Skip to main content
Skip table of contents

How to join other federations

OpenAthens Keystone will make the configuration of SAML and the OpenAthens federation easy, but you will still need to become part of any other access management federation where you want to interact with your customers - e.g. universities and colleges who are only in their own national federations.

Since all the other federations are national research and education network (NREN) based, a good first step is to join one that is part of eduGAIN as this can help with many of the technical aspects. 

eduGAIN

eduGAIN is a collaboration between many of the national research and education federations to share metadata which means that you only have to join one of their member federations to appear in the others. Member federations can pick and choose, and some are more inclusive than others so it's not guaranteed you'd appear in all of them. The member agreements of each federation are far from universal though, so whilst the technical aspect of joining a federation is easier, you will often still need to become a member of the federation(s) your customers are in - e.g. for all parties to be bound by the same trust framework - even if they are not the 'registration authority'. 

These pages from eduGAIN will tell you more:

They recommend joining the federation in your home country as that will make communication during the joining process much easier. 

A useful way of seeing which federations have you (or your customers) in their metadata is to use REFED's metadata explorer:

Methods

The exact method of joining a federation can vary, but those variables are generally about how you apply and what information they want - e.g. some will want a formal letter on headed paper, some may want proof that you own the internet domain in your entityID, most will perform some form of procedure to confirm you are who you say you are and some will just not tell you how to register entities until you are a signed up member. This page covers the technical information you would need to supply them to register your entity, and translates some of the terminology they are likely to use. 

Terminology

TermMeansNotes
EntityThe SAML service provider
EntityIDAn identifier for the entity that is unique within a federationRead this from the connection record in the publisher dashboard.
Display nameWhat you want your service to appear as in their metadataThe published metadata uses the connection name you have set in the SP dashboard and whilst you will usually want this to match it doesn't have to.
MetadataAn XML document that describes the entityMay not be necessary if you and they are both in EduGAIN

Metadata address,

Automatically generated metadata

Where we have published your SAML metadataSee next table
Federation metadataAn aggregated set of all the entities' metadata in a federationOnce you have registered your entity in a federation, you would appear in that federations metadata. If that federation is part of eduGAIN the data can then propagate to other member federations - depending on how often they update their metadata this could take several days.

If / when they ask for...

If they ask for...Say...Notes
Metadata address or file


The address where your metadata can be accessed.  The metadata they're asking for can be copied form the admin site (SAML connection section of the connection (dots menu next to the entityID). There should not be a requirement for it to be linkable but they often prefer it.

Get the link or download it from the connection (SAML connector section, menu by the entityID). Choose the version with inline or hosted logos as per their requirements.

If you've already joined an eduGAIN federation and appear in that aggregate, you can tell them that instead. You can check via the refeds link mentioned earlier.

Software

OpenAthens Keystone

If you want you can describe it as generic SAML, but the endpoints will give it away. 
Requested attributes

urn:oid:1.3.6.1.4.1.5923.1.1.1.9

and

urn:oid:1.3.6.1.4.1.5923.1.1.1.10

These are the targetedID and scoped affiliation values discussed elsewhere which between them will usually be able to tell you everything you need for authorisation.

This is probably all that you need to tell them, but depending on your application you may want to specify more.

SAML versions supported

SAML 2


Certificate thumbprintRead from your connection record in the publisher dashboard

If they ask for this it is to confirm that the certificate in the metadata you sent them is correct. Hit the dots next to the certificate to view it.

Encryption or Signing certificatesCopy from your connection record in the publisher dashboard

They are more likely to ask for the fingerprint (above), but if they want this in a separate email from your metadata, hit the dots menu next to your entityID on the connections tab to view your metadata and copy the x509 certificate from there. Top / tail it with begin and end tags as below:

CODE
-----BEGIN CERTIFICATE-----
qd87h5o8a7a475... the certificate data, etc
-----END CERTIFICATE-----

See also: 

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.