Current release

Release date: 21 November 2022

Notable bug fixes and changes:
  • [MDP-10192] - Add more choice about what appears in the published contact details
  • [MDP-10254] - Send an email alert on a password change
  • [MDP-10391] - Additional fields from public contacts for email templates
  • [MDP-10458] - Passwords would  not work if they contained non-ASCII characters
  • [MDP-10459] - The unique ID field was not searchable

Previous releases

Release date: 16 November 2022

Notable bug fixes and changes:

Release date: 14 November 2022

Notable bug fixes and changes:

Release date: 10 November 2022

Notable bug fixes and changes:
  • [MDP-10235] -
    • The updated password policy is now enforced for existing administrator-enabled accounts. They can no longer skip the password reset prompt if they have a weak password
    • Personal accounts (end users) are now prompted to change their password if it is weak, but have a skip option for now.

Release date: 9 November 2022

Notable bug fixes and changes:

  • [SMS-212] - upgrade jackson-databind to a newer version containing a fix for CVE-2022-42003

Release date: 7 November 2022

Notable bug fixes and changes:
  • [MDP-10150] - Improved handling of unsupported digest methods in SP metadata
  • [MDP-10409] - Action to get client-side password validation code accepted by the firewalls that didn't some of the words in the too-common password check

  • [CICD-99] - uplift Java and GWT versions

Release date: 11 October 2022

Notable bug fixes and changes:
  • [MDP-10191] - SAML connectors using Name ID as the unique ID and any other attribute as display name were not displaying correctly

Release date: 10 October 2022

Notable bug fixes and changes:
  • [MDP-10408] - Setting a new password would fail if firewalls or similar blocked the client-side validation code (zxcvbn.js)

Release date: 29 September 2022

Notable bug fixes and changes:
  • [MDP-10313] - Remove auto focus on fields from the authentication point
  • [MDP-10334] - Accessibility fix on button colour

  • [MDP-10258] - Add Matomo to authentication points
  • [PROXY-463, 464, 472] - Various improvements to the creation and maintenance of proxy resources

Release date: 12 September 2022

Notable bug fixes and changes:
  • [REP-565/570] - Keyboard navigation improvements to the reporting interface
  • [MYP-709] - MyAthens Plus resource filter improvements for mobile 

Release date: 2 September 2022

Notable bug fixes and changes:
  • [MYP-676] - Resource description now respects line breaks
  • [MYP-732] - Pressing the enter key whilst in the search bar was clearing the history 

  • [MDP-10305/9] - Security enhancements for CSP frame ancestors and HSTS length

Release date: 1 September 2022

Notable bug fixes and changes:
  • [MDP-10235] - Admin accounts that do not comply with the new password policy are now prompted to update, with a defer option

Release date: 30 August 2022

Notable bug fixes and changes:

  • [MDP-10235] - Code released behind feature toggle for upcoming changes to password strength enforcement in the admin area and authentication point 

Release date: 17 August 2022

Notable bug fixes and changes:
  • [PROXY-425] - Fixed character display for
  • [PROXY-459] - Increased session lifetime to avoid re-authentication (and additional transfer statistics) on certain resources 

  • [PROXY-315] - Disabled jsoup pretty printing to avoid serialisation errors on malformed HTML
  • [PROXY-458] - Null ISO country codes caused errors

Release date: 17 August 2022

Notable bug fixes and changes:
  • [MDP-10294] - Bulk uploads were failing under the combination of Firefox, MS Office and Windows. 

  • uplift internal email-commons library
  • remove certain deployment-specific arguments relating to the release of the new password policy

Release date: 15 August 2022

Notable bug fixes and changes:

Release date: 10 August 2022

Notable bug fixes and changes:
  • [Proxy-444] - DOI URLs when proxied would not maintain the proxy prefix for onward links
  • [PROXY-341, 393, 426, 429, 458] - Various improvements to the creation and maintenance of proxy resources

Release date: 2 August 2022

Notable bug fixes and changes:
  • [MYP-637] - MyAthens Plus resource list search now remembers previous searches if they led to a resource being selected
  • [MYP-726] - MyAthens Plus resource list no longer resets to all after setting or removing a favourite

Release date: 1 August 2022

Notable bug fixes and changes:
  • n/a

  • [MDP-10040, 10084, 10085] - Code released behind feature toggle for upcoming changes to password selection in the admin area and authentication point
  • [CICD-71] - uplift activity-server-client version
  • [PROXY-341] - allow super-user to allocate proxy instance to sub-orgs via domain manager
  • [SMA-48] - Remove old email API from system

Release date: 26 July 2022

Notable bug fixes and changes:
  • n/a

  • [CICD-71,104] - dependency uplifts for the activity service and script service

Release date: 21 July 2022

Notable bug fixes and changes:
  • [MDP-3890] - Enable download of local accounts
  • [MDP-10041] - Replace password confirmation box with a show/hide button

Release date: 18 July 2022

Notable bug fixes and changes:
  • [MDP-10089] - Local accounts were not being removed when they hit the set last-access threshold 
  • [MDP-10208] - Sending an activation code now appears in the audit stream for OpenAthens accounts

  • [SMA-12] - implement email recipient verification

Release date: 16 June 2022

Notable bug fixes and changes:
  • [RED-200] - The redirector was handling DOI links incorrectly in certain circumstances  

Release date: 13 June 2022

Notable bug fixes and changes:
  • n/a

  • [PROXY-386,420,424,428,434,435,442] - Various improvements to the creation and maintenance of proxy resources

