...

When you're ready to go live, check both the live and visible boxes and then save. Your new connection should be available on the authentication point in a few seconds.

Testing

Since OpenAthens accounts will still work if entered (see below), some sites are happy to test by setting the connector to live & visible for periods of time. You can also use debug mode to make all connections visible and selectable by you without anything being visible to your users. 

How to use LDAP alongside OpenAthens accounts or other connections

If this is your only local connection, once you set it as both live and visible it becomes the expected way for users to sign in to OpenAthens wherever the system knows the user is yours, e.g. where the user has selected your organisation from a WAYF on a federated resource or the system remembers a user's previous choice. Where the system does not know the user is yours, only the OpenAthens account login will appear, but the user can find you via the search box; once your organisation is selected, the user is taken to your connection.

Users with OpenAthens accounts from your organisation can still sign in by entering their username and password in the same login box as the LDAP accounts.

Should you need to show more than one LDAP option, the user will see a drop-down list above the credentials boxes. This will contain all LDAP connections set as live and visible.

If you have a mix of LDAP and SAML connections - e.g. LDAP for students and ADFS for staff, this is presented as a selection box in an overlay. Local connections are remembered if chosen.


In these cases, selecting the OpenAthens option will show the first LDAP connection and the OpenAthens credentials will be accepted there.

What the fields are for

Field / Explanation

Name

The name of the connection as it will appear to users at our authentication point.

Directory type

Used to set default values in other places on the form.

Server host

The address where OpenAthens can connect to your server. This address will need to be accessible by our services from outside of your network.

Server port

The port that your server uses for LDAP traffic. You can specify a non-standard port if necessary.

Connection type

The form of security used. StartTLS is the standard but ldaps:// can be chosen if you prefer.

Admin bind DN

The full distinguished name of a user that can connect and view all the users you need to authenticate, e.g.:

cn=openathens,cn=users,dc=ad,dc=yourdomain,dc=net

Bind password

The password for the user specified in the Admin bind DN.

Base DN

The distinguished name of your directory, e.g.:

dc=ad,dc=yourdomain,dc=net

Filter

Allows you to specify the username attribute, plus any restrictions where necessary. The attribute you identify as =${uid} will be used as the username in login dialogs.

Display name attribute

This defaults in AD to 'sAMAccountName' and in LDAP to 'cn'. It is the value displayed in account lists and audit where you would normally see the OpenAthens username. You can choose any attribute.

Unique user attribute

This should be an attribute that will always be unique to that user; it is used in the generation of targetedIDs. It defaults in AD to 'objectGUID' and in LDAP to 'cn'. If you are migrating from another local authentication system, you may want this to match your old setting.
Salt value

The salt used to generate a targetedID for users authenticated by this connection.

You might edit it if you were migrating from something like OpenAthens LA to MD so that your users can have the same targetedID value when they change systems. If you set it to blank the connection will use the same salt as your MD accounts.

Modifying this after you go live will change the identifiers seen by service providers for your users, which is rarely desirable.

Status

Not live = Can only be used in debug mode.

Live and not visible = Can only be used in debug mode.

Live & visible = production ready. Users will be able to access this login at the authentication point. If you have only one connection it will become the default login whenever your organisation is known (e.g. for any resources where access involves your entityID).

Live and not visible = testing mode. Will work with the supplied test URL (when available), but the authentication point will only use OpenAthens accounts.

Not live = cannot be used. The visibility setting is ignored.

Changes to the status usually take effect within moments.

Create local accounts

Automatically: any user authenticated by your system is deemed OK and will be accepted by the system.

Manually: only user IDs you have previously uploaded will be accepted by our systems. See how to limit which local accounts can sign in.
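As an added example (not OpenAthens code), the following hypothetical pre-flight helpers show what the Filter, Admin bind DN and Base DN fields above feed into: the username is substituted for =${uid} only after RFC 4515 escaping, so a typed username can never alter the filter's structure, and the two DNs are parsed to confirm the bind account sits under the Base DN. The filter template, DN values and layout expectation are constructed assumptions for illustration.

```python
"""Pre-flight checks for an LDAP connector's form fields (hypothetical helpers)."""

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so filter metacharacters match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, uid: str) -> str:
    """Substitute the typed username into the Filter field's template.

    The template must reference the username exactly once as =${uid};
    the value is escaped first, so it can only ever be matched as data.
    """
    if template.count("=${uid}") != 1:
        raise ValueError("filter must contain =${uid} exactly once")
    return template.replace("${uid}", escape_filter_value(uid))


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def check_bind_under_base(bind_dn: str, base_dn: str) -> bool:
    """True when the Admin bind DN lies inside the Base DN (assumed usual layout)."""
    bind, base = parse_dn(bind_dn), parse_dn(base_dn)
    return len(bind) > len(base) and bind[-len(base):] == base
```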

...