Registering OpenAthens Keystone Service Provider Software
This page is aimed at new Service Providers (SPs) using the hosted OpenAthens Keystone SP, if you have an existing Service Provider, then there could be additional considerations and time required by us to process your request. We recommend that you retain the same `entityID` before and after migration, particularly if you either rely on additional attributes being released by IdPs or rely on the core `eduPersonTargetedID` attribute for personalisation.
OpenAthens represents a variety of SAML-based identity and access management solutions. It is a Single Sign-On product designed to aid access management to subscription-based digital content. OpenAthens (a Jisc enterprise) provides managed identity services to 2,600 organizations in over 50 countries.
You must register your OpenAthens service provider software's metadata with us in order to interoperate with IdPs registered in the UK federation. You may need to configure more features once your SP is registered, for example authorization conditions.
Before sending the information required for registration, listed below, you must ensure the following:
- Ensure that you are signed up to OpenAthens and have their Keystone product configured accordingly, and refer to OpenAthens documentation on joining other federations
- Your organization controls the domain in the entityID of your SP
- You have read the UK federation Operational Information page.
- You are familiar with the UK federation's Technical Recommendations for Participants, and other UK federation service documents.
Once these prerequisites have been met:
- A Management Contact for your organisation must email an SP registration request to the UK federation Helpdesk and include the information required for registration, listed below.
- We will verify this information and perform several technical checks. We may need to communicate with the registrant to rectify any issues.
- We then authenticate the trust fabric certificate(s) in the SP metadata by means of an email-based security procedure (see Certificate verification). The Management Contact must reply to our email before we can complete the registration.
- Once we have received the authentication email from the Management Contact, we will publish your SP's metadata in the UK federation metadata on the next publishing run. Please take note that metadata must propagate to the identity providers (IdPs) your SP will interoperate with.
- We will let you know by email once the UK federation metadata has been updated to include the information you have supplied.
- You can now test your SP using the UK federation test IdP.
The information required for registration should be provided in the email body of the message as plain text, please do not provide this as an attachment from your office software, if you must provide an attachment please use a text editor.
You can use the following SP registration request link to create an email message.
- entityID: The entityID is a URI identifying your service provider. The Shibboleth SP software will generate this for you, but you may need to change it to ensure that it conforms with requirements. It must be different from the entityID of any existing entity already in the UK federation. If your service provider is already a member of another federation please give its existing entityID, even if it appears to be federation-specific. If it is not already a member of another federation, please consult the UK federation entityID policy.
- Service Display Name: A brief name for the service. This name may be displayed on IdP login pages, and will be displayed on the Central Discovery Service (CDS) if your SP uses the CDS. Please see the federation MDUI Recommendations page for more information.
- OrganizationURL: The URL of a web page providing a description of the organisation providing the service.
- Support contact: The name and email address of one or more Support contacts. While a Support contact may be an individual, we would now recommend using a generic email address (either shared or a mailing list) with a generic title (such as 'Help desk'). You may also wish to include the OpenAthens helpdesk (
- Technical contact: The name and email address of one or more Technical contacts. While a Technical contact may be an individual, we would now recommend using a generic email address (either shared or a mailing list) with a generic title (such as 'Help desk'). You may also wish to include the OpenAthens helpdesk (
- Administrative contact: The name and email address of one or more Administrative contacts. Administrative contacts must be named individuals using unshared email addresses as they have the authority to amend or delete their entity's metadata. (Their names and email addresses are not published in the federation metadata.)
- Security contact: (recommended) The name and email address for one or more Security contacts.
- Automatically generated metadata: The OpenAthens software generates metadata matching your configuration. Please see OpenAthens documentation for the URL pointing to that metadata.
Please include that URL in your registration.
- Requested Attributes: (recommended) Include information on the attributes your SP can use. The name of the attributes only will suffice (see the Requested Attributes page for further information). We recommend inclusion of attributes as part of the registration process to facilitate interoperability, especially with IdPs registered in other federations and imported via eduGAIN.
- Software: (recommended) The SAML product name and software version of your chosen SP software. This information enables us to gauge appropriate support levels for software in use within the federation, and we do not publish this information.
- Logo: (recommended) The HTTPS-protected URL of a suitable logo. This logo may be displayed on IdP login pages, and will be displayed on the Central Discovery Service (CDS) if your SP uses the CDS. Please see the federation MDUI Recommendations page for more information. Please do not send image files; we do not include image files directly in the metadata. Note: at the current time the the OpenAthens Keystone product provided embedded logos within the metadata, we are unable to accept these, therefore you should provide one or more logo URLs.
- Description: (recommended) A short (100 character) description of the service. It may appear on the IdP login pages. Please see the federation MDUI Recommendations page for more information.
- Sirtfi compliance: If your SP complies with the Sirtfi incident response framework, please indicate that the SP has passed a self-assessment of Sirtfi v1.0. You MUST also provide the name and email address of one or more security contacts for the SP. The email addresses must be reachable from outside your organization. See our Sirtfi documentation page for more information.
- Information for Service Catalogue Send us additional information to add to our Available Services page at registration time. See How to add your Service to the list.
- Research & Scholarship (R&S) entity category: If your SP facilitates research collaboration, it may be eligible for the REFEDS R&S entity category. See our REFEDS R&S documentation page for more information.
- Data Protection Code of Conduct: If your SP is based in the EU/EEA and follows the good practices described in the GÉANT Data Protection Code of Conduct, you can assert that your SP follows the code. See our GÉANT Data Protection Code of Conduct page for more information.