- You have access to the OpenAthens administration site
- You have looked up your OpenAthens domain name (usually the same as your scope)
- Connect your local datastore to OpenAthens. There are several options (see: Connections). You will probably need help from your IT team for this bit.
- Contact our service desk and have them set the desired entityID value in our systems
- Contact the UK federation and have them register the additional entity
- What they need you to send them is your entityID, the 'endpoints' and certificate
- First go to your OpenAthens metadata page at https://login.openathens.net/saml/2/metadata-idp/YOUR_OPENATHENS_DOMAIN/c/ukfed
- Near the bottom you will find two lines that start with "<md:SingleSignOnService". The URLs on those lines are the 'endpoints' you need to copy
- The certificate is the block of text just above the endpoints between <ds:X509Certificate> and </ds:X509Certificate>
- Send those, your entityID and your metadata address with a covering note to firstname.lastname@example.org.
- Contact your resource providers and give them your new entityID (and scope) so that they can update your subscription details. Some may be able to support multiple entityIDs and scopes at the same time, but many will not, so you should expect to have to coordinate a changeover date. At the arranged time, your old IdP will no longer work for access to resources and your new one will. Access may be spotty for the duration of the publishers' changes.
- Update links
- Your best bet is to update links to use the OpenAthens Redirector, as this will (for compatible resources) allow you to simply add a target page to the end of a consistent prefix, and it will work out the rest in the background. If you are using an LMS or link resolver that has a proxy prefix feature, the redirector prefix can usually be inserted there.
- In other cases:
- Wayfless links that start with the SP's address will continue to work as is
- Wayfless links that started with OALA's SSO address should not need to exist any more, but if you have any that aren't compatible with the redirector that you still need to use, you can replace the OALA SSO address with the ones in the endpoints you identified in step 4. You should try the one with /saml/2/ in it first.