Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

OpenAthens Cloud SP Keystone is our hosted Service Provider option. It is middleware that allows an OpenID Connect Relying Party to be used in SAML federations without the need to understand SAML. As long as your OpenID Connect relying party meets the basic requirements there should be no problem using it with OpenAthens Cloud SPKeystone.

See also: What is OpenAthens Cloud SPKeystone

Basic OpenID Connect requirements

Whichever OpenID Connect client, plug-in or framework you are using, it...


  • be OpenID Connect based on OAuth2 rather than plain OpenID.
  • support daily key rotation
    • i.e. the keys published at our jwks endpopint endpoint will change every 24 hours. This is usually handled automatically by whichever OpenID Connect framework you are using. 


  • support multiple providers so that OpenAthens Cloud SP Keystone can be used alongside any other OpenID Connect login options you do or may want to provide .


  • (e.g. Google).

What would you like to do today?