OpenAthens Keystone
OpenAthens Keystone is our hosted Service Provider option. It is middleware that allows an OpenID Connect Relying Party to be used in SAML federations without the need to understand SAML. As long as your OpenID Connect Relying Party meets the basic requirements below, there should be no problem using it with Keystone.
See also: What is OpenAthens Keystone
Basic OpenID Connect requirements
Whichever OpenID Connect client, plug-in or framework you are using, it...
MUST
- be OpenID Connect based on OAuth2 rather than plain OpenID.
- support daily key rotation
  - i.e. the keys published at our jwks endpoint will change every 24 hours. This is usually handled automatically by whichever OpenID Connect framework you are using.
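What "support daily key rotation" means for a Relying Party, shown as an added example that is not OpenAthens code: cache the provider's JWKS, select the key by the `kid` in the ID token header, refetch the JWKS when an unknown `kid` turns up (rate-limited, so junk tokens cannot hammer the endpoint), and reject tokens signed under a key the provider has retired. Everything in it is constructed: the issuer and client id are placeholders, the JWKS "endpoint" is an in-memory dict standing in for the HTTPS fetch of the provider's `jwks_uri`, and the RSA keys are toy keys built from public Mersenne primes so that RS256 verification is real rather than stubbed (they are no good for anything but a demo).

```python
# Added example (not OpenAthens code): minimal OpenID Connect relying-party handling of the
# daily JWKS key rotation described above. Everything is constructed: the JWKS "endpoint" is an
# in-memory dict standing in for the HTTPS fetch, and the RSA keys are toy keys (see below).
import base64, hashlib, hmac, json, time

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _i2b(i): return i.to_bytes((i.bit_length() + 7) // 8, "big")
def _b2i(b): return int.from_bytes(b, "big")

# Anyone can forge tokens under these keys; the lesson is the JWKS handling, not key strength.
_MERSENNE = {k: (1 << k) - 1 for k in (521, 607, 1279)}

def make_rsa_key(kid, p, q, e=65537):
    """Returns (private key, public JWK) in the shape a provider publishes at its jwks endpoint."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    jwk = {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": b64u(_i2b(n)), "e": b64u(_i2b(e))}
    return {"n": n, "d": d}, jwk

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg, k):                     # RS256 is RSASSA-PKCS1-v1_5 over SHA-256
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_jwt(priv, kid, claims):
    """Provider side (constructed for the demo): issue an ID token under key `kid`."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    k = (priv["n"].bit_length() + 7) // 8
    sig = pow(_b2i(_emsa_pkcs1_v15(signing_input.encode(), k)), priv["d"], priv["n"])
    return signing_input + "." + b64u(sig.to_bytes(k, "big"))

def _rs256_verify(jwk, signing_input, sig):
    n, e = _b2i(b64u_dec(jwk["n"])), _b2i(b64u_dec(jwk["e"]))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(_b2i(sig), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))

class JwksCache:
    """Caches the provider's JWKS. An unknown kid triggers a refetch, rate-limited to one per
    `min_refresh` seconds: a rotated key is picked up, but junk tokens cannot hammer the endpoint."""
    def __init__(self, fetch, min_refresh=60.0, now=time.monotonic):
        self._fetch, self._min_refresh, self._now = fetch, min_refresh, now
        self._keys, self._last_fetch, self.fetch_count = {}, None, 0

    def get(self, kid):
        stale = self._last_fetch is None or self._now() - self._last_fetch >= self._min_refresh
        if kid not in self._keys and stale:
            self._keys = {k["kid"]: k for k in self._fetch()["keys"] if k.get("kty") == "RSA"}
            self._last_fetch, self.fetch_count = self._now(), self.fetch_count + 1
        return self._keys.get(kid)

def verify_id_token(token, cache, issuer, client_id, now):
    """Relying-party side: returns the claims or raises ValueError. Only the header's kid
    selects a key from the cached JWKS; nothing inside the token is trusted as key material."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64u_dec(h64))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")      # pin the algorithm; never honour 'none'
    jwk = cache.get(header.get("kid"))
    if jwk is None:
        raise ValueError("unknown kid after refresh")
    if not _rs256_verify(jwk, f"{h64}.{p64}".encode(), b64u_dec(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(p64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id or claims.get("exp", 0) <= now:
        raise ValueError("claims rejected")
    return claims

def demo_rotation():
    """Constructed scenario: the provider rotates from key day-1 to key day-2 while the RP runs."""
    iss, aud = "https://issuer.example", "rp-client-id"       # placeholders, not real endpoints
    claims = {"iss": iss, "aud": aud, "sub": "user-1", "exp": 2_000_000_000}
    priv1, jwk1 = make_rsa_key("day-1", _MERSENNE[521], _MERSENNE[607])
    priv2, jwk2 = make_rsa_key("day-2", _MERSENNE[607], _MERSENNE[1279])
    published, clock = {"keys": [jwk1]}, [0.0]                # mutable provider state + fake clock
    cache = JwksCache(lambda: json.loads(json.dumps(published)), min_refresh=60, now=lambda: clock[0])
    out = {}
    out["day1"] = verify_id_token(sign_jwt(priv1, "day-1", claims), cache, iss, aud, now=1.0)["sub"]
    published["keys"], clock[0] = [jwk2], 86_400.0           # daily rotation: day-1 is retired
    tok2 = sign_jwt(priv2, "day-2", claims)
    out["day2"] = verify_id_token(tok2, cache, iss, aud, now=1.0)["sub"]   # unknown kid -> refetch
    h64, _, s64 = tok2.split(".")
    forged = h64 + "." + b64u(json.dumps({**claims, "sub": "admin"}).encode()) + "." + s64
    for name, tok in (("retired_key", sign_jwt(priv1, "day-1", claims)), ("forged", forged)):
        try:
            verify_id_token(tok, cache, iss, aud, now=1.0)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    out["fetches"] = cache.fetch_count
    return out
```

Calling `demo_rotation()` returns a dict showing the token under the first key accepted, the token under the rotated key accepted after exactly one extra JWKS fetch, and both the token under the retired key and the forged payload rejected. A production Relying Party does the same with an HTTPS GET of the `jwks_uri` from the provider's discovery document and should additionally refresh the cache on a schedule (or per the endpoint's cache headers); as the page says, the OpenID Connect frameworks normally do all of this for you, and the check worth making is that your framework does not cache the JWKS forever or accept an unknown `kid`.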
SHOULD
- support multiple providers so that Keystone can be used alongside any other OpenID Connect login options you do or may want to provide (e.g. Google).
MAY
- utilise PKCE (Proof Key for Code Exchange)
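The PKCE exchange that the last item refers to, as an added example that is not OpenAthens code: the client half (a high-entropy `code_verifier` and the S256 `code_challenge` it sends on the authorization request) and the check an authorization server makes at the token endpoint before it will exchange the authorization code. The function names are this example's own, and all inputs are generated locally.

```python
# Added example (not OpenAthens code): PKCE with the S256 method as specified in RFC 7636,
# showing both the client side and the token-endpoint check. All values are generated here.
import base64, hashlib, hmac, secrets

def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_pkce_pair():
    """Client side: a fresh code_verifier and the code_challenge derived from it.
    32 random bytes encode to 43 unreserved characters, the minimum RFC 7636 allows."""
    verifier = b64u(secrets.token_bytes(32))
    challenge = b64u(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge

def pkce_verifier_matches(stored_challenge, stored_method, presented_verifier):
    """Server side, at the token endpoint: recompute the challenge from the verifier presented
    with the authorization code and compare in constant time. Only S256 is honoured, because
    a 'plain' challenge is the verifier itself and protects nothing if the request leaks."""
    if stored_method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    expected = b64u(hashlib.sha256(presented_verifier.encode()).digest())
    return hmac.compare_digest(expected, stored_challenge)
```

The client keeps the verifier private until the token request; the server stores the challenge and method alongside the issued authorization code, so an authorization code stolen in transit cannot be redeemed without the verifier that never left the client.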