Skip to main content
Skip table of contents

Edit an application

Select from the applications list to edit an application. Local and external applications have slightly different options


Details tab


When you are ready to go live in the OpenAthens federation you can set this to live. It always appears for external applications, but will not appear for local applications until the OpenAthens federation is added to the connection.

What will happen then is...

  • The logo and access URL fields become mandatory
  • Use of https for endpoints is enforced
  • On save you will see a preview of how your resource will appear to your customers
  • Our service desk will be alerted to run some tests and approve your appearance in the OpenAthens federation. 

A description of your product or service. It appears below the application name when seen by customers. See also: What makes a good resource description?

These must be a jpg, png or gif of at least 128 x 128px and less than 10MB. Ideally square with a transparent background.


Only used by the Wayfinder discovery service. These must be a jpg, png or gif of at least 400 x 50px, and less than 10MB. Ideally with a transparent background.

Information URL

This is not required, but if you want to you can add a link to a description or sales page where potential subscribers can find out how to purchase access

Access URL

The general access URL will be retired in the future but at the moment it is still necessary. 

The simplest thing that will suit the users is to find the point in your general login flow that would send a user to a WAYF and use that URL.

If this is not possible, it is acceptable to enter a general landing page as the access URL so long as the user can gain access from there. 

Linking tab

This is all about the OpenAthens Redirector. If you support both WAYFless access and deep linking (article level linking) then you are redirector compatible. The redirector provides our mutual customers with a consistent link format that they can use in place of a proxy mask in applications such as link resolvers and removes any need for them to use proxy servers to access your site.

What you enter here are tokenised access URLs and the internet domains that use them - e.g.


Any target addresses using the listed domains will use the tokenised URL for access. There are two tokens:

  • {entity} - the customer's entityID will be inserted here
  • {target} - the page the customer wants the end-user to end up on

If you have any difficulty with these, our service desk will be happy to help.

There is no facility to insert non-federation identifiers for customers as tokens.

Tabs for specific types of application

SAML endpoints (External applications only - e.g. Shibboleth)

This will list the endpoints specified in your metadata and provide an option to edit or remove them using the dots menu. You can also add more SAML endpoints should you need to (e.g. for development boxes or load balanced services). If necessary you can manually set the index value. Changes can take up to 6 hours to be reflected in the federation metadata.

Local applications have a similar option on their connection.

<SAML> entity tab (External applications only - e.g. Shibboleth)

This will display the metadata as it will appear in the federation once published. 

Configuration tab (Keystone only)  

How to configure your web application

This link brings up the basic implementation steps. It is the same information that was displayed when you created the application record and is available in several flavours.

Client ID

This is the ID used to configure your OpenID Connect instance when you add OpenAthens as a provider.

Client secret

This is the secret used to secure your OpenID Connect instance when you add OpenAthens as a provider.

Application URL

The root of your application without a trailing slash, e.g:

Redirect URL

This is where your OpenID Connect instance expects us to return the user after authentication, e.g:

Login URL

This is the link that would initiate a user login in your OIDC application - i.e. the OIDC handler that is invoked when you hit the login button. It is required to support WAYFless access.


Keystone supports the sharing of connections so that multiple apps can use the same SAML connection in a federation.

Discovery tab (Keystone only) 


OpenAthens Wayfinder is the default and recommended organisation discovery option. 

Authorised domains:  these are only used if you add the Wayfinder embed script to your site. You can leave them blank otherwise. See Embedding OpenAthens Wayfinder for details on how to configure your site to use embedded Wayfinder.

SeamlessAccess integration: enables SeamlessAccess integration with OpenAthens Wayfinder. You will need to add the SeamlessAccess button to your web application before enabling this functionality.

Other central discovery service

Enter the URL of your chosen discovery service. It must support the SAMLDS protocol. 

Single identity provider 

Specify a single entityID to use for all logins. Ideal for single site applications such as VLEs and during testing.

Attributes tab (All applications) 

This is where you can specify the attributes that your application expects IdPs to release. These attributes are categorised as either required or optional and must be from the list of standard eduPerson attributes. Attributes added here will appear in your application metadata.

In line with federation best practices, you should not set attributes containing personally identifiable information as 'required'. Typical required attributes are eduPersonTargetedID (unique to the user) and eduPersonScopedAffiliation (provides role@organisation information). 

Keystone apps: entity categories and privacy policy links you have specified on your connection will display here for convenience.

External applications such as Shibboleth: the entity categories and privacy policies displayed in this tab are taken from the metadata when you upload it. 

IdP Support tab (All applications)

Here you can add any support email addresses and specify your preferred activation method for the application. This is to make it easier for your customers and your support people when customers want to enable access.

For Keystone applications, any email addresses added here will also be added to the application metadata.

Preferred activation method

The preferred activation method is how you want your OpenAthens customers to contact you about enabling access. The idea is to minimise back and forth between our mutual customer and your support team by making sure they send the information you need to where it needs to go. You can choose one of four options:


Specify the email address to write to. You can include parameters if you wish, e.g. subject 

Add any other details in the boxes below. There's a check box for when a customer's subscription ID is important to specify 


Specify the web address of the portal, including the protocol (e.g. https), and some basic instructions


Specify the web address of the form, including the protocol (e.g. https)


This is any process not covered by the other three

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.