Using OpenAthens for SAML Single Sign On

This article includes information to assist organisations that use OpenAthens for SAML Single Sign On (both via SAML Federations and via bilateral trust).

Please note that Digital Theatre+ is not federated within the OpenAthens Federation.

Digital Theatre+ supports authentication through OpenAthens using either SAML Federations (such as UK Access Management Federation, InCommon or EduGain) or bilateral (1:1) trust.

Requesting SAML Single Sign On

Please use this form to start the process:

Allocate the Digital Theatre+ application


Required attributes

Customers wishing to authenticate via SAML Single Sign On will need to release the following, depending on the configuration:

For direct (bilateral/1:1) configurations:

  1. Subject Name ID or another attribute containing a persistent identifier for the user that has the syntax of an email address.

For federated configurations:


  1. eduPersonPrincipalName (where the value matches email syntax), or
  2. eduPersonTargetedID and eduPersonScopedAffiliation (which OpenAthens releases by default)
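
To confirm that your Identity Provider releases what is listed above, the following added example (not Digital Theatre+ or OpenAthens code) checks a decoded SAML 2.0 assertion against these rules. The function names, the email-syntax pattern and the sample assertion are assumptions constructed for illustration. For bilateral setups it inspects only the Subject NameID, and it does not verify signatures.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard eduPerson attribute OIDs, keyed by friendly name.
OIDS = {"eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
        "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
        "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"}
# Assumption: "email syntax" approximated as local@domain.tld with no whitespace.
EMAIL_LIKE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: targeted ID plus scoped affiliation, opaque NameID.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID>opaque-7f3a</saml:NameID></saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID">
<saml:AttributeValue><saml:NameID>opaque-7f3a</saml:NameID></saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
<saml:AttributeValue>member@example.ac.uk</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""


def released_attributes(assertion_xml):
    """Return (subject NameID, {attribute OID or name: [values]})."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(".//saml:Subject/saml:NameID", "", NS).strip()
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        key = OIDS.get(attr.get("FriendlyName")) or OIDS.get(name, name)
        # eduPersonTargetedID nests a NameID element, so collect all inner text.
        values = ["".join(v.itertext()).strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(key, []).extend(v for v in values if v)
    return name_id, attrs


def check_release(assertion_xml, mode):
    """Return the rule the assertion satisfies for this mode, or None."""
    name_id, attrs = released_attributes(assertion_xml)
    if mode == "bilateral":
        return "NameID" if EMAIL_LIKE.match(name_id) else None
    if any(EMAIL_LIKE.match(v) for v in attrs.get(OIDS["eduPersonPrincipalName"], [])):
        return "eduPersonPrincipalName"
    if attrs.get(OIDS["eduPersonTargetedID"]) and attrs.get(OIDS["eduPersonScopedAffiliation"]):
        return "eduPersonTargetedID+eduPersonScopedAffiliation"
    return None


if __name__ == "__main__":
    print(check_release(SAMPLE, "federated"), check_release(SAMPLE, "bilateral"))
```
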


Supporting information

Information to provide Digital Theatre+

For access via SAML Federation (e.g. UKAMF, InCommon, EduGain)

Please provide the entity ID associated with your organisation, so that we may access your metadata via the Metadata Explorer Tool.  For example:

For access via bilateral (1:1) custom SAML trust

Please provide the URL to your Identity Provider's Metadata XML file.  For example:

Supporting information

Configuring OpenAthens for access via SAML Federations

Restrictive mode

  • You will need to allocate the Digital Theatre+ resource.  You can do this by searching for the resource in the catalogue using our Service Provider entity ID:


Permissive mode

  • You do not need to allocate the resource.

Configuring OpenAthens for access via bilateral (1:1) trust

  • You will need to upload the Service Provider Metadata XML file that will be provided by our support team to create a custom SAML resource in your catalogue. You can reply to the support email thread, or if you have not started the process, open a new request via
  • Instructions for doing this are available in the OpenAthens Identity Documentation.
  • If your OpenAthens instance is in restrictive mode, you will need to allocate it as described above.