of your metadata before we can test. Our service desk will capture what they need from your application record.
If you have added the OpenAthens federation metadata, remove it. You can leave any other federation metadata in place, but during testing the only OpenAthens metadata to enable is our test IdPs: