OpenAthens IdP elements
OpenAthens also provides a hosted identity provider used by all our Identity customers. If you are purely a service provider, there are two touchpoints for you to know about:
Creating test accounts
You are almost certainly going to be adding your application to the OpenAthens federation at some point and you are going to want to test that it works with the system that our mutual customers are using.
Here are the basic steps to create two test accounts, one with a role and one without. There are complete instructions on all of the functions in the Identity documentation:
- Access the user-administration area at https://admin.openathens.net.
- From the menu bar select Resources > Permission sets
  - You should have one already called default - this will provide a role of 'member' for all accounts it is assigned to
  - You will want to add one more permission set with a different role
  - Click add
    - Name it
    - From the list of roles, choose any other role that appeals to you
    - Save
- Now that we have two permission sets with different roles, we can create some test accounts that will act in different ways:
  - Accounts > Add > Personal
    - Fill in the mandatory details on the first two tabs
    - Skip the optional details tab if you like
    - On the fourth tab, select or clear the checkboxes until you have only one permission set selected
    - Save and repeat twice more to create one with the other permission set and one with no permission set.
These three accounts give you two that will provide a scoped attribute on access (but with different roles), and one that will not provide a role (and consequently no scope for you to authorise on).
These give you many test options and should cover all the ways your resource might work. Our service desk can also give you access to additional test accounts with a different scope when you're ready.
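The check your application makes against these three accounts can be sketched as follows. This is an added example, not OpenAthens code: the attribute name `eduPersonScopedAffiliation`, the scope `example.org`, the role `alum` and all function names are assumptions chosen for illustration.

```python
# Added example: SP-side authorisation on a scoped "role@scope" attribute.
# Assumptions (not from the page): attribute name, scope, second role name.
from typing import Mapping, Optional, Sequence, Tuple

ATTR = "eduPersonScopedAffiliation"      # assumed attribute name
ALLOWED = {"example.org": {"member"}}    # constructed: scope -> roles you license


def parse_scoped(value: str) -> Optional[Tuple[str, str]]:
    """Split 'role@scope' into (role, scope); None if the value is malformed."""
    role, sep, scope = value.strip().partition("@")
    if not sep or not role or not scope or "@" in scope:
        return None
    return role.lower(), scope.lower()


def authorise(attributes: Mapping[str, Sequence[str]]) -> bool:
    """Fail closed: grant only on an allowed role at an allowed scope."""
    for raw in attributes.get(ATTR, ()):   # attribute may be absent or multi-valued
        parsed = parse_scoped(raw)
        if parsed is None:
            continue                       # ignore malformed values, never grant on them
        role, scope = parsed
        if role in ALLOWED.get(scope, set()):
            return True
    return False


# Constructed attribute sets mirroring the three test accounts
TEST_ACCOUNTS = {
    "default permission set": {ATTR: ["member@example.org"]},
    "second permission set": {ATTR: ["alum@example.org"]},
    "no permission set": {},               # no role released, so no scope either
}


def run_checks() -> dict:
    """Return the access decision for each test account."""
    return {name: authorise(attrs) for name, attrs in TEST_ACCOUNTS.items()}


if __name__ == "__main__":
    for name, granted in run_checks().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The account with no permission set is the important case: the application should deny access when the attribute is missing rather than fall back to a default role.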
If you are using OpenAthens Keystone
OpenAthens accounts from your own domain will work without further changes.
If you are using other software (such as Shibboleth)
If you are not ready to add the OpenAthens federation metadata to your SP, you can add the metadata for just your own OpenAthens IdP: https://login.openathens.net/saml/2/metadata-idp/YOUR_OPENATHENS_API_NAME
Controlling access to the publisher dashboard
If you only have one application and you manage it in-house, then using one set of credentials is probably OK and the default settings will support this.
If you have different people or groups working on different applications, though, you may want to limit access to the application configuration. To do this, first create some administrator accounts in the user-admin area, then assign one or more of them to each application.
The accounts section of the publisher dashboard is usually sufficient to add or remove such accounts, but if you need to perform any detailed operations you will need to find these accounts in the Identity interface as follows:
- Access the Identity administration area at https://admin.openathens.net.
- From the menu bar select Accounts > List
  - or use the big accounts button on the homepage
  - or enter the full account username in the search box at the top of the page
- The results will be split over four tabs - select the tab saying administrator
- Click on any username to view or edit the details
- Save when done