...
Once you set this as both live and visible it becomes the default way for users to log into OpenAthens wherever the system knows the user is yours - e.g. where the user has selected your organisation from a WAYF on a federated resource, or where the system remembers a user's previous choice. Where the system does not know the user is yours, only the OpenAthens account login will appear, but the user can find you via the search box, at which point the LDAP login becomes available.
Users with OpenAthens accounts can still log in by clicking the OpenAthens link on the page to switch their input. This gives you options for providing access to users who are not in your directory, such as temporary users, walk-ins or test accounts for suppliers.
...
Field | Explanation |
---|---|
Name | The name of the connection as it will appear to users at our authentication point. This should be a form of your organisation name so users can find it in a list when they need to. |
Directory type | Used to set default values in other places on the form where Active Directory differs from the underlying LDAP standard. |
Server host | The address where OpenAthens can connect to your server. This address will need to be accessible by our services from outside of your network. |
Server port | The port that your server uses for LDAP traffic. You can specify a non-standard port if necessary. |
Connection type | The form of transport security used. StartTLS is the industry standard, but ldaps:// can be chosen for older systems if you prefer. |
Admin bind DN | The full distinguished name of a user that can connect and view all the users you need to authenticate, e.g. cn=openathens,cn=users,dc=ad,dc=yourdomain,dc=net |
Bind password | The password for the user specified in the admin bind DN. |
Base DN | The distinguished name of your directory, e.g. dc=ad,dc=yourdomain,dc=net |
Filter | Allows you to specify the username field, plus limitations where necessary. The attribute you set equal to ${uid} will be used as the username in login dialogs. |
Unique user attribute | This should be an attribute that will always be unique to that user; it is used in the generation of targetedIDs. In AD it defaults to 'objectGUID'. |
Salt value | The salt used to generate a targetedID. This is intended for use when you are migrating from something like OpenAthens LA to MD, so that your users can keep the same targetedID value when they change systems. Leaving it blank is usually the correct thing to do (it uses the same seed as your MD accounts). Modifying this after you go live will change the identifiers seen by service providers for all your users, which is very rarely desirable. |
Status | Live & visible = production ready. Users will be able to access this login at the authentication point. If you have only one connection it will become the default login whenever your organisation is known (e.g. for any resources where access involves your entityID). Live and not visible = testing mode. Will work with the supplied test URL (when available), but the authentication point will only use OpenAthens accounts. Not live = cannot be used. The visibility setting is ignored. Changes to the status usually take effect within moments. |
Example filters
Instead of specifying only a username field, using a filter allows compatibility with a greater variety of LDAP structures - e.g. where including all valid users requires binding to a node that also includes invalid users, the filter can be set to exclude the invalid users.
...
(&(objectCategory=Person)(mail=${uid})(memberOf=cn=students,dc=domain,dc=com)) - An example Active Directory filter that still requires the user to have an object category of Person, but this time uses the primary email address as the username and is additionally limited to users in the students security group.
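As an added example (not OpenAthens' own code): rendering a connection's Filter field by substituting the login name into ${uid}, with the RFC 4515 escaping that a value typed into a login dialog needs before it is placed inside a search filter. The template is the Active Directory example above; the sample usernames are constructed.

```python
# RFC 4515 section 3: characters that must be escaped inside an
# assertion value so they cannot change the structure of the filter.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, uid: str) -> str:
    """Substitute the login name into every ${uid} placeholder.

    `template` is the operator-configured Filter field from the connection
    form; `uid` is the name a user typed into the login dialog, so it is
    escaped before substitution.
    """
    if "${uid}" not in template:
        raise ValueError("filter template has no ${uid} placeholder")
    return template.replace("${uid}", escape_filter_value(uid))


def is_balanced(filter_text: str) -> bool:
    """Sanity check: parentheses in the rendered filter must balance."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# The Active Directory example filter from the page, keyed on primary email.
STUDENT_FILTER = "(&(objectCategory=Person)(mail=${uid})(memberOf=cn=students,dc=domain,dc=com))"

if __name__ == "__main__":
    # Constructed usernames: an ordinary one, and one containing filter
    # metacharacters that escaping turns into literal characters.
    for uid in ("jane.doe@domain.com", "a*b(c)@domain.com"):
        rendered = render_filter(STUDENT_FILTER, uid)
        print(rendered, "balanced" if is_balanced(rendered) else "UNBALANCED")
```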
...
- There is an admin bind to your directory to discover the FQDN of the user, based on whichever attribute you have defined as the user ID
- Once the user's FQDN is known, it is used to bind with the user's password to authenticate the user and request only the mapped attributes
All connections from us will come from specified IP addresses and any changes would be communicated in advance.