Like most SAML SPs, OpenAthens Keystone can also interact with SAML identity providers outside of a federation context. With OpenAthens, this is done by adding their metadata to what is effectively a mini federation we create that is specific to your connections. To do this:

  1. In the publisher dashboard select your connection

  2. Scroll down to the identity providers section

  3. Click on the additional identity providers link

  4. Add a new one via the green button at the top. You can link to or upload their metadata - or use the ellipsis menu next to an existing entry to view or update metadata

  5. Affirm the certificate is ok

  6. Back on the connections page: if it is not already set, toggle the switch on the additional identity providers line to 'Allow'

  7. Save the changes to the connection

That identity provider will then become available to all of your connections and the applications that use them. 

Your addition will not cause that IdP to become available for any other publishers.

Updating IdP certificates

The certificates for additional identity providers must be kept up to date to avoid access issues. When a certificate that belongs to one of your additional identity providers is due to expire:

  1. Find the IdP in your list of additional identity providers
  2. Update the metadata through the ellipsis menu 
Anything to watch out for?

It can take up to six hours for the changes to propagate fully. From that point:

  • OpenAthens Keystone is done
  • OpenAthens Wayfinder will need up to 5 minutes more