OpenAthens SP and OpenAthens Keystone will make the configuration of SAML and the OpenAthens federation easy, but you will still need to become part of any other access management federation where you want to interact with your customers - e.g. universities and colleges who are only in their own national federations.
Since all the other federations are national research and education network (NREN) based, your best first step is to join one that is part of eduGAIN as this can potentially take care of all of the other the ones you need.
The exact method of joining a federation can vary, but those variables are only generally about how you apply and what information they want - e.g. some will want a formal letter on headed paper, some may want proof that you own the internet domain in your entityID, most will perform some form of procedure to confirm you are who you say you are and some will just not tell you how to register entities until you are a signed up member. This page covers the technical information you would need to supply them to register your entity, and translates some of the terminology they are likely to use.
|Entity||The SAML service provider|
|EntityID||An identifier for the entity that is unique within a federation||Read this from the connection record in the publisher dashboard.|
|Display name||What you want your service to appear as in their metadata||The published metadata uses the connection name you have set in the SP dashboard and whilst you will usually want this to match it doesn't have to.|
|Metadata||An XML document that describes the entity|
Automatically generated metadata
|Where we have published your SAML metadata||See next table|
|Federation metadata||An aggregated set of all the entities' metadata in a federation||Once you have registered your entity in a federation, you would appear in that federations metadata. If that federation is part of eduGAIN the data can then propagate to other member federations - depending on how often they update their metadata this could take several days.|
|If they ask for...||Say...||Notes|
|Metadata address||The address where your metadata can be accessed. There should not be a requirement for it to be linkable which is why we're not in any rush to make it available.|
OpenAthens SP or OpenAthens Keystone
|If you want you can describe it as generic SAML, but the endpoints will give it away|
These are the targetedID and scoped affiliation values discussed elsewhere which between them will usually be able to tell you everything you need for authorisation.
This is probably all that you need to tell them, but depending on your application you may want to specify more.
|SAML versions supported||Whilst OpenAthens SP can support the older SAML1.1 standard, we recommend that you not enable that support and let it die in peace. ||Keystone will only support||.|
|Certificate thumbprint||Read from your connection record in the publisher dashboard||If they ask for this it is to confirm that the certificate in your the metadata you sent them is correct. Hover over the certificate in the interface to read it to them.|
|Encryption or Signing certificates||Copy from your connection record in the publisher dashboard|
They are more likely to ask for the fingerprint (above), but if they ask for this there are two options. You could copy the x509 certificate from your published metadata of course, but the connection record is the more correct pace to go. Hit hit the