This section assumes a basic level of familiarity with the Azure interface. Whilst our service desk will always try to be helpful, they can only support the OpenAthens end of the connection.
You will need
Access to your Microsoft Azure portal
Access to the OpenAthens admin interface as the domain administrator
Add an application to Azure
Go to Active Directory > Enterprise applications > All applications section, click the new application button, search for and select OpenAthens.
Download and save your Azure metadata from the signing certificate section via the 'Metadata XML' link.
Still within the application you are creating, select the users and groups option > add to configure who will be able to access OpenAthens. You should enable at least your own test account at this stage. You can enable additional users or groups later.
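The metadata file you saved above carries the signing certificate that OpenAthens will trust for sign-in responses, so it is worth checking before you upload it. The following is an added example, not part of the original OpenAthens documentation: it reads a SAML metadata file and reports the entityID, the SHA-256 fingerprint of each signing certificate and the sign-on endpoints. The function name, the all-zero tenant ID and the placeholder certificate bytes are assumptions made for the illustration.

```python
import base64, hashlib, sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder tenant ID and placeholder bytes instead of a real certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def inspect_idp_metadata(xml_data):
    """Summarise IdP metadata: entityID, signing-cert SHA-256 fingerprints, SSO URLs, problems."""
    root = ET.fromstring(xml_data)
    out = {"entity_id": root.get("entityID"), "fingerprints": [], "sso": [], "problems": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        out["problems"].append("not SAML 2.0 identity provider metadata")
        return out
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys are not used to verify signatures
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            out["fingerprints"].append(hashlib.sha256(der).hexdigest().upper())
    for svc in idp.findall("md:SingleSignOnService", NS):
        loc = svc.get("Location", "")
        out["sso"].append(loc)
        if urlparse(loc).scheme != "https":
            out["problems"].append(f"SSO endpoint is not HTTPS: {loc}")
    if not out["fingerprints"]:
        out["problems"].append("no signing certificate in metadata")
    if not out["sso"]:
        out["problems"].append("no SingleSignOnService endpoint in metadata")
    return out

if __name__ == "__main__":
    # Pass the path of the saved metadata file; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in inspect_idp_metadata(data).items():
        print(f"{key}: {value}")
```

Record the fingerprint alongside the connection so that a later change of signing certificate in the metadata is easy to spot.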
Configure OpenAthens settings
For complete details see the SAML connector page, but the short version is:
Log into the OpenAthens admin area as the domain administrator
Go to Management > Connections > Add and select the SAML connector
Upload the metadata file you saved from Azure earlier
Set the unique user mapping to use Subject NameID instead of an attribute by using the radio button. The identifiers that OpenAthens passes to resources for your users are based on this, so if you want to select a different attribute as the unique identifier you will want to do so before you roll this out to your users.
Go to the relying party tab and copy the link displayed there - it will look similar to:
Finally: set the status and save.
If you have no existing OpenAthens users you can select live, visible and default under status and start testing as soon as you have saved.
If you have existing OpenAthens users, leave those three checkboxes cleared when you save or you will stop existing users from being able to sign in. You can still test, but will need to use debug mode - see: How to use debug mode.
Finish the basic set-up in Azure
On the OpenAthens application integration page select the single sign-on option and set:
Single Sign-on Mode > select 'SAML-based Sign-on'.
OpenAthens Domain and URL > Identifier > enter the link you copied from the relying party tab earlier and save.
You should now be able to test that signing in works and will be ready to add any additional bits you need.
Set up any additional attributes you need to send to OpenAthens
You may want to be able to do more with OpenAthens than simply sign the user in - for example you can assign permissions based on the values of the attributes you send.
In the OpenAthens application you set up in the Azure portal, go to the user attributes section and see if the attribute you want to send us is already available.