Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

If you are a UK based education organisation you may want to join the UK education specific 'UK Access Management federation for Education and Research' (sometimes called the UK fed).

Their website has all the The first thing to do is check if you have UK fed enabled in OpenAthens and have our service desk enable it if not. To check: access the administration area and go to Management > Connections. Look for entry in the federations section in the top left and keep the page open so you can reference the details later.


If there is no existing registration our service desk can quickly add one. Your 'scope' must be the same across all federations but your entityID can be different in the UK fed if you need it to match an existing entity - e.g. if you are upgrading from Shibboleth. If you do not specify an entityID, our service desk will duplicate your OpenAthens federation entityID (recommended).

Now you are ready to register with the UK fed.

Their website should be your source of details:

We include here Here we have the relevant bits of information for the second part, where were are the about us that you will need to tell them about your 'outsourced IdP'


. This may be all you need if you are already a member.

The name of the external organisation providing the outsourcing service



"Eduserv OpenAthens"

The entityID of the identity provider which the external organisation proposes to use on behalf of the applicant.


Use the entityID displayed in your administration area for the UK fed as described above. E.g.

If the domain name contained within the entityID belongs to the applicant rather than to the external organisation, an explicit statement by the applicant approving the use of the entityID by the external organisation.

Yes, I am happy for Eduserv to do that "I want Eduserv to manage this entity on my behalf."

Any identifier assigned to the applicant by the external organisation.

Repeat your entityID here.

A contact person (name and email address) within the external organisation.

"OpenAthens Service Desk -"

The security domain(s) that the applicant grants authorisation to the external organisation to assert on its behalf. This normally corresponds to the applicant's registered DNS domain(s). This should be specified in lower case.






You will need to know your OpenAthens domain name. This is usually the same as the scope registered against your domain organisation as seen on the organisation summary.

Metadata address:


E.g. if your OpenAthens domain is, your SAML 2 metadata address will be:

If you want to view this in your browser you may need to add a ?browser parameter to the end of the link, e.g.

Manually specifying connection settings

The metadata address should be sufficient for most SAML targets, however some may instead want you to specify endpoints, certificates and other data manually instead. If they do:

Endpoints / SSO address:


If you are a single organisation, use the scope displayed in your administration area for the UK fed as described above. E.g. ""

If you are a consortia organisation, or have organisational units that will need to be identified as different to service providers, or may have later, or if you are unsure, add a wildcard to your scope. E.g. "*"

Anything else?

They do not ask for this, but it would be helpful to include your metadata address which for them will be



This will be the x509 certificate in the metadata, topped and tailed as follows. This is sometimes called PEM format.

Code Block
Issuer / IDP issuer / identifier

Your entityID, e.g.

Binding / Binding type / IDP Binding

This should be 'Redirect' rather than 'Post'.metadata-idp/domain/c/ukfed where 'domain' is your OpenAthens domain (usually the same as your scope). If you are unsure, our service desk can help. This is slightly different from the metadata address you would use for a custom SAML application