Delegated login behaviour
If you have connected a delegated login to OpenAthens, such as ADFS, SAML or the API connector, the authentication point behaves differently than it does for LDAP or OpenAthens accounts.
With this connection type, a single local connection set as default is the recommended option for the best user experience. Instead of being presented with an OpenAthens login box, the user, once recognised as yours, is transferred immediately to your own login point, so in most cases will not even see our login.
The user is recognised as one of yours by any of these means:
- The user selects your organisation from the organisation search
- The user selects your organisation during discovery at a resource (does not see our authentication point)
- The user is following a wayfless URL (does not see our authentication point)
- The user is following a Redirector link (does not see our authentication point)
- The user was successfully authenticated by you the last time we saw them (does not see our authentication point)
If you need to have multiple connectors - e.g. if staff and students are in different directories - then these can be presented as a list for the user to choose from (all live and visible non-default connections are shown). As above, the selected connector is remembered when the user is successfully authenticated.
Anything to watch out for?
If a user fails to authenticate at your login, the authentication point (AP) will stop remembering that they are from your organisation. This is so that users from other organisations who select you by mistake are not sent there automatically next time. It only affects the last of the scenarios listed above.
Anything that clears cookies or local storage will mean the AP forgets the user too.
If a delegated login is set as default then no other connectors can be shown, even in debug mode.