How to add the OpenAthens federation to common SP software
If you are already using, or plan to use, other SP software within the OpenAthens federation, you will need to make it aware of the OpenAthens federation metadata. Because terminology varies between products, this page shows the federation-specific settings for some common SAML SP software.
This page can only be a guide - for up-to-date installation help you should refer to the documentation and provider of whichever software you are using.
First create the application record in the OpenAthens federation.
Shibboleth
Update your shibboleth2.xml file with a metadata provider:
<MetadataProvider type="XML" url="http://fed.openathens.net/oafed/metadata"
                  backingFilePath="oafed-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="oafed-certificate.pem"/>
</MetadataProvider>
Where oafed-certificate.pem is the X.509 certificate from our metadata, saved in the same folder as your shibboleth2.xml file. The Signature filter is what protects the integrity of the metadata: Shibboleth rejects any copy that does not verify against this certificate, which is why the fetch URL does not have to be HTTPS but the certificate file must be the genuine one. The RequireValidUntil filter rejects metadata that has no validUntil attribute or whose validity period is longer than 2419200 seconds (28 days), so a stale copy cannot be replayed indefinitely.
OpenAthens federation metadata X.509 certificate
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
SimpleSAMLphp
You will need a signing certificate and private key for your SP. Create them in the cert directory:
cd cert
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
Refer to them in your authsources.php file. Note that -nodes leaves the private key unencrypted on disk, so make saml.pem readable only by the user the web server runs as.
'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
),
Enable the metarefresh and cron modules (this is the SimpleSAMLphp 1.x mechanism; SimpleSAMLphp 2.x enables modules through the module.enable setting in config.php instead):
touch modules/metarefresh/enable
cp modules/metarefresh/config-templates/*.php config/
touch modules/cron/enable
cp modules/cron/config-templates/*.php config/
Create a directory to cache the metadata. It must be writable by whichever user runs the refresh (the web server or the cron user); chmod go+rw makes it writable by every local account, so if you know that user, giving it ownership of the directory is tighter:
mkdir metadata/openathens
chmod go+rw metadata/openathens
Edit config/config-metarefresh.php (the file copied from the metarefresh config templates above):
<?php
$config = array(
    'sets' => array(
        'uk' => array(
            'cron' => array('hourly'),
            'sources' => array(
                array(
                    'src' => 'https://fed.openathens.net/oafed/metadata',
                    // SHA-1 fingerprint of the federation metadata signing certificate;
                    // metadata whose signature does not verify against it is discarded.
                    'validateFingerprint' => '49:EC:EB:FE:CA:2F:F8:A7:74:48:2D:EB:81:9A:5A:0A:B4:02:ED:91',
                ),
            ),
            'expireAfter' => 60*60*24*1, // Maximum 1 day cache time.
            'outputDir' => 'metadata/openathens/',
            'outputFormat' => 'serialize',
        ),
    ),
);
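Both sections above rely on the same two facts about the federation metadata: the top-level ds:Signature carries the signing certificate whose SHA-1 fingerprint is the validateFingerprint value (and whose PEM form is Shibboleth's oafed-certificate.pem), and the EntitiesDescriptor's validUntil is what RequireValidUntil checks. The following is an added example, written for this page and not OpenAthens or SimpleSAMLphp code, that pulls the signing certificate out of a metadata document, fingerprints it, writes it as PEM, and applies the same validUntil window Shibboleth uses. The metadata document and the certificate bytes in it are constructed placeholders (the "certificate" is base64 of the bytes b"abc", not a real X.509 certificate), which is enough to exercise the parsing and the fingerprint arithmetic; all function names are this example's own.

```python
"""Check a SAML federation metadata file the way the SP filters above do.

Added example, not OpenAthens code. SAMPLE_METADATA is constructed for the
demonstration; the certificate inside it is base64("abc"), not a real cert.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample. The top-level ds:Signature carries the federation's
# signing certificate (base64 of b"abc"); the entity inside carries its own,
# different certificate (base64 of b"def") so the code must pick the right one.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="https://fed.openathens.net/oafed" validUntil="2024-02-01T00:00:00Z">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ZGVm</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def extract_signing_cert_der(metadata_xml: str) -> bytes:
    """DER bytes of the certificate in the EntitiesDescriptor's own ds:Signature.

    Only the top-level Signature/KeyInfo is consulted, never the KeyDescriptor
    certificates of the entities the file contains: those belong to the IdPs,
    not to the federation operator that signed the aggregate.
    """
    root = ET.fromstring(metadata_xml)
    node = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("metadata carries no signing certificate in ds:Signature")
    return base64.b64decode("".join(node.text.split()))


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-1 of the DER, the form printed by
    `openssl x509 -fingerprint -sha1` and used by validateFingerprint."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(metadata_xml: str, expected: str) -> bool:
    """True when the signing certificate's SHA-1 equals the configured value
    (case and colon separators are ignored, as in SimpleSAMLphp)."""
    actual = sha1_fingerprint(extract_signing_cert_der(metadata_xml))
    return actual.replace(":", "") == expected.replace(":", "").upper()


def der_to_pem(der: bytes) -> str:
    """PEM-wrap the DER so it can be saved as Shibboleth's certificate file."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def valid_until_ok(metadata_xml: str, now_iso: str, max_validity_interval: int = 2419200) -> bool:
    """Mirror Shibboleth's RequireValidUntil filter: validUntil must be present,
    still in the future at `now_iso` (ISO 8601, e.g. 2024-01-15T00:00:00Z), and
    no more than max_validity_interval seconds away."""
    root = ET.fromstring(metadata_xml)
    raw = root.get("validUntil")
    if raw is None:
        return False
    valid_until = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    remaining = (valid_until - now).total_seconds()
    return 0 < remaining <= max_validity_interval


if __name__ == "__main__":
    der = extract_signing_cert_der(SAMPLE_METADATA)
    print("signing certificate SHA-1:", sha1_fingerprint(der))
    print(der_to_pem(der), end="")
    print("validUntil within 28 days:", valid_until_ok(SAMPLE_METADATA, "2024-01-15T00:00:00Z"))
```

Run against the real federation metadata, the fingerprint printed should equal the validateFingerprint value in the configuration above, and the PEM output is what you save as oafed-certificate.pem for Shibboleth; a mismatch means either the configuration is stale or the file you fetched is not the one OpenAthens signed.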
The cron module does not run on its own: schedule the hourly tag from the system crontab as described in the cron module's documentation, otherwise the cache is never populated. Finally, add the cache as a metadata source in config.php:
'metadata.sources' => array(
    array('type' => 'flatfile'),
    array('type' => 'serialize', 'directory' => 'metadata/openathens'),
),
You will also need to upload your SP metadata to the publisher dashboard when you register your app; get it from the Federation tab on the SimpleSAMLphp front page. If you encounter metadata loading issues you may need to increase memory_limit and max_execution_time in your PHP configuration file.