Release date: 25 May 2022

Notable bug fixes and changes:
  • [MYP-640, 673, 700] - Improvements to MyAthens for text size and mobile support
  • [MYP-634, 635, 710] - Improvements to the resource list in MyAthens+  

Release date: 10 May 2022

Notable bug fixes and changes:
  • [MYP-636] - Navigation of the resources list in MyAthens+ has been enhanced with an alphabetic filter
  • [MYP-642] - MyAthens+ resource list favourites button is now a filter rather than a sort 
  • [REP-556] - Download options weren't working on read-only report views

Release date: 13 April 2022

Notable bug fixes and changes:
  • [OASD-17818, 18335, 18475], [PROXY-277, 377, 378, 388, 392] -  Various fixes and improvements to the managed proxy service including
    • Improved rewriting of URLs within parameters & JavaScript
    • Improved handling of XHR and CORS requests

Release date: 28 March 2022

Notable bug fixes and changes:
  • [MDP-10069] -  the SAML1 format of scopedAffiliation had stopped being automatically scoped

Release date: 24 March 2022

Notable bug fixes and changes:
  • [MYP-638] - Truncated resource descriptions in MyAthens can now be expanded up to 10 lines 

Release date: 22 February 2022

Notable bug fixes and changes:
  • [MDP-9510] - Last signed in date added to list for local accounts

Release date: 24 November 2021

Notable bug fixes and changes:

Release date: 22 November 2021

Notable bug fixes and changes:
  • [MDP-9885] - Some accounts were imperfectly deleted causing conflicts fields set as unique    
  • [MDP-9935] - Links in notifications were failing due to using an admin identifier instead of an organisation identifier 

Release date: 2 November 2021

Notable bug fixes and changes:
  • [MDP-9671/9462] - All administrators and sub-organisations can now, again, be deleted when necessary  

Release date: 29 October 2021

Notable bug fixes and changes:
  • Updates to the managed proxy to improve the handling of session cookies 

Release date: 14 October 2021

Notable bug fixes and changes:

Release date: 9 August 2021

Notable bug fixes and changes:

Release date: 4 August 2021

Notable bug fixes and changes:
  • [MDP-9271] - Unable to create permission set mapping rule at the organisation mapped org in certain situations
  • [MDP-9599] - Entitlement value lengths could be set longer than maximum
  • [MDP-9637] - Certain customers could not view the groups page
  • [MDP-9647] - Could not impersonate into reports for an organisation that had no administrator
  • [MDP-9654] - Some account account downloads were failing for some sub-organisations
  • [MDP-9672] - Accounts created via Self-registration were incorrectly being recorded against the activity stream of the administrator
  • [MDP-9677 / 9685] - Misuse monitoring updates to support future functionality
  • [MDP-9678] - Creating a new organisation sometimes did not refresh the All organisations summary screen
  • [MDP-9682] - The organisation button on a manually mapped connection had stopped working correctly

Release date: 22 July 2021

Notable bug fixes and changes:
  • [MDP-9079] - IdP metadata now includes an error URL, and libraries can have the SIRTFI entity category set if their federation requires it (
  • [MDP-9680] - Some recently enabled admin accounts would have their password rejected on certain changes. 

Release date: 29 June 2021

Notable bug fixes and changes:
  • [MDP-9058] - You can now set the order that local connections are displayed to the user when you have more than one. See: Sorting connections
  • [MDP-9419] - Sub organisations can no longer modify username prefixes

Release date: 24 May 2021

Notable bug fixes and changes:
  • [MDP-9499] - Successful authentication events now appear in an account's activity stream

Release date: 5 May 2021

Notable bug fixes and changes:
  • Updates to the interface including a new organisation switcher. See: How to act as a sub-organisation
  • [MDP-8264] - Default status can now be applied to a permission set at creation time
  • [MDP-9487] - The reporting API no longer returns a 500 error for certain queries 
  • [MDP-9495] - Advanced search was not showing all values in dropdown lists

Release date: 27 April 2021

Notable bug fixes and changes:
  • [MDP-9455] - In certain circumstances, moving an account between sub-organisations might not be recorded in the activity stream
  • [MDP-9461] - Bulk upload functionality had started rejecting non-UTF-8 characters

Release date: 3 March 2021

Notable bug fixes and changes:
  • [MDP-9190] - Data downloads and bulk uploads now reference the organisation number instead of the admin username

Release date: 10 February 2021

Notable bug fixes and changes:
  • [MDP-9117] - Access code generation added to the activity stream
  • [MDP-9249] - Libraries in multiple federations could have problems using the redirector in certain circumstances
  • [MDP-9264] - Permission set schemas incorrectly denying add/edit permission in certain circumstances
  • [MDP-9270] - The old organisation name was indexed when accounts moved to new organisations
  • [MDP-9273] - Resource catalogue display issues around some resources
  • [MDP-9289] - Changes to password reset request limits

Release date: 2 February 2021

Notable bug fixes and changes:
  • [MDP-9248] - Group affiliation was not maintained when moving accounts if the group was not present in the target organisation 
  • [MDP-9260] - Access accounts could not sign in

Release date: 18 January 2021

Notable bug fixes and changes:
  • [MDP-9192] - Could impersonate from the ownership information hover on search results
  • [MDP-9193] - Links in daily/weekly notification emails were not working
  • [MDP-9194] - Account data download link was not working
  • [MDP-9195] - Redirector and visibility icons were not appearing in the resource catalogue

