Skip to the content
Your team may need to make changes in order to install OpenID Connect. You may also need to upgrade your subscription management system.

Install OpenID Connect on your platform

OpenID Connect allows publishers and service providers to verify the identity of the user based on the authentication performed by an authorization server. It also allows you to obtain basic profile information about the end-user in an interoperable and REST-like manner. 

Visit the OpenID Connect website for information about how to get started and for access to the code libraries.

Make sure your subscriptions management system can handle attributes

If your platform already uses IP recognition and/or an internal username/password scheme, it probably interacts with a subscription management system to control access, identify the user’s organisation and display the appropriate content. Your subscriptions management system will need to be enhanced to handle the institutional identifiers (attributes) passed by OpenAthens for authorisation in addition to the existing ways of authorising users.

Attributes, personalisation and privacy

In essence, attributes are data points exchanged between your platform and the institution during authorisation. Standard attributes allow you to differentiate between individual users by maintaining their privacy at the same time. Extended attributes like name or email are often used to provide personalisation features. But you need to make sure your privacy policy and agreement with your customer allows you to process personal data about the users.

Standard attributes

One of the major advantages of an identity federation is that a standard set of attribute names can be defined. This means that in most cases, both identity providers and service providers can use generic set-ups and do not need to maintain hundreds of separate configurations.

Extended attributes

Whilst you can make use of these attributes, you should neither expect nor require them. This is because local data protection laws, policies, user objections or other restraints may prevent an identity provider from releasing these to you. Consequently, you must not use them for authorisation. 

Find out more about attributes in the our documentation.

Implement WAYFless and deeplinking

In identity federations, the publisher or service provider platform needs to know where to send the end-user for authentication. This is called discovery. There are two ways to achieve it and doing both is recommended.

WAYF refers to 'Where Are You From'. WAYFless URLs avoid the need for the end-user to search through a long list for their organisation every time they want to login to access your content. You can create a WAYFless URL by including the federation identifier for the user's organisation in the URL eg. https://sp.yourdomain.com/path?entity=https://idp.theirdomain.com/entity.  

Deep linking means being able to link directly to a specific page or article of the user's choice in your application. Ideally, the link passes through your authorisation process so that the end-user does not have to navigate away from that landing page to log in. A great example of this is a list of links to articles in a library portal.

WAYFless access and deep linking are very popular with libraries and you should support both where possible.

Have a question?

Get in touch with your implementation team

If you have a question about onboarding, please get in touch with your onboarding lead. If you are not sure who that is, send us an email at contact@openathens.net