Changes to WAYFLess URLs for login.openathens.net

If you have recently moved from auth.athensams.net to login.openathens.net we hope you are benefiting from the enhanced functionality.

Most access URLs are unaffected by the change, but you may encounter some that use a format specific to old versions of Shibboleth and SAML 1.1. These links would start with https://auth.athensams.net? and after the question mark there would be a long string of text that included [often percent encoded] two more URLs and often the word "shire=". E.g.

https://auth.athensams.net?target=https%3A%2F%2Fsso.resource.com%2F&shire=https%3A%2F%2Fsso.resource.com%2FShibboleth.sso%2FSAML%2FPOST&providerId=https%3A%2F%2Fsso.resource.com%2Fentity

If you have any of those, you should first check with the service provider to see if they offer a more modern alternative using SAML2. If not then you will need to replace the first part (your SSO address) as follows:

https://auth.athensams.net?

Change to...

For UK federation resources

https://login.openathens.net/saml/1/sso/DOMAIN/c/ukfed?

where DOMAIN is your OpenAthens domain - usually the same as your scope.

OpenAthens federation resources

https://login.openathens.net/saml/1/sso/DOMAIN/c/oafed?

where DOMAIN is your OpenAthens domain - usually the same as your scope.

Anything to watch out for?

The last part (ukfed, oafed) is a federation identifier and can make a difference.

For this format of WAYFless URL, you cannot use SAML2 - so ensure the SSO address has the /saml/1/ path specified.

Whilst your OpenAthens domain is usually the same as your scope, it may be different if you are part of a consortium such as NHS England.