Release date: 13 January 2021

Notable bug fixes and changes:
  • Start of transition process for changes to administrator accounts 
  • [MDP-9105,6] - Attributes were not removed from the attribute release policy properly when disabled or changed to no longer be releasable in the schema editor
  • [MDP-8918] - The organisation summary page was not listing organisations in alphabetical order
  • [MDP-8992] - Creation of sub-organisations was not included in the activity stream

Release date: 21 July 2020

New functionality:

Release date: 14 July 2020

Notable bug fixes and changes:
  • [REP-491] - Very large reports could not be exported. 
  • [REP-515] - Resource reports are now supplied 'flat' for greater flexibility and compatibility. See: Saving reports 

Release date: 28 May 2020

Notable bug fixes and changes:
  • [MDP-8569] - Metadata now includes names of sub-organisations where they have distinct scope values. 

Release date: 6 May 2020

Notable bug fixes and changes:
  • [My-41] - Accessibility improvements for MyAthens. 

Release date: 30 April 2020

Notable bug fixes and changes:
  • [REP-498] - Fixed a problem affecting the map view of authentications in the reporting interface

Release date: 21 April 2020

Notable bug fixes and changes:
  • [RED-170] - Could not paste links into the redirector link generator if using IE11

Release date: 4 April 2020

Notable bug fixes and changes:
  • [MDP-8585] - Fixed inconsistency between "Join requests" number in summary page and the list "Accounts awaiting approval to join this organisation" function
  • [MDP-8587] - The fast forward button on search results has had the jump increased
  • [MDP-8609] - The search backend was having problems when very large numbers of custom attributes were being used
  • [MDP-8653] - Could not search for local accounts by their email addresses

Release date: 20 March 2020

Notable bug fixes and changes:

Release date: 16 March 2020

Notable bug fixes and changes:
  • [RED-138] - Updates to the redirector link generators
  • [MDP-8287] - SAML based local auth connectors now support the forceAuthn option (SAML, ADFS, CAS)
  • [MDP-8347] - Previously set filters on audit streams were not applied on initial view

Release date: 30 January 2020

Notable bug fixes and changes:
  • [MDP-8542] - The OpenAthens account option alongside local connectors can now contain custom text. Set it under domain preferences

Release date: 13 January 2020

Notable bug fixes and changes:
  • [MDP-8524] - Default settings on a new SAML local connection were incorrect
  • [MDP-8526] - Validation on the bulk modify details function would incorrectly fail in certain circumstances

Release date: 1 November 2019

Notable bug fixes and changes:
  • Administrators were unable to use the 'Log a query' link within the Administration area as an error was occurring on the support portal (

Release date: 30 October 2019

Bug fixes and changes:
  • A HTTP header of referrer-policy has been added to the Administration area ( with the enforcement of strict-origin
  • A HTTP header of content-security-policy has been added to the Administration area ( in reporting only mode
  • [MDP-8449] - Display name attribute and Unique user attribute on a SAML connection could not be left blank even when "Use Subject NameID" is selected

Release date: 26 September 2019

Bug fixes and changes:
  • [MDP-8276] - A new non-interactive signin API option has been added (the old method will still work).
  • [MDP-8284] - The uniqueID used for local account can now be case normalised to aid OALA migration. 
  • [REP-400] - Deleted reportable attributes could still appear in breakdown options on reports

Release date: 24 September 2019

Notable bug fixes:
  • [REP-408] - Multi-dimension reports that included permission sets were producing errors
  • [REP-409] - Accounts > Authentications reports would not load

Release date: 18 September 2019

Notable bug fixes:
  • [REP-404] - Group name changes were not always reflected in reports
  • [REP-407] - The top resources widget on the reports dashboard was not displaying data

Release date: 28 August 2019

Notable bug fixes:
  • [RED-91] - the redirector didn't like how some links were encoded / decoded

Release date: 19 August 2019

Notable bug fixes:
  • [RED-67] - the redirector could get a bit confused when there were multiple link formats for the same target

Release date: 31 July 2019

Notable bug fixes:
  • [MDP-8278] - Security headers were being sent twice in MyAthens

Release date: 25 July 2019

Notable bug fixes:
  • [MDP-8125] - certain characters could cause an error when clicking on an account that contained them in the audit stream
  • [MDP-8152] - local accounts were not always cleaned up correctly when organisation mapping was being used

Release date: 18 July 2019

Notable Changes:

  • [MDP-8163] - A scoped version of the targetedID attribute is now available in the Attribute release policies to help people who are migrating from other systems. To support use of this, the regular (unscoped) targetedID attribute that has always been released by default is now visible and selectable in policies.
Notable bug fixes:

Release date: 12 June 2019

Notable bug fixes:
  • [MDP-8176] - Local accounts where the unique ID was an empty string are now reported in audit as having their unique user identifier missing
  • [MDP-8183] - Improved error handling when users were sent to sign in at a disabled domain
  • [MDP-8198] - Users using a URL containing a organisation id of 0 were seeing an internal server error

