Registering an OpenAthens Identity Provider
This page is aimed at new Identity Providers (IdP) using the hosted OpenAthens IdP, if you have an existing Identity Provider you are migrating to OpenAthens, then we recommend you follow one of the following pages;
OpenAthens represents a variety of SAML-based identity and access management solutions. It is a Single Sign-On product designed to aid access management to subscription-based digital content. OpenAthens (a Jisc enterprise) provides managed identity services to 2,600 organizations in over 50 countries.
You must register your OpenAthens IdP's metadata with us in order to interoperate with other SPs in the UK federation. You may need to configure more features once your IdP is registered, for example to configure and test attribute release policies.
Before sending the information required for registration, listed below, you must ensure the following:
- You are signed up to use the OpenAthens service, and ready to use the UK federation. see OpenAthens guidance on how to join the UK Access Management federation
- Your organization controls the domain in the entityID and scopes associated with your IdP
- You need to consider how your IdP will appear in discovery services and its visibility. The UK federation CDS (Central Discovery Service) acts as a fallback for SPs that do not want to run their own discovery service. Both the CDS and local discovery services should display the IdP Organization Display Name, and may display the IdP's logo. Please review the federation's IdP listing policy.
- You have read the UK federation Operational Information page.
- You are familiar with the UK federation's Technical Recommendations for Participants, and other UK federation service documents.
Once these prerequisites have been met:
- A Management Contact for your organisation must email an IdP registration request to the UK federation Helpdesk and include the information required for registration, listed below.
- We will verify this information and perform several technical checks. We may need to communicate with the registrant to rectify any issues.
- We then authenticate the trust fabric certificate(s) in the IdP metadata by means of an email-based security procedure (see Certificate verification). The Management Contact must reply to our email before we can complete the registration.
- Once we have received the authentication email from the Management Contact, we will publish your IdP's metadata in the UK federation metadata on the next publishing run. Please take note that metadata must propagate to the services providers (SPs) your IdP will interoperate with.
- We will let you know by email once the UK federation metadata has been updated to include the information you have supplied.
You should not attempt to gain access to any live service until you have verified that your identity provider is properly configured and handling attributes correctly. You can test your IdP using the UK federation test SP.
The information required for registration should be provided in the email body of the message as plain text, please do not provide this as an attachment from your office software, if you must provide an attachment please use a text editor.
You can use the following IdP registration request link to create an email message.
- entityID: The entityID is a URI identifying your identity provider. It must be different from the entityID of any existing identity provider or service provider already in the UK federation. If your identity provider is already a member of another federation please give its existing entityID, even if it appears to be federation-specific. If it is not already a member of another federation, please consult the federation entityID policy.
- Scopes: The scopes (security domains) for which attribute assertions made by this identity provider should be considered valid. Usually there will be only one of these and it will almost always be the organisation's domain name. This should be specified in lower case.
- Visibility: Specify "yes" or "no". Please see the federation IdP listing policy for further details. If your organisation already has a registered IdP visible in the default list, we recommend that you register any additional IdP with visibility "no"
- User accountability: Specify "yes" or "no". This is a declaration whether or not the identity provider commits to observe the provisions of 'user accountability', as defined in section 6 of the federation's Rules of Membership. ("yes" may require extra work by the identity provider operator, "no" will deny your end users access to some services.)
- Software: (recommended) The SAML product name and software version of your chosen IdP software. This information enables us to gauge appropriate support levels for software in use within the federation, and we do not publish this information. You should just enter
- Logo: (recommended) The HTTPS-protected URL of an organizational logo, suitable for display on the CDS. It may also appear on a SP's discovery page when a user requires access. Please see the federation MDUI Recommendations page for more information. Please do not send image files; we do not include image files directly in the metadata.
- Organisation display name: A short name (a few words at most) to identify your IdP. This is the text which will appear in the CDS list of identity providers. The text selected should comply with these guidelines.
- Organisation URL: The URL of a web page providing a description of the organisation or organisational unit responsible for operating the identity provider.
- Support contact: The name and email address of one or more Support contacts. You may want to include a local email address or the OpenAthens helpdesk (
email@example.com) or both.
- Technical contact: The name and email address of one or more Technical contacts. You may want to include a local email address or the OpenAthens helpdesk (
firstname.lastname@example.org) or both.
- Administrative contact: The name and email address of one or more Administrative contacts. (This information is not published in the federation metadata.)
- Automatically generated metadata: The remaining information required for the registration of your IdP is in the metadata generated by your IdP installation. Please attach a file containing the metadata or include a URL where we can download the metadata from (the URL should end with
- Sirtfi compliance: If your IdP complies with the Sirtfi incident response framework, please indicate that the IdP has passed a self-assessment of Sirtfi v1.0. See our Sirtfi documentation page for more information.
- Security contact: The name and email address of a security contact. This is mandatory for Sirtfi-compliant IdPs.
- Research & Scholarship (R&S) entity category support: The UK federation encourages IdP operators to support the REFEDS R&S entity category to facilitate research collaboration. See our REFEDS R&S documentation page for more information.