If you are a UK based education organisation you may want to join the UK education specific UK Access Management federation (sometimes called UK fed).

Their website has all the details:

We include here the relevant bits of information for the second part, where were are the 'outsourced IdP'

 

The name of the external organisation providing the outsourcing service. This organisation must itself be a member of the federation.

Eduserv

The entityID of the identity provider which the external organisation proposes to use on behalf of the applicant. (The external organisation should be consulted to obtain this information.)

Insert here the entityID displayed in your administration area

If the domain name contained within the entityID belongs to the applicant rather than to the external organisation, an explicit statement by the applicant approving the use of the entityID by the external organisation.

Yes, I am happy for Eduserv to do that on my behalf

Any identifier assigned to the applicant by the external organisation.

Repeat your entityID here

A contact person (name and email address) within the external organisation.

OpenAthens Service Desk

The security domain(s) that the applicant grants authorisation to the external organisation to assert on its behalf. This normally corresponds to the applicant's registered DNS domain(s). This should be specified in lower case.

 

 

 

 

 

You will need to know your OpenAthens domain name. This is usually the same as the scope registered against your domain organisation as seen on the organisation summary.

Metadata address:

SAML 2 https://login.openathens.net/saml/2/metadata-idp/DOMAIN/c/ukfed

E.g. if your OpenAthens domain is institution.ac.uk, your SAML 2 metadata address will be:

https://login.openathens.net/saml/2/metadata-idp/institution.ac.uk

If you want to view this in your browser you may need to add a ?browser parameter to the end of the link, e.g.  https://login.openathens.net/saml/2/metadata-idp/institution.ac.uk?browser

Manually specifying connection settings

The metadata address should be sufficient for most SAML targets, however some may instead want you to specify endpoints, certificates and other data manually instead. If they do:

Endpoints / SSO address:
SAML 2https://login.openathens.net/saml/2/sso/DOMAIN
SAML 1.1https://login.openathens.net/saml/1/sso/DOMAIN
Certificate

This will be the x509 certificate in the metadata, topped and tailed as follows. This is sometimes called PEM format.

-----BEGIN CERTIFICATE-----
Hi7cUUpCAqagAwIBAgIEVOxCIjANBgkqhkiG9w0BAQsFADCBoDEoMCYGCSqGSIb3DQEJARYZYXRo
ZW5zaGVscEBlZHVzZXJ2Lm9yZy51azELMAkGA1UEBhMCR0IxETAPBgNVBAgMCFNvbWVyc2V0MQ0w
CwYDVQQHDARCYXRoMRAwDgYDVQQKDAdFZHVzZXJ2MRMwEQYDVQQLDApPcGVuQXRoZW5zMR4wHAYD
VQQDDBVnYXRld2F5LmF0aGVuc2Ftcy5uZXQwHhcNMTUwMjI0MDkyMDA2WhcNMjUwMjI0MDkyMDA2 
WjCBoDEoMCYGCSqGSIb3DQEJARYZYXRoZW5zaGVscEBlZHVzZXJ2Lm9yZy51azELMAkGA1UEBhMC
R0IxETAPBgNVBAgMCFNvbWVyc2V0MQ0wCwYDVQQHDARCYXRoMRAwDgYDVQQKDAdFZHVzZXJ2MRMw 
EQYDVQQLDApPcGVuaXRoZW5zMR4wHAYDVQQDDBVnYXRld2F5LmF0aGVuc2Ftcy5uZXQwggEiMA0G 
CSqGSIb3DQEBAQUAn4IBDwAwggEKAoIBAQCandpa4o0Njtw1DqbrrNTfOVe1PqyXIIVmDrJ6VUR/ 
mokXXu+m5Gm+1f+3ayN5IA2YMn9Z8Yo37JQjIHs+xVS3q4nT1ewS7S3en1pdXKsH1WnUnVWUmpl9 
WJZrUwi5i8X80LNyd7PmudhuKNEATGUXkA/xWCkk2d8jf91hy7Qu+HA8LOKtdbbNigErh2IY/YuN 
WUVUqgGbMH5BGr7ZahPrz+Vwcf9lhPW+tKpKpZEzJfQiq8EoPaeMXEpKWBEErm67gkWFCA5VhfcJ 
LqFjQEC3pWOxt5rZRS8gl/Z33VSJZVzY5jWcQzmGaLXPHXyiKPmixl6+DjGlUM0ylNF7GvtDAgMB 
AAEwDQYJKoZIhvcNuQELBQADggEBAFhmhujLZueiJ6F7mQCpfB0Hj4Y8FyFUUc8NMAt5Set7H4DK 
SSl4shcqisZBa5yTlyenYwkmBszvCWs6Yeep+zJmCR62cb/f1M32oMzLm02OlznWMkE8/IajGmdx 
TnB6Z/XcdMMIiCeoe4kqe5KMd5oRAyNskHYZ+8kzhs2zTveR+rqCtYxa/AYpwf7n0VQR9clBSNCI 
T4BCRi10aPE531VIsl4ljY3CwNoZ4lQTU/0aj8O4j68V2neiQb8lewAii0b2xoyOGYP4okd7T2tl 
4gl2noVbCvYNjd6GYze/w4lgwiemkby7wu5sN1lEudgKDV+H54wU29ZIyDEFM6DDNE4=
-----END CERTIFICATE-----
Issuer / IDP issuer / identifier

Your entityID, e.g. https://idp.institution.ac.uk/openathens

Binding / Binding type / IDP Binding

This should be 'Redirect' rather than 'Post'.