Release date: 31st May 2019

Notable changes
  • [MDP-4999] - Added support for HTTP-POST for SAML based local connectors
  • [MDP-7248] - Add in support for Sirtifi (
  • [MDP-7426] - Changes in the schema editor were not always reflected in the UI until the cache cleared
  • [MDP-8050] - The 'Account > Totals > By attribute' report now includes local accounts
  • [MDP-8058] - Accessibility improvements on the authentication point
  • [MDP-8112] - Some less-common characters were not supported in the Unique ID field for local accounts
  • [MDP-8139] - ADFS connectors using organisation mapping could be downgraded to http from https in certain circumstances
  • [MDP-8140] - Fixed a CSS issue around the forgotten password confirmation message
  • [MDP-8150] - Fixed CSS issues when selecting connections at the authentication point
  • [REP-244] - Could not transfer to reporting from the admin area in certain circumstances
  • [REP-246] - Attributes that have the reportable option removed will no longer appear as breakdown options in reporting
  • [REP-300] - Clean up duplicates created before the release of [REP-245] -
  • [REP-319] - Non-interactive sign-in via the management API was not recorded in reports
  • [REP-356] - Could not remove people from a scheduled report distribution list

Release date: 25 April 2019

Notable changes
  • [REP-293] - Removed the unique average column from reports (was of no use unless the period matched the granularity).

Release date: 3 April 2019

Notable changes
  • [CSP-3115] - Hide from discovery option moved from a domain preference to a connection preference
  • [MDP-4245 / 7527 / 7637 / 7797] - Various improvements to auditing, including local account activity
  • [REP-201] - Account totals reports now distinguish between organisations that do and don't have their own scopes
  • [REP-280] - Account totals reports displayed zero for breakdowns of choice attributes if the name contained a space

Release date: 14 March 2019

Notable changes
  • [REP-174] - Added a link from the reporting interface to the admin interface
  • [REP-206 / MDP-7819] - Column headings could be unclear in certain circumstances
  • [REP-214 / 236] - Interface shows a progress bar and no longer times out when generating very large reports
  • [REP-245] - Local authentication usernames could appear twice in reports in certain circumstances

Release date: 7 February 2019

Notable changes
  • [REP-21] - Replace unique total with average on the authentication report
  • [REP-142] - Remove totals series from the Account totals by status report
  • [REP-207] - Fixed error on accessing some scheduled reports from emailed links
  • [MY-35] - Fixes to the MyAthens panel editor

Release date: 19 December 2018

Notable changes
  • [MDP-7736, MDP-7812, MDP-7820] - Certain situations could see a hop from https to http and back again
  • [MDP-7617] - transfers to the authentication point quoting an invalid entityID now have a more presentable error message
  • [MPP-7845] - audit sourced values on the homepage link to the relevant audit stream once more

Release date: 15 November 2018

New features


Available to


Audit-based activity for your organisation is available on the dashboard and audit pages for events from todayAllSee: Auditing
Local authentication connectors can now transform inbound attributes to another output valueSites using local authenticationSee: Attribute transformation
New interface-based bulk modify actionSites using OpenAthens accountsSee: How to modify many accounts at once
Automatic banning of accounts when misuse is detectedAllSee: About banned accounts
Core OpenAthens attributes can be set as reportable (including username)AllSee: Schema editor
Choice and yes/no attributes added as breakdown options on Account totals reportsAllSee: Account reports
Quick search extended to local accountsSites using local authenticationSee: About search
Notable bug fixes
  • [MDP-7548] - The expiry date quoted in the account expiring emails was in an unhelpful format
  • [MDP-7616] - SAML requests that cannot be decoded now return a relevant "bad request" error instead of a "something went wrong" error
  • [REP-159] - Report downloads were failing with error: "Cannot create a text value from null."

Release date: 9 October 2018

Notable changes and enhancements
  • [REP-144] - The old statistics menu item now says 'Archive'
Notable bug fixes
  • [MDP-7616] - A more helpful error is now returned when a non-decodable SAML request is received from a Publisher.

Release date: 6 September 2018

Notable bug fixes
  • [MDP-7216] - Expiry date was reduced by 1 day on save when the expiry date was within daylight saving time of the admin-user's locale

Release date: 22 August 2018

Notable bug fixes
    • [MDP-7434] - Users mapped to multiple organisations using a local authentication connector were encountering a 500 error
    • [MDP-7490] - Accounts that had been deleted still received an account expiry email if they were within the recovery window

Release date: 14 August 2018

Notable bug fixes
  • [MDP-7264] - "Contacting your OpenAthens administrator function" in the MyAthens help page was not working

Release date: 2 August 2018

New features
FeatureAvailable toNotes
A sub-organisation can now have a distinct entityIDAllMust be requested via the service desk.
Sub-organisations with their own entityID have their own redirector prefixAll
Notable changes and enhancements
Notable bug fixes
  • [MDP-3009] - Confirmation emails were not being sent on bulk upload success
  • [MDP-3671] - Local accounts that passed an AthensDALegacyUID attribute that was empty encountered a 500 server error instead of a 400 bad request error
  • [MDP-3872] - Calendar defaulted to 1906 after attempting to manually enter incorrect date format when creating a new personal account
  • [MDP-7237] - The continue button during password reset didn't work on branded login pages

Release date: 17 July 2018

Notable bug fixes
  • [CSP-2880] - Edits to MyAthens web content panels were not published
  • [CSP-2881] - MyAthens was not setting target = "_blank" when specified on web content panel links

Release date: 3 July 2018

New features:
FeatureAvailable toNotes
Set custom attributes as reportableAll
Notable changes and enhancements
  • [CSP-2778] - Allow administrators to bulk generate redirector links
  • [CSP-2744 / 2767 / 2745] - Activity performed by the System, OpenAthens service desk and partners is now identified as such in the account activity stream. See: Auditing
  • [CSP-2745] - Activity performed by a customer API keys is now displayed on the account activity stream - e.g. self-registration actions
Notable bug fixes
  • [MDP-3181] - Unable to see full organisation name when moving accounts
  • [MDP-6544] - Number of users displayed on group and permission set buttons included deleted accounts
  • [MDP-6547] - Activation code was not always being replaced in emails for resetting password
  • [MDP-7216] - Expiry date was reduced by 1 day when the administrator clicks save
  • [MDP-7267] - Admin account activation emails had a link to the old federation manager

