OpenAthens SP and OpenAthens Keystone will make the configuration of SAML and the OpenAthens federation easy, but you will still need to become part of any other access management federation where you want to interact with your customers - e.g. universities and colleges who are only in their own national federations.

Since all the other federations are national research and education network (NREN) based, your best first step is to join one that is part of eduGAIN, as this can potentially take care of all of the other ones you need.

...

The exact method of joining a federation can vary, but the variation is generally only in how you apply and what information they want - e.g. some will want a formal letter on headed paper, some may want proof that you own the internet domain in your entityID, most will perform some form of procedure to confirm you are who you say you are, and some will simply not tell you how to register entities until you are a signed-up member. This page covers the technical information you would need to supply them to register your entity, and translates some of the terminology they are likely to use.

...

| Term | Means | Notes |
| Entity | The SAML service provider | |
| EntityID | An identifier for the entity that is unique within a federation | Read this from the connection record in the publisher dashboard. |
| Display name | What you want your service to appear as in their metadata | The published metadata uses the connection name you have set in the SP dashboard; whilst you will usually want this to match, it doesn't have to. |
| Metadata | An XML document that describes the entity | |
| Metadata address, Automatically generated metadata | Where we have published your SAML metadata | See next table. |
| Federation metadata | An aggregated set of all the entities' metadata in a federation | Once you have registered your entity in a federation, you will appear in that federation's metadata. If that federation is part of eduGAIN the data can then propagate to other member federations; depending on how often they update their metadata this could take several days. |

...

Whilst OpenAthens SP can support the older SAML 1.1 standard, we recommend that you do not enable that support and let it die in peace.
| If they ask for... | Say... | Notes |
| Metadata address | OpenAthens SP: https://yourdomain.com/oa/metadata. OpenAthens Keystone: this is not yet linkable; it can be copied from the admin site (SAML connection section of the connection). | The address where your metadata can be accessed. There should not be a requirement for it to be linkable, which is why we're not in any rush to make it available. |
| Software | OpenAthens SP or OpenAthens Keystone | If you want you can describe it as generic SAML, but the endpoints will give it away. |
| Requested attributes | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 and urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | These are the targetedID and scoped affiliation values discussed elsewhere, which between them will usually be able to tell you everything you need for authorisation. This is probably all that you need to tell them, but depending on your application you may want to specify more. |
| SAML versions supported | SAML 2 | Keystone will only support SAML 2. |
| Certificate thumbprint | Read from your connection record in the publisher dashboard | If they ask for this it is to confirm that the certificate in the metadata you sent them is correct. Hover over the certificate in the interface to read it to them. |
| Encryption or Signing certificates | Copy from your connection record in the publisher dashboard | They are more likely to ask for the fingerprint (above), but if they ask for this there are two options. You could copy the x509 certificate from your published metadata of course, but the connection record is the more correct place to go. Click the ellipsis (fa-ellipsis-v) icon next to your entityID on the connections tab and view your metadata there. Find and copy the x509 certificate from that metadata and then top / tail it with begin and end tags as shown below the table. |

-----BEGIN CERTIFICATE-----
qd87h5o8a7a475... the certificate data, etc
-----END CERTIFICATE-----
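The thumbprint and certificate rows above describe doing the check by hand: copying the x509 certificate out of your published metadata, topping and tailing it, and reading the fingerprint back to the federation. As an added example (not OpenAthens code), the script below pulls the certificate out of SP metadata, wraps it as PEM, and computes the colon-separated SHA-1 (or SHA-256) fingerprint over the DER bytes so you can compare it with what the federation or the dashboard shows; the metadata, entityID and certificate bytes are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER certificate bytes; not a real X.509 certificate.
FAKE_DER = b"constructed placeholder bytes, not a real certificate"

# Constructed SP metadata in the shape the dashboard publishes (placeholder entityID).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.org/entity">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_certificate(metadata_xml, use="signing"):
    """Return (entityID, DER bytes) of the first KeyDescriptor usable for `use`."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
        if kd.get("use") in (None, use):
            b64 = kd.findtext(".//ds:X509Certificate", namespaces=NS)
            return root.get("entityID"), base64.b64decode("".join(b64.split()))
    raise ValueError(f"no {use} certificate in metadata")


def to_pem(der):
    """Top and tail the base64 with BEGIN/END lines, wrapped at 64 characters."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(der, algo="sha1"):
    """Colon-separated hex digest of the DER bytes, the form thumbprints are quoted in."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_matches(der, claimed, algo="sha1"):
    """Compare ignoring case, colons and spaces, so a value read out loud can be checked."""
    norm = lambda s: "".join(s.split()).replace(":", "").upper()
    return norm(fingerprint(der, algo)) == norm(claimed)
```

To check a real connection, replace SAMPLE_METADATA with the metadata copied from the connection record and compare `fingerprint(der)` with the thumbprint shown in the dashboard.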

See also: