OpenAthens Keystone will make the configuration of SAML and the OpenAthens federation easy, but you will still need to become part of any other access management federation where you want to interact with your customers - e.g. universities and colleges who are only in their own national federations.
Since all the other federations are national research and education network (NREN) based, a good first step is to join one that is part of eduGAIN as this can help with many of the technical aspects.
eduGAIN is a collaboration between many of the national research and education federations to share metadata, which means that you only have to join one of their member federations to appear in the others. Member federations can pick and choose, and some are more inclusive than others, so it's not guaranteed you'd appear in all of them. The member agreements of each federation are far from universal though, so whilst the technical aspect of joining a federation is easier, you will often still need to become a member of the federation(s) your customers are in - e.g. so that all parties are bound by the same trust framework - even if they are not the 'registration authority'.
These pages from eduGAIN will tell you more:
They recommend joining the federation in your home country as that will make communication during the joining process much easier.
A useful way of seeing which federations have you (or your customers) in their metadata is to use the REFEDS Metadata Explorer:
The exact method of joining a federation can vary, but the variations are generally about how you apply and what information they want - e.g. some will want a formal letter on headed paper, some may want proof that you own the internet domain in your entityID, most will perform some form of procedure to confirm you are who you say you are, and some will just not tell you how to register entities until you are a signed-up member. This page covers the technical information you would need to supply them to register your entity, and translates some of the terminology they are likely to use.
| Term | Meaning | Notes |
|---|---|---|
| Entity | The SAML service provider | |
| EntityID | An identifier for the entity that is unique within a federation | Read this from the connection record in the publisher dashboard. |
| Display name | What you want your service to appear as in their metadata | The published metadata uses the connection name you have set in the SP dashboard; you will usually want this to match, but it doesn't have to. |
| Metadata | An XML document that describes the entity | May not be necessary if you and they are both in eduGAIN. |
| Automatically generated metadata | Where we have published your SAML metadata | See next table. |
| Federation metadata | An aggregated set of all the entities' metadata in a federation | Once you have registered your entity in a federation, you will appear in that federation's metadata. If that federation is part of eduGAIN the data can then propagate to other member federations; depending on how often they update their metadata this could take several days. |
If / when they ask for...
| If they ask for... | Say... | Notes |
|---|---|---|
| Metadata address or file | The address where your metadata can be accessed. There should not be a requirement for it to be linkable, but they often prefer it. | Get the link or download it from the connection (SAML connector section, menu by the entityID). Choose the version with inline or hosted logos as per their requirements. If you've already joined an eduGAIN federation and appear in that aggregate, you can tell them that instead. You can check via the REFEDS link mentioned earlier. |
| | | If you want you can describe it as generic SAML, but the endpoints will give it away. |
| | | These are the targetedID and scoped affiliation values discussed elsewhere, which between them will usually tell you everything you need for authorisation. This is probably all that you need to tell them, but depending on your application you may want to specify more. |
| SAML versions supported | | |
| Certificate thumbprint | Read from your connection record in the publisher dashboard | If they ask for this it is to confirm that the certificate in the metadata you sent them is correct. Hit the dots next to the certificate to view it. |
| Encryption or Signing certificates | Copy from your connection record in the publisher dashboard | They are more likely to ask for the fingerprint (above), but if they want this in a separate email from your metadata, hit the dots menu next to your entityID on the connections tab to view your metadata and copy the X.509 certificate from there. Top / tail it with begin and end tags as below: |
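As an added example (not OpenAthens code; the entityID, metadata and certificate bytes in it are constructed placeholders), this Python script reads the entityID and each X.509 certificate out of SP metadata, produces the colon-separated thumbprints a federation operator would compare against the certificate you sent, and tops and tails the certificate with the BEGIN/END lines:

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata; the entityID and certificate bytes are hypothetical placeholders.
FAKE_DER = b"constructed placeholder DER bytes, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://sp.example.org/keystone">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(FAKE_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_certs(metadata_xml):
    """Return (entityID, [(use, der_bytes), ...]) from SAML 2.0 SP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both purposes.
        use = kd.get("use", "signing+encryption")
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            # Line breaks and indentation inside the element are legal; drop them.
            certs.append((use, base64.b64decode("".join(node.text.split()))))
    return root.get("entityID"), certs


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest of the DER, the form federations quote."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der):
    """Top and tail the base64 (64-character lines) with BEGIN/END CERTIFICATE lines."""
    body = textwrap.fill(base64.b64encode(der).decode(), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    entity_id, certs = extract_certs(SAMPLE_METADATA)
    for use, der in certs:  # compare the printed fingerprint with what the federation shows
        print(entity_id, use, fingerprint(der, "sha1"), fingerprint(der), to_pem(der), sep="\n")
```

Point the script at the metadata you downloaded from the connection record rather than the sample to check that the thumbprint the federation quotes back to you matches the certificate actually published for your entityID.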