Understanding service provider integrations

Whether you already offer single sign-on for your products or use another method, we are here to assist you. In this guide, we explain the different ways to connect with your customers' existing systems to enhance the single sign-on experience for your users. We help you establish secure connections with your customers, providing expert advice and support every step of the way, and eliminating the need for unsafe peer-to-peer connections.

OpenAthens technologies

OpenAthens allows libraries and identity providers to connect securely to your resources, providing you with access to the needed user data, without necessarily sharing personally identifiable information (PII). We use two different methods to allow single sign-on integrations. 

  1. SAML integrations and the OpenAthens Federation

    We help service providers integrate with OpenAthens using your SAML, via Shibboleth, or SimpleSAMLPHP. We are part of the REFEDS community and we follow the same technical standards as other national federations. 

    If you are using a platform provider such as Silverchair, Atypon, Highwire, then you also have access to a SAML SP, so we can work with your platform provider to integrate you with OpenAthens. 

  2. OpenID Connect (OIDC) and OpenAthens Keystone

    Along with SAML, OIDC is fast becoming the new dominant standard in federated identity. Adding support for OIDC enables OpenAthens to connect to a wider range of identity systems and directories which organizations are increasingly starting to use. 

    You can configure an application supporting OpenID Connect. Keystone is an OpenAthens cloud hosted service we provide to publishers who do not have an existing SAML SP. Keystone uses an OIDC library to connect with your platform, so we can take care of all the SAML requirements. 

    OIDC is a common standard and is often supported on hosting services like WordPress. It will also be supported on enterprise IAM solutions like Okta, Auth0, Amazon Cognito.


Browser cookies on a laptop

Identity and Access Management solutions (IAM) 

Identity and Access Management (IAM) is like a toolbox for organizations. It is a framework of business policies, rules, ways of doing things, that answers the questions who does what, when, and why. This makes sure only the right people get into the right places at the right times. 

IAM makes life easier for employees too. They don’t have to worry about remembering lots of different passwords or getting permission for each thing they need to do. IAM could include different sign on options working at the same time, as it could be SSO, multifactor authentication. Some examples are Okta, Auth0, Amazon Cognito, Shibboleth, Microsoft Entra, Google Workspace and OpenAthens. 

Discover our Keystone product
Two people working on a computer

How can you support single sign-on to your products?

Most customers or subscribers will have a SAML-based identity provider or single sign-on solution, and therefore, we recommend registering your product in SAML-based federations. 

  • If your product already supports SAML-based authentication: You can often register it directly in a federation. 
  • If your product does not support SAML-based authentication: You won’t be able to register it in a federation. To sort this, OpenAthens has Keystone, a product that helps you implement or integrate OIDC clients, allowing the outsourcing of the operation of the SAML service provider to OpenAthens. This allows you to register in a federation.  
  • If you use a platform provider, or third-party provider for the hosting and running of your product: You can ask them to enable SAML directly or integrate with Keystone. 

What are 1:1 SAML connections?

Have you heard of 1:1, bilateral or peer-to-peer connections? They are a direct line between you and a specific identity provider or library. They make it possible to share information between SAML-enabled systems, such as libraries and publishers, without needing to join a federation. 

OpenAthens Keystone can connect to SAML sources such as Microsoft Entra, Google Workspace, Okta, OneLogin, and others so libraries and organizations do not have to issue personal accounts for their users. They can simply use their institutional, organizational or local credentials 

Federated authentication is the standard for authentication within the academic sector globally. However, you may well sell to libraries or organizations outside of that market. 1:1 SAML allows you to still connect to these customers through SSO.  

A hello sign - contact us

Do you need more information?

If you have any questions or you need more information, contact our account management team, and they will be happy to guide you and find a solution that suits your needs.

Contact your account manager

Applications we work with include:

The logos from a collection of applications we work with including: Okta, Ping Federate, Azure, Simple SAML, Office 365, Shibboleth, Onelog