Release date: 6 Jun 2018

New features:
FeatureAvailable toNotes
Reporting beta updated to include report scheduling and several new report typesAllSee: Reporting
SAML connections now support SHA-256 signingSAML connections
Allow usage of the same SAML IdP to be used by multiple customersSAML connections
Account activity can now been seen on the account details pageOAMD account usersSee: Auditing

Notable changes and enhancements

  • [CSP-2306] - Access to MyAthens admin, the statistics archive and the support interface whilst impersonating a sub-org is now possible. 

Release date: 21st May 2018

Notable bug fixes

  • [CSP-2648] - Corrected a bug that caused Job roles to be incorrectly captured  between 14 April and 21 May in the retiring statistics package for a small number of customers.

Release date: 20th February 2018

Notable changes and enhancements:

Notable bug fixes

  • [MDP-6245] - Deleted accounts were appearing in the counts on the dashboard buttons

Release date: 25 January 2018

Notable changes and enhancements:

  • [MDP-5796 / MDP-6262] - Organisation search sometimes returned incorrect results
  • [MDP-5882] - Update the ADFS Connector to deal with the way objectSid was interpreted by Shibboleth's LDAP connection to generate targetedIDs so that sites upgrading to OpenAthens can maintain users' IDs. See: objectSid and ADFS
  • [MDP-6001] - Domains can now be flagged as hidden in organisation discovery services. See: Domain preferences

Release date: 9 January 2018

Notable changes and enhancements:

  • [MDP-4981] - Back end work done to support upcoming changes to account deletion means that account usernames will not be available for recycling for 30 days after deletion.

Release date: 23 November 2017

Notable changes and enhancements:

  • [MDP-3815] - Can now maintain targetedID values when moving from OpenAthens accounts to using a Local authentication connection. See: How to maintain user identifiers when you move to a local connection.
  • [MDP-5535] - When a user is mapped to multiple organisations by a SAML connector (e.g. ADFS, CAS) they will now see an organisation selection option rather then receiving an error.

Release date: 26 October 2017

Notable bug fixes

  • [MDP-5838] - Resending an account activation email did not contain an activation code

Release date: 17 October 2017

Notable changes and enhancements:

  • [MDP-4184] - Administrators can define an address to forward the users too after they activate their accounts. See: Domain preferences
  • [MDP-5368] - Automatic deletion of expired or non-activated accounts now has a maximum setting of 365 days. See: Organisation preferences and Domain preferences
  • [MDP-5369] - Automatic deletion of cached local accounts is now has a maximum setting of 365 days.
  • [MDP-5387] - User-facing error pages now contain a link to find administrator details

Notable bug fixes

  • [MDP-5599] - An error was not being displayed when creating a connection that contains more than 2 certificates
  • [MDP-4405] - Triggering a password change and not changing the password left accounts in a state which the automatic deletion process took as non-activated.

Release date: 24 August 2017

Notable changes and enhancements:

Notable bug fixes

  • [MDP-4405] - Triggering a password change and not changing the password left accounts in a pending state which could lead to automatic deletion 
  • [MDP-5276] - Fixed problem where having exactly two permission sets assigned could cause problems with authentication under certain circumstances
  • [MDP-5279] - Fixed the underlying problem that interupted the service on 17 July
  • [MDP-5292] - Domain logos were not being added to the OpenAthens federation metadata when updated
  • [MDP-5304] - An incorrect cookie home organisation was being set when logging in under certain circumstances
  • [MDP-5372] - Bulk upload was no longer returning an error when unknown admin or permission sets were specified

Release date: 22 June 2017

Notable changes and enhancements:

  • [MDP-850] - Support added for use of NameID as the identifier for SAML local authentication connections.
  • [MDP-4360] - Login failures from brokered local authentication connections now have more granular information.
  • [MDP-4576] - /wiki/spaces/Libraries/pages/5079131.
  • [MDP-4596] - When OpenAthens accounts had been specified alongside multiple local authentication connectors, selecting OpenAthens account as the method was not remembered.
  • [MDP-4863] - Including a space in a quicksearch was giving unexpected results.

Release date: 15 June 2017

Notable changes and enhancements:

Release date: 4 May 2017

Notable bug fixes:
  • [MDP-4597] - Audit did not record the username for local accounts when they were blocked, which prevented some batch jobs from running.
  • [FN-2187] - Element refused to fire on execute command.

Release date: 20 April 2017

Notable changes and enhancements:
  • [MDP-3056] - The InCommon federation is now supported for customers who are members
  • [MDP-3817] - Searching for organisations on the forgotten password page now finds contact details - See: About the authentication point
  • [MDP-4071] - The account move dialog has an improved search function
  • [MDP-4422] - To avoid confusion, the catalogue no longer highlights resources where the redirector will fallback to using the access URL
Notable bug fixes:
  • [MDP-3954] - The Redirector was not selecting the correct syntax when the OpenAthens federation was disabled for a customer (e.g. only configured for UK federation)
  • [MDP-4220] - Permission set mapping rules could disappear from an inherited local connection
  • [MDP-4307] - Where multiple local auth connections were available, the authentication point did not remember the selected choice in some circumstances

Release date: 14 February 2017

Notable bug fixes and other enhancements:
  • [MDP-4157] - Local connection flags and types not displaying correctly
  • [MDP-4158] - Self-registration link display missing from the management menu
  • [MDP-4159] - Corrected the date format used on the account list pages
  • [MDP-4194] - Unable to edit account details when there were multiple hyphens in telephone fields

Release date: 7 February 2017

Notable bug fixes and other enhancements:
  • [MDP-2801] - LDAP Status Indicator error messages made more helpful.

