RE: OpenAthens doppelgänger ?

Wessel, Keith kwessel at
Fri Dec 3 23:18:20 UTC 2021

Yes, Sir, as the metadata states, OpenAthens has permission to assert to SPs. Thus the importance of getting the display name right in discovery interfaces to (hopefully) prevent people from possibly getting duplicate identities in SPs or simply confusing them with two paths into different systems. Usually, though, users won’t be able to log into the same SPs with both OpenAthens and your home IdP. The bigger risk is that they’ll select the wrong IdP and get an error because, say, OpenAthens isn’t configured to talk to the non-library SP that the user is trying to access incorrectly.

As for lessons, start simple. Explain IdP discovery and show how the user can get themselves stuck. Also might want to show them how OpenAthens can send users to your IdP, too, instead of acting as its own IdP. That won’t solve the discovery problem, but it will at least give you a more uniform user experience. In that mode, OpenAthens acts more like a proxy. At least I think it can do that. I try not to be an expert on it.

Keith, happily working at an institution clinging to EZProxy… and amazed that happily and EZProxy can go in the same sentence

From: users <users-bounces at> On Behalf Of IAM David Bantz
Sent: Friday, December 3, 2021 4:36 PM
To: Shib Users <users at>
Subject: RE: OpenAthens doppelgänger ?

Good perspective (make friends) Keith.

Aren’t scoped assertions from the OpenAthens IdP going to be “<;!!DZ3fjg!pU5ELXxS5ED2i0rL4VRp8aPSt9bec250bFvipM2ytcupNY405zNBi6-yCQX1B2gJMQ$>”?
They are not, though; they are paying customers of the for profit organization.

What sort of thing would be appropriate to "teach to" the Library liaison to OpenAthens?

On 03Dec2021 at 13:30:33, "Wessel, Keith" <kwessel at> wrote:
Depends on how many of your users are using discovery interfaces that list both as well as what the display name is for the OpenAthens entity. At the least, this sounds like an opportunity to make a friend at whichever of your campuses’ libraries is the contact for your OpenAthens configuration. It’s definitely a teachable moment.


From: users <users-bounces at> On Behalf Of IAM David Bantz
Sent: Friday, December 3, 2021 4:27 PM
To: Shib Users <users at>
Subject: OpenAthens doppelgänger ?

I haven’t been paying enough attention to OpenAthens. I just realized there is an OpenAthens federated identity provider from a for-profit organization with an entity ID and scope referring to my institution. That seems to mean that consumers of information from the OpenAthens IdP may conclude, informally from the entity ID, and more correctly based on the scope, that the assertion is about a member of my institution. As I say, I haven’t paid enough attention to OpenAthens, so maybe I need some ’splaining, but this seems to me wrong on many levels. Is it? How concerned should I be?

<md:EntityDescriptor … entityID="<;!!DZ3fjg!ss-gBE2VLSfEpyRTMYK5VOFdx_pSW4e5k8U7hArZhtkos3tYM5uHlFUeBd-KTek2sw$>">
…<shibmd:Scope regexp="false"><;!!DZ3fjg!ss-gBE2VLSfEpyRTMYK5VOFdx_pSW4e5k8U7hArZhtkos3tYM5uHlFUeBd8wANqQ8g$></shibmd:Scope>

<EntityDescriptor … entityID="<;!!DZ3fjg!ss-gBE2VLSfEpyRTMYK5VOFdx_pSW4e5k8U7hArZhtkos3tYM5uHlFUeBd8wANqQ8g$>">
… <shibmd:Scope regexp="false"><;!!DZ3fjg!ss-gBE2VLSfEpyRTMYK5VOFdx_pSW4e5k8U7hArZhtkos3tYM5uHlFUeBd8wANqQ8g$></shibmd:Scope>

David St. Pierre Bantz
University of Alaska (<;!!DZ3fjg!ss-gBE2VLSfEpyRTMYK5VOFdx_pSW4e5k8U7hArZhtkos3tYM5uHlFUeBd8wANqQ8g$> !)
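
Added example, not part of any message in this thread: a Python check that lists every scope declared by more than one IdP entity in a metadata aggregate, together with the display name each one shows in discovery, which is the situation described above. The sample aggregate, entity IDs and display names are constructed placeholders, and the script assumes metadata whose signature has already been verified.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}

def _idp(entity_id, name, scope):
    # Build one constructed IdP entry for the sample aggregate below.
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:IDPSSODescriptor '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:Extensions><shibmd:Scope regexp="false">{scope}</shibmd:Scope>'
            f'<mdui:UIInfo><mdui:DisplayName xml:lang="en">{name}</mdui:DisplayName>'
            f'</mdui:UIInfo></md:Extensions></md:IDPSSODescriptor></md:EntityDescriptor>')

# Constructed sample, not real federation metadata (placeholder entity IDs).
SAMPLE = ('<md:EntitiesDescriptor ' +
          " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + ">" +
          _idp("https://idp.example.edu/idp/shibboleth", "Example University", "example.edu") +
          _idp("https://idp.vendor.example/entity/example.edu", "Example University Library", "example.edu") +
          _idp("https://idp.other.example.org/idp", "Other College", "other.example.org") +
          "</md:EntitiesDescriptor>")

def scopes_by_idp(xml_text):
    """Map each literal (non-regexp) scope to the (entityID, DisplayName) IdPs declaring it."""
    claims = defaultdict(set)
    for ent in ET.fromstring(xml_text).iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ent.find("md:IDPSSODescriptor", NS) is None:
            continue  # SP-only entities declare no scopes
        name = ent.findtext(".//mdui:DisplayName", default="(no display name)", namespaces=NS)
        for scope in ent.iter(f"{{{NS['shibmd']}}}Scope"):
            # Regexp scopes are skipped; only literal values are grouped (case-folded).
            if scope.get("regexp", "false") in ("false", "0") and scope.text:
                claims[scope.text.strip().lower()].add((ent.get("entityID"), name))
    return claims

def shared_scopes(xml_text):
    """Return only the scopes that more than one IdP entity is registered to assert."""
    return {s: sorted(idps) for s, idps in scopes_by_idp(xml_text).items() if len(idps) > 1}

if __name__ == "__main__":
    for scope, idps in shared_scopes(SAMPLE).items():
        print(f"scope {scope!r} is declared by {len(idps)} IdPs:")
        for entity_id, name in idps:
            print(f"  {name:28} {entity_id}")
```

Similar display names on entities that share a scope are the ones most likely to confuse users in a discovery interface.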