Like most SAML SPs, OpenAthens Keystone can also interact with SAML identity providers outside of a federation context. With OpenAthens, this is done by adding their metadata to what is effectively a mini federation we create that is specific to your connections. To do this:
- In the publisher dashboard select your connection
- Scroll down to the identity providers section
- Click on the additional identity providers link
- Add a new entity via the green button at the top. You can link to or upload their metadata - or use the ellipsis menu next to an existing entry to view or update metadata
- Affirm the certificate is ok
- Back on the connections page: if it is not already set, toggle the switch on the additional identity providers line to 'Allow'
- Save the changes to the connection
That identity provider will then become available to all of your connections and the applications that use them. Your addition will not cause that IdP to become available for any other publishers.
You will also need to provide the IdP with your metadata or in some cases named details.
Providing metadata or details to the IdP
In most cases they'll want a metadata address or file. This can be taken from the same connections page - scroll up to the SAML connector section and use the ellipsis menu next to the entityID to access the metadata. You can choose wither logos are embedded or linked, and copy a link or the metadata as needed.
If the IdP needs specific items of data though:
entityID: on the connections page, also in the first line of your metadata
SSO endpoint: find this line in your metadata and copy the location part from your metadata:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://connect.openathens.net/YOURDOMAIN/CONNECTION_ID/auth/rcv/saml2/post" index="1" isDefault="true"/>
X509 certificate: appears twice in the metadata in a <ds:X509Certificate> element.
Updating IdP certificates
The certificates for additional identity providers must be kept up to date to avoid access issues. When a certificate that belongs to one of your additional identity providers is due to expire:
- Find the IdP in your list of additional identity providers
- Update the metadata through the ellipsis menu
Anything to watch out for?
There is a 1MB size limit on each metadata upload. If you are trying to add a federation that doesn't appear to be available, contact our support team.
It can take up to six hours for the changes to propagate fully. From that point:
- OpenAthens Keystone is done
- OpenAthens Wayfinder will need up to 5 minutes more