Release date: 15 December 2016

New features:
FeatureAvailable toNotes
Any resources with an access URL can now work with the IP bypass function of the redirectorAllAllows more resources to be used with bypass zones. See: Redirector IP bypass zones
Resources can be configured to skip the IP bypass functionAllFor resources that do not support IP auth and OpenAthens access at the same time they can be set to ignore any IP bypass zones you have set up.
Custom attributes can now be deletedAllSee: Schema editor
Notable bug fixes and other enhancements:
  • [MDP-3075] - Bad-word password enforcement now case insensitive
  • [MDP-3605] - The Redirector intermittently failed to fetch the syntax for some resources
  • [MDP-3723] - Elastic search re-indexing more tolerant of ongoing operation
  • [MDP-3733] - Was possible to have conflicting activation codes in certain circumstances
  • [MDP-3819] - NHS England account approval email was having issues with token replacement
  • [MDP-3861] - Select all > Action was not available on quicksearch results
  • [MDP-3870] - Ability to create custom SAML resources was not available to all users
  • [MDP-0000] - Happy holidays to all our readers

Release date: 16 November 2016

New features:
FeatureAvailable toNotes
Releasable attributes can be aliasedAllAllows attributes to be released under different names without having to duplicate data. See Attribute release
Local directory connections that map to sub-organisations now have the same permission set and suspend rule options as unmapped connectionsLocal directory usersSee: Organisation mapping
All core attributes are now available on the release policy page for release or aliasingAllYou can now release fields such as title and telephone should you wish
Notable bug fixes and other enhancements:
  • [MDP-3185] - Local connections mapped to sub-organisations were not always using the correct permission set
  • [MDP-3365] - The bulk upload failure report is updated to only include data columns from the original upload
  • [MDP-3588] - Deleting an organisation did not remove it from any organisation mapping
  • [MDP-3609] - Updated org-list page:
  • [MDP-3617] - Dashboard button numbers could vary from search result numbers in certain circumstances
  • [MDP-3742] - Custom attributes were not searchable in certain circumstances
  • [MDP-3765] - Organisation mappings could not be added in certain circumstances
  • [MDP-3785] - Email templates that contained cc or bcc fields had stopped being sent

Release date: 6 October 2016

Notable bug fixes and other enhancements

Release date: 4 October 2016

Notable bug fixes and other enhancements
  • [MDP-3554] - Quicksearch did not return results for full email addresses
  • [MDP-3567] - Can now sort search results by the Owner field
  • [MDP-3668] - NHS England account eligibility changes did not update the search index correctly

Release date: 13 September 2016

Notable bug fixes and other enhancements
  • MDP-3568 - Date formats are now consistent across the system. All parts of the interface now all use the international ISO-8601 format, matching that used in the API, downloads and upload functions (YYYY-MM-DD)
  • MDP-3554 - Quick-search updated to run a prefix search across first name, last name as well as username. See: About search
  • MDP-3338 - The connections page was showing the domain's scope whether or not the organisations had a unique scope (display issue only)

Release date: 23 August 2016

Notable bug fixes and other enhancements
  • MDP-3073 - If a users session expired on (old) they had difficulty signing in again without closing their browser
  • MDP-3521 - Removed customised resources view in MyAthens for customer domains that had this enabled

Release date: 17 August 2016

Major new features
FeatureAvailable toNotes
Improved search function - speed and flexibilityAll

Search results are now almost instant for even the largest domains.In-field operators are now available.

See: About search

Maximum number of accounts that can be downloaded in one go has been increasedAllThe search improvements have meant the limit can be increased from ~20k to 70k
Improvements to groupsAll

New group management page

Search results can be filtered by group and have a new action available to allocate groups

Redirector improvements for customers in the UK Access Management federationUK federation membersA default federation can be set for situations where there would be differences in entityIDs or access URLs between the federations.

Notable bug fixes and other enhancements
  • [MDP-2736] - Including an apostrophe in a name on the move accounts dialog no longer breaks the filter
  • [MDP-3203] - Issues with the display of Advanced Search and Join Requests in Google Chrome
  • [MDP-3376] - Validation was excluding some characters from endpoint URLs incorrectly
  • [MDP-2796] - Deleting accounts after a select-all did not work
  • [MDP-3081] - Where our partners provide first line support, the log-a-query link in the admin area can now point to them directly
  • [MDP-3328] - SPs expecting the old SAML1 attribute name for scopedAffiliation in a SAML2 response can now receive it.
  • [MDP-1865] - Signing out of the admin area now presents a login again option.

