This will show you how to configure Moodle to accept OpenAthens logins using the SAML2 Single sign on plugin from Moodle's plugins directory. Other plugins may be available and should work in similar ways - this is the one we used on vle.openathens.net.
The plugin will use the URL you are accessing Moodle at during setup for various things, so make sure you sign into Moodle using the externally facing URL it has (or will have if it isn't yet live) before installing the plugin.
This assumes you are using OpenAthens accounts or that local accounts map data to standard fields.
If you are mapping additional data fields, it is the target name of the OpenAthens attribute that you need to copy over.
Upload the metadata file you downloaded from the SAML2 plugin's settings page
This will create the basic custom resource using the values in the metadata. If it doesn't have a suitable name, you can edit the details to change it, and add a description or logo.
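Because the custom resource is built from the values in the metadata, it is worth confirming that the file carries the externally facing URL before you upload it. The following is an added example, not part of the plugin or of OpenAthens: it assumes the entityID and endpoint Location values in the metadata are URLs derived from the site address, and the sample metadata, hostnames and paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample (hostnames and paths are illustrative): SP metadata
# generated while Moodle was being browsed at an internal address.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://moodle.internal.example/auth/saml2/sp/metadata.php">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://moodle.internal.example/auth/saml2/sp/acs.php"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, external_url):
    """Return a list of problems; an empty list means every URL matches."""
    want = urlsplit(external_url)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    # Collect the entityID plus every endpoint Location (ACS, logout, ...).
    urls = [("entityID", root.get("entityID", ""))]
    for el in root.iter():
        if el.get("Location"):
            urls.append((el.tag.split("}")[-1], el.get("Location")))
    problems = []
    if len(urls) == 1:
        problems.append("no endpoint Location attributes found")
    for label, url in urls:
        got = urlsplit(url)
        if (got.scheme, got.netloc.lower()) != (want.scheme, want.netloc.lower()):
            problems.append(f"{label}: {url} is not under {external_url}")
    return problems


if __name__ == "__main__":
    for line in check_sp_metadata(SAMPLE_METADATA, "https://vle.example.org"):
        print("MISMATCH", line)
```

Any mismatch reported means the plugin was set up while Moodle was being accessed at a different address, and the metadata should be regenerated from the external URL before it is uploaded.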
This will now release the attributes that Moodle is expecting, but only to your Moodle.
Until you click the eye icon to enable the plugin (on Moodle's Site administration > Plugins > Authentication page) you will only be able to test using the test button on that page. Both IdP login functions should pass with a cheerful 'Authed!' and a list of attributes.
When you're ready to go live, review your plugin settings for things such as dual login and auto-create users, and then click on the eye icon to enable it.
Once the basic resource exists, that is all the system needs to work unless you are using restrictive mode (see below). You can edit the details of the custom SAML resource in any way you need to.
All types of custom resources can be made available to sub-organisations by opening the detail view and changing the setting on the visibility tab:
If you are running in restrictive mode, the custom resource MUST be included in at least one of the permission sets used by anyone who should gain access or OpenAthens will block access at the authentication point.
If you have sub-organisations you MUST ALSO set the visibility setting described above and allocate it to permission sets under those sub-organisations. The cascade option may be useful.
Whilst our service desk will always try to be helpful, they can only support the OpenAthens end of this kind of connection.