...

Process for keeping the same entityID

Prerequisites

  • The authentication store you are connecting to OpenAthens is the same one you were using with OALA, and it will be passing the same user identifier (if maintaining user IDs).
  • You have access to the OpenAthens administration site
  • You have access to the OALA administration console
  • You have looked up your OpenAthens domain name (usually the same as your scope)

Process

  1. Connect your local datastore to OpenAthens. There are several options (see: Connections). You will probably need help from your IT team for this bit. 

    1. If you are using ADFS to replace an Active Directory connection and were using objectSid as the user identifier, there is an extra step. Otherwise you just need to make sure that ADFS is sending the required attributes and that you enter the claim names exactly.
       
  2. Over and above the standard setup of your connection you will need to: 

    1. Set the 'Unique user' attribute to be an attribute or claim containing the same value as the username field on OALA's authentication store tab

    2. Set the 'Salt value' to match the salt on the targetedID attribute(s) on the attributes tab

  3. Contact our service desk and ask them to update your entityID in our systems if it is different from OALA

    1. The default method will have you appear in the OpenAthens federation. This is usually desirable for things like the redirector, but during the time between the changes happening in both federations it can lead to some organisation discovery pages being inconsistent about which login point they send the user to. If you are affected and the period between updates will mean a significant impact on your users, we can leave your entityID out of the OpenAthens federation until a point after the change.

  4. Contact the UK federation and have them update your entity. 

    1. What they need you to send them is your entityID, the new 'endpoints' and new certificate

      1. First go to your OpenAthens metadata page at https://login.openathens.net/saml/2/metadata-idp/YOUR_OPENATHENS_DOMAIN/c/ukfed 

      2. Near the bottom you will find two lines that start with "<md:SingleSignOnService". The URLs on these lines are the 'endpoints' you need to copy

      3. The certificate is the block of text just above the endpoints between <ds:X509Certificate> and </ds:X509Certificate> 

    2. Send those, your entityID and the metadata address with a covering note to service@ukfederation.org.uk.  

  5. Update links

    1. Your best bet is to update links to use the OpenAthens Redirector as this will (for compatible resources) allow you to simply add a target page to the end of a consistent prefix and will work out the rest in the background. If you are using an LMS or link resolver that has a proxy prefix feature, the redirector prefix can usually be inserted there.

    2. In other cases:

      1. Wayfless links that start with the SP's address will continue to work as is

      2. Wayfless links that started with OALA's SSO address should not need to exist any more, but if you have any that aren't compatible with the redirector you can replace the OALA SSO address with the ones in the endpoints you identified in step 4. You should try the one with /saml/2/ in it first.   

...

Process for using a different entityID

Prerequisites

  • You have access to the OpenAthens administration site
  • You have looked up your OpenAthens domain name (usually the same as your scope)

Process

  1. Connect your local datastore to OpenAthens. There are several options (see: Connections). You will probably need help from your IT team for this bit. 

  2. Contact our service desk and have them set the desired entityID value in our systems

  3. Contact the UK federation and have them register the additional entity

    1. What they need you to send them is your entityID, the 'endpoints' and certificate

      1. First go to your OpenAthens metadata page at https://login.openathens.net/saml/2/metadata-idp/YOUR_OPENATHENS_DOMAIN/c/ukfed 

      2. Near the bottom you will find two lines that start with "<md:SingleSignOnService". The URLs on those lines are the 'endpoints' you need to copy

      3. The certificate is the block of text just above the endpoints between <ds:X509Certificate> and </ds:X509Certificate> 

    2. Send those, your entityID and your metadata address with a covering note to service@ukfederation.org.uk

  4. Contact your resource providers and give them your new entityID (and scope) so that they can update your subscription details. Some may be able to support multiple entityIDs and scopes at the same time, but many will not, so you should expect to have to coordinate a changeover date. At the arranged time, your old IdP will no longer work for access to resources and your new one will. Access may be spotty for the duration of the publishers' changes.

  5. Update links

    1. Your best bet is to update links to use the OpenAthens Redirector as this will (for compatible resources) allow you to simply add a target page to the end of a consistent prefix and will work out the rest in the background. If you are using an LMS or link resolver that has a proxy prefix feature, the redirector prefix can usually be inserted there.

    2. In other cases:

      1. Wayfless links that start with the SP's address will continue to work as is

      2. Wayfless links that started with OALA's SSO address should not need to exist any more, but if you have any that aren't compatible with the redirector that you still need to use, you can replace the OALA SSO address with the ones in the endpoints you identified in step 4. You should try the one with /saml/2/ in it first.   

...