Release date: 13 July 2016

Notable bug fixes and other enhancements
  • [MDP-3274] - When the user now logs out user sessions are now terminated on the new and old authentication point
  • Generating of stats reports have now been limited to a 5 year period. If you require reports before this period please contact the service desk

Release date: 15th June 2016

Notable bug fixes and other enhancements
  • [MDP-3078] - LDAP driver bug for local accounts with Arabian characters meant that users details were not being displayed correctly;
  • [MDP-3184] - Logging in with an Organisation Mapped Connection using a sub-organisation did not work;
  • [MDP-3195] - Using the list users in a permission set link was causing a bad request error to be returned to the user;
  • [MDP-3197] - An issue with the LA API Connector creating local accounts when the attributes list was not present caused a 500 error.

Release date: 24 May 2016

Major new features
FeatureAvailable toNotes
Ability to map end-users to sub-organisations when using a Local Authentication connector.LDI Enabled customers

Allows users to be visible to their organisation administrators rather than just to the domain administrator.

Where organisations have different identifiers for separate resource subscriptions, users present those identifiers on resource access.

Ability to specify a URL to direct end-users to after signing out.All customersA domain level setting bypasses the standard OpenAthens sign-out page and directs users to any suitable page
Ability to upload images to be used in MyAthens panels has been removed.All customersImages used in MyAthens panels must now be linked from an https source.
Notable bug fixes and other enhancements
  • MDP-2879 - Attempting to login to the Admin area with an invalid account type will display a relevant error on the new Authentication Point.
  • MDP-3076 - Error when uploading domain logos for customizing the AP.
  • MDP-2977 - When editing a new mapping rule on a local authentication connector, cancelling the edit removed the rule.
  • MDP-2245 - Redirector link generator has been improved to automatically remove any trailing spaces from the target url being generated.

Release date: 5 April 2016

Notable bug fixes and other enhancements
  • [MDP-2858] – Addresses the issue where users SSO session was incorrectly being removed when using the redirector after logging in with MyAthens.

Release date: 31 March 2016

Notable bug fixes and other enhancements
  • [MDP-2822] – Validation prevented customers from adding links to the custom text on the customised Authentication Point;
  • [MDP-2843] -  When customising the AP login page the show registration link not being removed when this option is disabled.

Release date: 23 March 2016

Notable bug fixes and other enhancements
    • [MDP-2831] - Display issues for any Domain account that did not have a scope defined caused the account information not to be displayed correctly.

Release date: 18 March 2016

  • [MDP-2803] - Certain user accounts were unable to login to the SP Dashboard
  • [MDP-2802] - When bulk moving accounts upon selecting the organisation to move the accounts too the name would change incorrectly to the Organisations ID

Release date: 17 March 2016

  • [MDP-2797] - Users cannot bulk move accounts as the bulk account action fails.

Release date: 17 March 2016

Major new features
FeatureAvailable toNotes
/wiki/spaces/Libraries/pages/5079148DA Users

If you wish to migrate from your DA connection and still keep personalisation please contact your Account Manager in the first instance.

/wiki/spaces/Libraries/pages/5079117SAML customers
Ability for customers who use Local Authentication options can now suspend accounts based on customisable rules.SAML, LDAP, API and LA API customers
Ability for customers to brand parts of their login page if the user has pre-discovered

Notable bug fixes and other enhancements
    • [MDP-1147] - Restricting connection creation to organisations that have unique identifiers
    • [MDP-2421] - Support for an organisation using multiple SAML/ADFS connections
    • [MDP-2488] - Allow debug users to view all / non-visible connections for their domain
    • [MDP-2489] - Allow Administrators to manage scopes of sub-organisations
    • [MDP-2620] - Metadata published at did not include scopes of unique sub-organisations
    • [MDP-2629] - Unable to customise the admin account activation email
    • [MDP-2725] - Prevent the attribute OneTimeUse from causing authentication problems. This attribute does not initiate any business logic
    • [MDP-2698] / [MDP-2645] / [MDP-2646] - Domains marked as being disabled, internal or that are owned by SP organisations will no longer appear on the organisation search at the authentication point.

Release date: 09 February 2016

Notable bug fixes and other enhancements
  • MDP-2414 - Allow Partners and Support accounts to generate activation codes for all Administrators

Release date: 02 February 2016

Major new features
FeatureAvailable toNotes
Improved account activation process is now available.All

Organisation accounts can now be created which require the account to be activated with a code so the user creating the account doesn't need to specify a password during creation.

The ability to email the organisation password has been removed.

SAML resources that are not within a federation can be added to the resource catalogueCustomers who have been migrated onto the new Authentication point (

Custom SAML resources can be added so that users can login using OpenAthens. This allows users to add targets such as GoogleApps, Moodle and many others that support SAML authentication into the resource catalogue.

See: Add and manage custom resources

Support for a redirector knowledgebase for UK federation resourcesMembers of the UK federation

Support for the redirector being used to access UK Federated resources has now been added which will extend the redirector to be usable for all our customers.

See: Getting started with the Redirector

A new API for local authentication with credentials created and managed by the customerCustomers who have been migrated onto the new Authentication point (

The local authentication API enables an application to request an OpenAthens session-initiator URL for a local account by making a simple REST call to the authentication API.

See: API connector

Management of API Keys within the Admin AreaAll

No longer need to log a support call with the Service desk to create them.

See: API keys

Customise the SAML Name ID format for specific resourcesCustomers who have been migrated onto the new Authentication point (

The attribute release policy features have been extended to allow Domain users to specify what Name ID format should be used when authenticating into a resource.

