OpenAthens Guide: OpenAthens Terminology

• The term “domain” refers to the part of the URL that is unique to the identity provider without the HTTP:// or anything after the domain. An example of a domain is liberty.edu, Liberty University’s domain.
• “Link structures” refers to several components that construct a URL. These components, such as HTTPS, www., domain, and the target destination, create the specific link structure that comprises every URL.
• The term “target” within a URL refers to the page the URL intends to send the user. Link structures can vary from service providers, and technical support staff must familiarize themselves with how specific vendors structure their links to resolve access issues. Usually, links will have recurring characters such as dashes and forward slashes found in most link structures. However, these characters can change if a link is encoded.
• The term “encoding” refers to changing certain characters in a URL, such as a dash or a dot, into encrypted characters, such as a percentage sign, that are easier for a computer to read. Links created using the OpenAthens link generator tool are encoded to provide more reliable access to electronic resources.

• There are three distinct types of organizations that serve a role in authenticating users to access electronic resources; Identity Providers (IDPs), Service Providers (SPs), and intermediary organizations that provide authentication, such as OpenAthens (OA).
• Identity Providers are usually universities or large organizations seeking secure access to the electronic resources that service providers offer.
• Service Providers have the electronic resources or digital content that identity providers want to provide their users. 

• “SAML” is a term that refers to the security assertion markup language that is used with OpenAthens authentication. SAML was created to allow organizations to send attributes of the organization’s users to OpenAthens and service providers.
• The term “attributes” refers to information that can be transmitted and used for things such as mapping permissions that are used for identifying elements from users such as email address, first name, last name, and more. These attributes usually come from an identity provider’s local directory and are sent through redirector links.
• "Redirector links" take users to a target location through an intermediary organization, such as OpenAthens. Therefore, when a user executes a redirector link, OpenAthens performs a login authentication check. If the user is from an approved identity provider, the user is sent to the electronic resource specified in the URL’s target. Redirector links contain the entity ID of the identity provider, which is checked against the federation, then forwards the user to the target.
• The term “single sign on” (SSO) refers to a single task that requires users to enter their credentials, usually a username and password, to confirm that they are a member of an organization.

There are three primary forms of authentication provided by OpenAthens.

1. “Proxied access,” which refers to a user accessing an electronic resource through IP authentication. Subsequently, “IP authentication” is a form of authentication that uses a unique string of characters to indicate where the user is coming from to check if the user is attempting to access an electronic resource from an approved identity provider.
2. "Federated access,” which refers to a group of entities that have all agreed to share their metadata within a trusted host, making it easier within that federation to connect and provide access to their electronic holdings. Organizations that want to set up federated access with service providers must have an entity ID and unique scope that provides identities for the organization’s users. An entity ID is a unique ID that federations use to distinguish between organizations. Every organization that uses federated access has a unique entity ID. An organization’s entity ID usually contains the organization’s domain within the entity ID, but the entity ID can be anything, and there is no standardization or requirement in this area. An organization can have multiple scopes depending on how many sub-organizations fall under the larger organization.
3. "Bilaterally connected access.” This form of authentication is essentially a federated connection between two organizations. Bilateral connections require organizations to send each other their metadata and consume that metadata to create a connection between the service provider and the organization to create a secure connection.