Connections
The connections page is about how OpenAthens products like Keystone work in multiple federations. External applications such as Shibboleth don't have a separate connection here because their appearance in other federations isn't managed by us.
When you select a connection you can make the following adjustments:
Application:
The name of the application record(s) using this connection.
Rules (OpenAthens Keystone only)
Allows you to toggle rulesets on and off. Changes take place immediately after saving.
Common EduPerson and Extended EduPerson - translates the attribute names commonly used in educational federations to OpenID Connect claims. See: eduPerson attributes
The ruleset with the long name extracts some useful identifiers from the main eduPerson attribute used in federations.
SAML Connector:
Entity
This is the entityID of your application and defaults to applicationURL/oa/metadata or applicationURL/oa/entity.
If you change this, make sure to save changes and confirm the page has updated. You almost certainly will not want to change this once you are live.
The dots menu gives you access to view the entity metadata so you can download it, or copy the published address to send to federations you are joining or to direct 1:1 connections.
The entity metadata has two options for logos. Inline (default) stores logo and banner as base64 encoded png images in the metadata, whilst hosted presents the banner as a URL and drops the logo. The reason for the choice is that some federations you might want to join insist on logos being hosted rather than embedded.
Certificate
This is your metadata certificate. The same certificate is used for signing and encryption, and a federation might ask you to confirm its thumbprint when you register with them.
The dots menu gives you access to view the certificate details.
Privacy policies
Allows you to add and remove links to your privacy policy in the metadata. You can specify one link per language.
Most federations currently recommend this, and it is very likely to become a requirement.
Linking to your privacy policy is already a requirement if you are asserting the GÉANT Data Protection Code of Conduct entity category (see: https://geant3plus.archive.geant.net/Pages/uri/V1.html).
OpenAthens:
Allow sign-in for OpenAthens Test identity providers
This adds the application to the OpenAthens test federation. It is enabled by default for new connections and is automatically switched off when the application goes live in the OpenAthens federation.
Allow sign-in for live OpenAthens identity providers
This will signal inclusion in the OpenAthens federation once the application is set as live on the application page and approved. It will then be visible to all OpenAthens IdPs.
Other federations
This section is about other federations you might be in or become a member of. Enable a federation here and its metadata will be added to your configuration, but that is all the switch does: it does not register you in that federation, and you will still need to take steps to appear there. See: How to join other federations
1:1 connections
This is for SAML IdPs you want to connect to that are not in a federation you share with them (it is up to you to judge at what number of IdPs joining a given federation becomes easier than configuring them separately). See: Entities that are not in a federation
Entity categories:
This section allows you to indicate in your metadata which entity categories you support. Once saved you'll be able to see changes immediately in the metadata view under the menu next to the entityID, but it will take up to 6 hours for them to appear in the published OpenAthens federation metadata. You will need to tell any other federations you are registered in about the change (education federations that include you via eduGAIN will pick up the change from the update to the federation you are registered in).
Most entity categories signify compliance with a set of rules or behaviours, so it's best to leave these turned off until everything else is in place.
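Before sending your metadata to a federation it is worth checking what it actually publishes. The following is an added example, not OpenAthens code: it parses a constructed SP metadata document and pulls out the entityID, the certificate thumbprint a federation may ask you to confirm (Certificate section), the per-language privacy statement links (Privacy policies) and the asserted entity categories (this section). The certificate bytes are a constructed stand-in rather than a real X.509 certificate, so the values are illustrative while the parsing and hashing path is the real one.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ENTITY_CATEGORY = "http://macedir.org/entity-category"

# Constructed stand-in for the DER bytes of the metadata certificate (not a real X.509 cert).
FAKE_CERT_DER = b"constructed-not-a-real-certificate"

# Constructed SP metadata: entityID, one certificate, privacy statement per language, one entity category.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.org/oa/metadata">
  <md:Extensions xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
    <mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}">
      <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions xmlns:mdui="{NS['mdui']}"><mdui:UIInfo>
      <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL>
      <mdui:PrivacyStatementURL xml:lang="fr">https://sp.example.org/fr/privacy</mdui:PrivacyStatementURL>
    </mdui:UIInfo></md:Extensions>
    <md:KeyDescriptor><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def thumbprint(der: bytes, algo: str = "sha256") -> str:
    """Certificate fingerprint in the colon-separated form federations usually quote."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def inspect_sp_metadata(xml_text: str) -> dict:
    """Pull out what a federation operator will look at when you register."""
    root = ET.fromstring(xml_text)
    # The same certificate serves signing and encryption; decode each X509Certificate found.
    certs = [base64.b64decode("".join(e.text.split()))
             for e in root.iterfind(".//ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "cert_sha256": [thumbprint(c) for c in certs],
        "privacy": {e.get(XML_LANG): e.text.strip()
                    for e in root.iterfind(".//mdui:PrivacyStatementURL", NS)},
        "entity_categories": [v.text.strip() for v in root.iterfind(
            f".//mdattr:EntityAttributes/saml:Attribute[@Name='{ENTITY_CATEGORY}']/saml:AttributeValue", NS)],
    }
```

Run it against the metadata you download from the dots menu instead of SAMPLE_METADATA to compare the thumbprint and links with what the federation sees.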