This is an example, using G Suite (formerly Google Apps), of how to set up and configure a SAML source for signing in to OpenAthens.
In your dashboard you will want to add a custom SAML app. At the time of writing this can be found under:
Apps > SAML Apps > Add > setup my own custom app
The wizard will give you an option to download the metadata. This is an excellent time to do so as you will need it when you configure the OpenAthens end.
The fields you will need to complete are:
Field | Value |
---|---|
Application name | Anything that makes sense to you |
Description | Anything that makes sense to you |
ACS URL | You will need to come back to this later. To get through the wizard enter something like ' |
EntityID | You will need to come back to this later. To get through the wizard enter something like ' |
Start URL | Leave empty |
Signed Response | True |
Name ID | Use primary email |
If you cancel the wizard before you finish, you will need to re-download the metadata next time as it will be subtly different.
You will need to set up attribute mapping for at least the email address at this point. Make a note of the attribute name you choose. If you will need more information than just the email in OpenAthens such as given names, you can set them up at the same time or come back later. Attribute names are case sensitive.
Now that the OpenAthens connection has been set up you can update the ACS and EntityID placeholders you used in your G Suite SAML app.
Referring to the metadata address you copied from the admin area, you will have something that looks like this:
https://login.openathens.net/saml/2/metadata-sp/yourdomain.net/la/1234
It is the last bit you're interested in (yourdomain.net/la/1234) as that will form part of the ACS URL and entityID of the connection you are specifying in the G Suite SAML app. Update these to match that part of your metadata address:
Field | Value |
---|---|
ACS URL | https://login.openathens.net/saml/2/acs/yourdomain.net/la/1234 |
EntityID | https://login.openathens.net/saml/2/metadata-sp/yourdomain.net/la/1234 |
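As an added illustration (not OpenAthens' or Google's own code), the following derives the two values above from the metadata address and checks them against the entityID and AssertionConsumerService Location declared in the SP metadata you downloaded, so a typo in the G Suite app is caught before testing. The metadata XML below is a constructed sample in standard SAML 2.0 metadata shape, not a real OpenAthens download.

```python
import re
import xml.etree.ElementTree as ET

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"

def gsuite_values_from_metadata_url(metadata_url: str) -> dict:
    """Derive the ACS URL and EntityID to paste into the G Suite SAML app
    from the OpenAthens metadata address (the 'yourdomain.net/la/1234' tail)."""
    m = re.fullmatch(r"https://login\.openathens\.net/saml/2/metadata-sp/(.+)", metadata_url)
    if not m:
        raise ValueError("not an OpenAthens SP metadata address: " + metadata_url)
    tail = m.group(1)
    return {
        "ACS URL": f"https://login.openathens.net/saml/2/acs/{tail}",
        "EntityID": f"https://login.openathens.net/saml/2/metadata-sp/{tail}",
    }

def check_against_sp_metadata(values: dict, metadata_xml: str) -> list:
    """Compare the derived values with what the SP metadata actually declares.
    Returns a list of mismatches; an empty list means the G Suite app will match."""
    root = ET.fromstring(metadata_xml)
    problems = []
    entity_id = root.get("entityID")
    if entity_id != values["EntityID"]:
        problems.append(f"entityID {entity_id!r} != {values['EntityID']!r}")
    acs_locations = {
        acs.get("Location")
        for acs in root.iter(f"{{{SAML_MD}}}AssertionConsumerService")
    }
    if values["ACS URL"] not in acs_locations:
        problems.append(f"ACS URL {values['ACS URL']!r} not in {sorted(acs_locations)}")
    return problems

# Constructed sample SP metadata (illustrative only, not a real OpenAthens download).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{SAML_MD}"
    entityID="https://login.openathens.net/saml/2/metadata-sp/yourdomain.net/la/1234">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.openathens.net/saml/2/acs/yourdomain.net/la/1234" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    vals = gsuite_values_from_metadata_url(
        "https://login.openathens.net/saml/2/metadata-sp/yourdomain.net/la/1234")
    for field, value in vals.items():
        print(f"{field}: {value}")
    print("mismatches:", check_against_sp_metadata(vals, SAMPLE_METADATA))
```

Replace SAMPLE_METADATA with the contents of the metadata file you downloaded from the OpenAthens admin area to check your real values.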
You will need to allocate the app to your users before it will work.
This sets up the basics and will use any default permission sets. You can at this point progress to testing if you wish, but many will want to set additional attributes to be released by G Suite such as a display name.
If you created additional attribute mappings within G Suite, you can map them on the Attributes tab - see: Attribute mapping.
If you want to assign permission sets based on attributes passed by G Suite, see: Permission set rules.
If you are not already using OpenAthens in production you can simply set the connection as live, visible and default.
If you already have active users you have two options:
Once you are happy that it is working, return to the connection and set it as live and visible. If it is to be your only login option, also set it as default and unset the OpenAthens account option on the domain preferences page if you had set it.
Whilst our service desk will always try to be helpful, they can only support the OpenAthens part of this.