...

Field / Explanation

Name

The name of the connection as it will appear to users at our authentication point.

Directory type

Used to set default values in other places on the form.

Server host

The address where OpenAthens can connect to your server. This address will need to be accessible by our services from outside of your network.

Server port

The port that your server uses for LDAP traffic. You can specify a non-standard port if necessary.

Connection type

The form of security used. StartTLS is the standard but ldaps:// can be chosen if you prefer.

Admin bind DN

The full distinguished name of a user that can connect and view all the users you need to authenticate, e.g.:

cn=openathens,cn=users,dc=ad,dc=yourdomain,dc=net

Bind password

The password for the user specified in the admin bind DN.

Base DN

The distinguished name of your directory, e.g.:

dc=ad,dc=yourdomain,dc=net

Filter

Allows you to specify the username field, plus limitations where necessary. The field you identify as =${uid} will be used as the username in login dialogs.

Display name attribute

This defaults in AD to 'sAMAccountName' and in LDAP to 'cn'. It is the value displayed in account lists and audit where you would normally see the OpenAthens username. You can choose any attribute.

Unique user attribute

This should be an attribute that will always be unique to that user; it is used in the generation of targetedIDs. It defaults in AD to 'objectGUID' and in LDAP to 'cn'. If you are migrating from another local authentication system, you may want this to match your old setting.
Salt value

The salt used to generate a targetedID. This is intended to be used when you are migrating from something like OpenAthens LA to MD and is provided so that your users can have the same targetedID value when they change systems.

Leaving it blank is usually the correct thing to do (it uses the same seed as your MD accounts). Modifying this after you go live will change the identifiers seen by service providers for all your users, which is rarely desirable.

Status

Live & visible = production ready. Users will be able to access this login at the authentication point. If you have only one connection it will become the default login whenever your organisation is known (e.g. for any resources where access involves your entityID).

Live and not visible = testing mode. Will work with the supplied test URL (when available), but the authentication point will only use OpenAthens accounts.

Not live = cannot be used. The visibility setting is ignored.

Changes to the status usually take effect within moments.

Create local accounts

Automatically - any user authenticated by your system is deemed OK and will be accepted by the system.

Manually - only user IDs you have previously uploaded will be accepted by our systems. See how to limit which local accounts can log in.

Example filters

Instead of specifying only a username field, the use of a filter allows compatibility with a greater variety of LDAP structures - e.g. where including all valid users requires binding to a node that will also include invalid users, the filter can be set to exclude the invalid users.

...

(&(objectCategory=Person)(|(mail=${uid})(sAMAccountName=${uid}))) - An example where the default has been modified to accept either the email address or the Windows username as the username, along with the object category of person. The 'or' here is signified by the easy-to-miss pipe just before (mail=...

(&(objectCategory=Person)(mail=${uid})(memberOf=cn=students,dc=domain,dc=com)) - An example Active Directory filter still requiring the user to have an object category of person, but this time using the primary email address as the username and additionally limited to users in the students security group.
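The two filters above and the ${uid} substitution from the Filter field, worked through as an added example (this is not OpenAthens code): the login name is hex-escaped per RFC 4515 before it replaces ${uid}, so characters such as * or ) typed into the login dialog stay a literal value rather than altering the filter, and the template is checked for a ${uid} placeholder and balanced parentheses before use.

```python
"""Render and sanity-check an LDAP filter template of the kind shown above.

Added example, not OpenAthens code. The ${uid} placeholder is the one the
page describes; escaping follows RFC 4515 section 3.
"""
from string import Template

# Filter templates copied from the page's examples.
AD_EMAIL_OR_SAM = "(&(objectCategory=Person)(|(mail=${uid})(sAMAccountName=${uid})))"
AD_STUDENTS_ONLY = "(&(objectCategory=Person)(mail=${uid})(memberOf=cn=students,dc=domain,dc=com))"

# Characters that must be hex-escaped inside an assertion value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever match as a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def template_problems(template: str) -> list[str]:
    """Return a list of reasons the template cannot work (empty if it is usable)."""
    problems = []
    if "${uid}" not in template:
        problems.append("filter does not contain ${uid}")
    depth, went_negative = 0, False
    for ch in template:
        depth += ch == "("
        depth -= ch == ")"
        went_negative = went_negative or depth < 0
    if depth != 0 or went_negative:
        problems.append("unbalanced parentheses")
    return problems


def render_filter(template: str, uid: str) -> str:
    """Substitute the escaped login name for every ${uid} in a valid template."""
    problems = template_problems(template)
    if problems:
        raise ValueError("; ".join(problems))
    return Template(template).substitute(uid=escape_filter_value(uid))


if __name__ == "__main__":
    print(render_filter(AD_EMAIL_OR_SAM, "jdoe@yourdomain.net"))
    # A login name containing filter metacharacters is neutralised by escaping:
    print(render_filter(AD_STUDENTS_ONLY, "*)(objectClass=*"))
```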

...

  • There is an admin bind to your directory to discover the full distinguished name (DN) of the user, based on whichever attribute you have defined as the user ID
  • Once the user's DN is known, it is used with the user's password to bind for authentication and to request any mapped attributes

All connections from us will come from specified IP addresses, available from the service desk, and any changes to these would be communicated in advance.