A piece of information about an object, usually a user, supplied by an identity provider to a service provider.

Authentication & authorisation

Authentication is the checking of user credentials which in a federated context is done by the identity provider. Authorisation is whether or not they can access a thing which is decided by the service provider based on the user's scope and attributes.

Deep linking

Where a link can send the user directly to the signed-in version of a page. Sometimes called 'article level linking'


More accurately known as organisation discovery to avoid confusion with content discovery, it's the way a user accessing a service provider (SP) identifies to that SP which identity provider they are from. The usability of these can vary, although things like OpenAthens Wayfinder and more recently the Seamless Access project can help SPs be more consistent. 


An identity provider or service provider within a federation. Some have more than one entity, such as when a service provider has several products.


The identifier of an entity within metadata. An identity provider will have one of these but may have multiple scopes. These usually take the format of a secure URI on a domain owned by the identity provider, but do not have to be a real web page - e.g:

Identity Provider (IdP)

The organisation that issues identities to its users, e.g. a library.


Information about entities. Each identity provider or service provider entity will have its own metadata that describe it in terms of signatures, certificates, sign-in addresses and what they support. Exchanging this sets up the relationship between the IdP and SP and whilst this can take the form of a 1-2-1 exchange, a SAML federation will maintain a central metadata file which aggregates all the individual entities metadata to make things simple and secure for all parties.

This aggregated metadata is cached by the IdP and SP software for quick reference, so changes can take a day or so to be picked up by all parties.

OpenAthens Redirector

When a resource supports both deep linking and wayfless access, our redirector can be used by identity providers as a simple way to form access links


Security Assertion Markup Language. The standard upon which most federations work. 


The identifier of an organisation or part of an organisational expressed as an internet domain owned by the identity provider. Organisation parts would usually add a 'subdomain' as the thing that tells them apart.  in the OpenAthens federation it generally a number. E.g:

The scope is supplied as part of the scopedAffiliation attribute (see below)


The friendlier name for an attribute with the charming name of urn:oid: It's a user's roll, such as member, staff, student, combined with your scope. E.g: 

Service provider (SP)

The resource provider that authorises entry based on the scope and attributes of the user attempting access. SP is the SAML term, but you may recognise them as vendors or publishers.


An open source software developed originally by Internet2 and supported by the Shibboleth Foundation. Since federation operators can talk about it without appearing to endorse any particular supplier, they do that. 


The friendlier name for urn:oid: It is a pseudonymous identifier for an individual user that is consistent every time the user visits an SP but different for each separate SP. 


An access URL that includes the entityID of a user's IdP so that the user does not have to stop and tell the resource where they are from when signing in.