A federated customer is likely to tell you up front what their federation entityID and scope are. They will look like this:

  • EntityID - https://idp.theirdomain.net/something
  • Scope - theirdomain.net

They will be used to this being sufficient information for federated suppliers (which is what you will appear to be, thanks to OpenAthens Keystone).

Their entityID will appear under the standard claim 'realmName'. However, a single entityID might represent a consortium of organisations, so for authorisation decisions you should expect to read their scope from the claim 'derivedEduPersonScope'.
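The following is an added example, not OpenAthens code, showing one way to make that authorisation decision from the two claims. The customer registry, the consortium names, the function names and the shape of the claims dictionary (a decoded set of claims, with the scope as a string or a list) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Customer:
    name: str
    entity_id: str  # compared with the 'realmName' claim
    scope: str      # compared with the 'derivedEduPersonScope' claim


# Constructed sample data. The first entry uses the placeholder values from
# the text; the other two share one consortium IdP (hypothetical names).
CUSTOMERS = [
    Customer("Their organisation", "https://idp.theirdomain.net/something", "theirdomain.net"),
    Customer("Consortium member A", "https://idp.consortium.example/idp", "member-a.example"),
    Customer("Consortium member B", "https://idp.consortium.example/idp", "member-b.example"),
]


def _norm(scope: str) -> str:
    # DNS-style names are case-insensitive; compare a canonical form.
    return scope.strip().lower().rstrip(".")


def authorise(claims: dict) -> Optional[Customer]:
    """Return the customer these claims belong to, or None to deny."""
    realm = claims.get("realmName")
    raw = claims.get("derivedEduPersonScope")
    # Assumption: the claim may arrive as one string or a list of strings.
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(realm, str) or not isinstance(raw, (list, tuple)):
        return None  # fail closed when either claim is missing or malformed
    scopes = {_norm(v) for v in raw if isinstance(v, str)}
    for customer in CUSTOMERS:
        # Exact match only: suffix or substring tests would also accept
        # look-alike or sub-domain scopes. Requiring the entityID as well
        # is a choice made in this example.
        if realm == customer.entity_id and _norm(customer.scope) in scopes:
            return customer
    return None
```

A consortium member whose scope has not been registered is denied even though its entityID is known, which is the reason to key the decision on scope.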

They may also ask if there are any other attributes you need them to release, or that might improve the user experience. They will be able to release them under whatever name you choose; however, it will be easiest for them to use the standard attribute names in their federation, e.g. eduPersonEntitlement.