When you are connecting to an application that is not part of a federation, such as a custom SAML resource, you may need to supply that application with your metadata address. Metadata is available for both SAML 2 and the older SAML 1.1 standards. Where there is a choice, SAML 2 is the one to select.
You will need to know your OpenAthens domain name. This is usually the same as the scope registered against your domain organisation as seen on the organisation summary.
E.g. if your OpenAthens domain is institution.ac.uk, your metadata address will be:
If you have sub-organisations that have different entityIDs you may need to access their metadata - e.g. if setting up a custom SAML resource that they will access. The metadata address is essentially the same but with a
...where the number at the end is the unique ID shown on their organisation account's permissions tab. If manually specifying endpoints (see below) you would also add the
The metadata address should be sufficient for most SAML targets, however some may instead want you to specify endpoints, certificates and other data manually instead. If they do:
You can copy these from the metadata, but they will look like this:
If unsure, the SAML 2 one is almost always the one to use.
This will be the x509 certificate in the metadata, topped and tailed as follows. This is sometimes called PEM format.
-----BEGIN CERTIFICATE----- Hi7cUUpCAqagAwIBAgIEVOxCIjANBgkqhkiG9w0BAQsFADCBoDEoMCYGCSqGSIb3DQEJARYZYXRo ZW5zaGVscEBlZHVzZXJ2Lm9yZy51azELMAkGA1UEBhMCR0IxETAPBgNVBAgMCFNvbWVyc2V0MQ0w CwYDVQQHDARCYXRoMRAwDgYDVQQKDAdFZHVzZXJ2MRMwEQYDVQQLDApPcGVuQXRoZW5zMR4wHAYD VQQDDBVnYXRld2F5LmF0aGVuc2Ftcy5uZXQwHhcNMTUwMjI0MDkyMDA2WhcNMjUwMjI0MDkyMDA2 WjCBoDEoMCYGCSqGSIb3DQEJARYZYXRoZW5zaGVscEBlZHVzZXJ2Lm9yZy51azELMAkGA1UEBhMC R0IxETAPBgNVBAgMCFNvbWVyc2V0MQ0wCwYDVQQHDARCYXRoMRAwDgYDVQQKDAdFZHVzZXJ2MRMw EQYDVQQLDApPcGVuaXRoZW5zMR4wHAYDVQQDDBVnYXRld2F5LmF0aGVuc2Ftcy5uZXQwggEiMA0G CSqGSIb3DQEBAQUAn4IBDwAwggEKAoIBAQCandpa4o0Njtw1DqbrrNTfOVe1PqyXIIVmDrJ6VUR/ mokXXu+m5Gm+1f+3ayN5IA2YMn9Z8Yo37JQjIHs+xVS3q4nT1ewS7S3en1pdXKsH1WnUnVWUmpl9 WJZrUwi5i8X80LNyd7PmudhuKNEATGUXkA/xWCkk2d8jf91hy7Qu+HA8LOKtdbbNigErh2IY/YuN WUVUqgGbMH5BGr7ZahPrz+Vwcf9lhPW+tKpKpZEzJfQiq8EoPaeMXEpKWBEErm67gkWFCA5VhfcJ LqFjQEC3pWOxt5rZRS8gl/Z33VSJZVzY5jWcQzmGaLXPHXyiKPmixl6+DjGlUM0ylNF7GvtDAgMB AAEwDQYJKoZIhvcNuQELBQADggEBAFhmhujLZueiJ6F7mQCpfB0Hj4Y8FyFUUc8NMAt5Set7H4DK SSl4shcqisZBa5yTlyenYwkmBszvCWs6Yeep+zJmCR62cb/f1M32oMzLm02OlznWMkE8/IajGmdx TnB6Z/XcdMMIiCeoe4kqe5KMd5oRAyNskHYZ+8kzhs2zTveR+rqCtYxa/AYpwf7n0VQR9clBSNCI T4BCRi10aPE531VIsl4ljY3CwNoZ4lQTU/0aj8O4j68V2neiQb8lewAii0b2xoyOGYP4okd7T2tl 4gl2noVbCvYNjd6GYze/w4lgwiemkby7wu5sN1lEudgKDV+H54wU29ZIyDEFM6DDNE4= -----END CERTIFICATE-----
Your entityID, e.g.
This should be 'Redirect' rather than 'Post'.