See: Attribute release

Notable bug fixes and other enhancements
  • MDP-177 - You could not set federation resources as favourites in MyAthens
  • MDP-554 - Federated connection display names were not being populated automatically when new customers were created
  • MDP-611 - Custom search panel - hidden parameters were being removed
  • MDP-911 - Token URL generated in UAT contained reference to the live authentication point for non-interactive session creation
  • MDP-1227 - Account Advanced Search Result UI could not handle organisation name with non-English characters
  • MDP-1304 - Updated password popup help box
  • MDP-1396 - Organisation name was not being displayed in MyAthens when owner is not a unique organisation
  • MDP-1852 - DA Encryption key help text had wrong information
  • MDP-1907 - Permission Sets for user were being lost when attempting to move account to the same organisation via the API
  • MDP-1936 - Improved user journey for adding of Local Authentication connections
  • MDP-1964 - Allow administrators to copy entity ID and scope from connections page
  • MDP-1985 - Account status of accounts within domain not owned by sub-organisation was not readable
  • MDP-2061 - "non-activated accounts" automatic deletion was not honouring setting on the "domain preferences" page
  • MDP-2128 - Updated restrictive mode warning dialogue
  • MDP-2246 - Account list tab read 'Accesss'
  • MDP-2268 - Refreshing custom SAML resource reset visible and hidden flags
  • MDP-2280 - Domain Manager - users now prevented from adding duplicate scope values
  • MDP-2304 - New authentication point enhanced to block accounts that are marked as ineligible
  • MDP-2402 - "Use Default Permission Set" checkbox not persisted when modifying a SAML connection
  • MDP-2422 - Allow users to view more than 10 results on organisation search on the new AP
  • MDP-2423 - User is now redirected to OpenAthens Website if user navigates to

Release date: 10 December 2015

Notable bug fixes and other enhancements
  • MDP-2110 - 'Total activated’ column on the organisation summary page was showing the incorrect total for activated accounts

Release date: 8th December 2015

Notable bug fixes and other enhancements
  • MDP-2060 - Customized emails were being sent as plain text incorrectly which meant the HTML tags were being displayed
  •  MDP-2082 - Saving a Federated Resource that are redirectable causes display issues
  •  MDP-2085 - Removing the option that allows Administrators to delete a user group and the accounts in it at the same time

Release date: 27 October 2015

Major new features

The Administration Area and the DSP area are now authenticated using the new Authentication point at

Notable bug fixes and other enhancements
  • MDP-1613 / MDP-1719 - Terminology updates in the Administration Area
  • MDP-1525 - Date range picker now takes into account from 'From' date when setting the value of the 'To' date
  • MDP-1719 - Organisation ID attribute is now called Organisation Number
  • MDP-1713 - Non-live federated resources are now not visible in the resource catalogue (e.g. test and development versions)

Release date: 15 October 2015

Notable bug fixes and other enhancements
  • MDP-1708 - Users were not able to remove attachments from customized email templates
  • MDP-1709 - Incorrect error message being displayed when a bulk upload failed
  • MDP-1710 - Data issue caused some users to not be able to save domain preference modifications

Release date: 1 October 2015

Major new features
FeatureAvailable toNotes
RedirectorAllCompatible resources can be deep linked by putting a target URL at the end of a customer specific, consistent link.
Release policy editor
(core attributes)
AllControl which core attributes are released to service providers
Schema editorMostAllows collection and storage of custom attributes in our systems
Not available to users of custom self-registration
New authentication point*Federated usersThose that exclusively use federated resources via the LDAP and ADFS integration can move to using the new authentication point
Release policy editor
(custom attributes)
Federated usersAbility to release custom attributes to service providers as well as core attributes.
Requires new authentication point which is being released on the 6th October.
LDAP integrationFederated users

Use a LDAP server (including Active Directory) instead of creating and managing OpenAthens accounts.

Requires new authentication point which is being released on the 6th October.

ADFS integrationFederated users

Use Active Directory Federation Server instead of creating and managing OpenAthens accounts.

Requires new authentication point which is being released on the 6th October.

* At this time the new authentication point is enabled to authenticate with federated resources. The features that depend on the new authentication point will be made available to other users in later releases.

Notable bug fixes and other enhancements
  • MDP-136 - if you leave a page and have not saved changes there is now a warning message
  • MDP-409 - resource catalogue now searches on entityID as well as name and description
  • MDP-607 - Line feeds removed from Redirect SAML Requests
  • MDP-1229 - MyAthens preferences were not cleared when a unique organisation reverted to an organisation
  • MDP-1360 - updated organisation delete process - now deletes accounts owned by organisation instead of moving them
  • Columns in list views are now remembered across sessions
  • Some minor terminology changes

Release date: Thursday 11 December 2014

New features
  • Updated password policy
  • Updated bulk upload validation (duplicate passwords & other checks)
  • DA details visible on Connections page
  • Enter now executes the search on the search page
  • Data download updated to XLSX format to avoid problems with spreadsheet software changing date formats
  • Custom self-registration users can view details in the administration pages
  • Public contact details moved into the administrator account
  • Search results limit trigger raised from 10,000 to 20,000 results
  • Help text and test button added to access URL field on resources
Bug fixes
  • OPP-1361. Restrictive mode no longer incorrectly blocks certain resources
  • OPP-2212. Bulk upload template: Permission set validation no longer blocks text entry  
  • OPP-1938. Federated resources that had a description of over 255 characters couldn't be modified
  • OPP-1997. Catalogue search results would be lost when accessing resource details in the same window

Release date: Friday 28 November 2014

Withdrawn features
  • Athens agent protocol
This affects
  • Posting to the Authentication Point. Sites using this should update to using the API for non-interactive sign in - see: about the REST API
  • Athens agent resources