OpenAthens Keystone

OpenAthens Keystone is our hosted Service Provider option. It is middleware that allows an OpenID Connect Relying Party to be used in SAML federations without the need to understand SAML. As long as your OpenID Connect relying party meets the basic requirements, there should be no problem using it with Keystone.

See also: What is OpenAthens Keystone

Basic OpenID Connect requirements

Whichever OpenID Connect client, plug-in or framework you are using, it...

MUST

  • be OpenID Connect based on OAuth2 rather than plain OpenID.
  • support daily key rotation.
    • i.e. the keys published at our JWKS endpoint will change every 24 hours. This is usually handled automatically by whichever OpenID Connect framework you are using.

SHOULD

  • support multiple providers so that Keystone can be used alongside any other OpenID Connect login options you do or may want to provide (e.g. Google).

MAY

  • utilise PKCE (Proof Key for Code Exchange)
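
If your client does not handle the daily key rotation for you, the sketch below shows the usual pattern: cache the JWKS by `kid` and refetch when a token names a key you have not seen. It is an added example, not OpenAthens code; `RotatingJwksCache`, `fetch_jwks` and the 60-second refetch limit are hypothetical, it assumes the published keys carry a `kid`, and signature verification with the selected key is left to your JOSE library.

```python
import base64
import json
import time


def _header(token):
    """Decode the unverified JOSE header of a compact JWT."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_unsigned_token(kid):
    """Constructed sample input: real header shape, dummy payload and signature."""
    header = json.dumps({"alg": "RS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"


class RotatingJwksCache:
    """Pick the verification key by kid, refetching the JWKS on a miss."""

    def __init__(self, fetch_jwks, min_refetch_seconds=60, clock=time.monotonic):
        self._fetch_jwks = fetch_jwks  # assumption: callable returning the parsed JWKS
        self._min_refetch = min_refetch_seconds
        self._clock = clock
        self._keys = {}
        self._last_fetch = None

    def _refresh(self):
        jwks = self._fetch_jwks()
        # Replace the whole set so keys that were rotated out stop being trusted.
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._last_fetch = self._clock()

    def key_for(self, token):
        kid = _header(token).get("kid")
        if kid is None:
            raise ValueError("token header has no kid")
        if kid not in self._keys:
            # Unknown kid usually means the provider rotated. Refetch, but
            # rate-limit so tokens with made-up kids cannot trigger a fetch each.
            now = self._clock()
            if self._last_fetch is None or now - self._last_fetch >= self._min_refetch:
                self._refresh()
        if kid not in self._keys:
            raise KeyError(f"no published key with kid {kid!r}")
        return self._keys[kid]  # hand this JWK to your JOSE library to verify
```

A client that pins the key set at start-up, or caches it for longer than a day without the refetch-on-miss path, will start rejecting valid logins after the next rotation.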
