Updating metadata or relying party certificates for SAML local connectors

We are updating our encryption certificate within our metadata. If your organisation uses a SAML based local connector to sign users into OpenAthens, you may need to take immediate action to prevent disruption to service.

Updates must be in place before Monday 3 February 2025

We periodically have to update the certificate used to secure messages between OpenAthens and SAML based local directory services. Each certificate lasts several years.

In the months before the update takes effect, we’ll contact you about the changes you’ll need to make. When you get such a notice, be sure to pass it to the people who can make the changes. It will probably include a link to this page.

What does your organisation need to do?

The steps you need to take vary between the directory software at your end.

Some do not store the OpenAthens certificate by default, and will not require any action. E.g:

Microsoft Azure/Entra - no action required
Google Workspace - no action required
Okta - no action required

For the rest, including ADFS and Shibboleth, the best option is to consult its documentation to determine how to update the OpenAthens certificate. Terms can vary but might include:

connecting to a service provider
relying party trust

If your system allows you to add the new certificate alongside the outgoing one in your system, you can avoid downtime for your users.

Updating the certificate by refreshing the OpenAthens metadata

In many systems you can take care of this just by refreshing the OpenAthens metadata. Your local directory may have stored the URL, but if it has not:

In the OpenAthens administration area https://admin.openathens.net:
- Go to Management > Connections
- Select your connection
- Go to the Relying party tab
- Copy the URL for this connections metadata

If you have multiple SAML connections, you will need to repeat these steps for every connection.

Updating the certificate manually

In the case of us updating the certificate, we will have told you what the new one is (see below). You can also extract it from the metadata URL described above.

Support

Our service desk are always happy to help but may be busier than usual near to a certificate change.

Current certificate

This will become the old certificate

View summary

Issued To: E=athenshelp@eduserv.org.uk, C=GB, ST=Somerset, L=Bath, O=Eduserv, OU=OpenAthens, CN=gateway.athensams.net
Issued By: E=athenshelp@eduserv.org.uk, C=GB, ST=Somerset, L=Bath, O=Eduserv, OU=OpenAthens, CN=gateway.athensams.net
Serial Number: 54 ec 42 22
Issued On: Tue Feb 24 2015 09:20:06 GMT+0000 (Greenwich Mean Time)
Expires On: Mon Feb 24 2025 09:20:06 GMT+0000 (Greenwich Mean Time)
SHA-256 Fingerprint: 32 9d 94 4c 88 db 14 98 4d b2 91 78 df ad 3b 39 da 80 01 1a 75 50 2a 80 d5 69 9b 57 7c 9b b2 aa
SHA-1 Fingerprint: 0e ae 65 d2 77 e2 63 b7 17 be 07 1a 5d 85 25 75 21 29 da 8d

New certificate details

This certificate example is the one [being] made live on 3 February 2025 12:00 UTC

Not Before: Apr 9 13:15:36 2024 UTC

Not After : Apr 9 13:15:36 2034 UTC

Serial number: 33e64f9cd5aef2c20b113d3cf08a36c34d80e715

CODE