
SAML interoperability requirements

Introduction

If you already run SAML identity provider (IdP) software, you can use it to sign in to OpenAthens.

This page specifies what your IdP software must be configured to support in order to connect successfully to OpenAthens. It is based on the Interoperable SAML 2.0 Web Browser SSO Deployment Profile, which is the specification OpenAthens adheres to.

Requirements

  • We RECOMMEND using SAML 2.0
  • A SAML 2.0 metadata document MUST be made available via a URL or as an XML file
  • Metadata MUST contain an <md:IDPSSODescriptor> element
  • Metadata SHOULD NOT contain an <md:SPSSODescriptor> element
  • The urn:oasis:names:tc:SAML:2.0:nameid-format:transient name identifier format MUST be supported
  • A persistent user identifier attribute MUST be passed to OpenAthens as part of the attribute statement. This value MUST be consistent for a given user account between different logins.
  • When receiving a SAML request (<saml2p:AuthnRequest>) from OpenAthens the HTTP-REDIRECT binding MUST be supported
  • SAML responses (<saml2p:Response>) to OpenAthens MUST be sent using the HTTP-POST binding and MUST be signed
  • Additional attributes MAY be passed to us as part of the attribute statement to categorise users within OpenAthens

Metadata for local connections into OpenAthens

This metadata is specific to your connection and is available from the connection's relying party tab in the admin interface.
