SSO Setup | Federated SSO

Federated SSO is an effort to allow users to access using their employee or education network IDs when they belong to an Access Federation.


Your organization’s identity provider needs to be part of the UKAMF or OpenAthens federation.

Organizations that are part eduGAIN federation and are compatible with UKAMF are supported too.

UKAMF - UK Access Management Federation or UK Federation - provides a solution for access to online services for educational and research organisations. The UKAMF is a UK-based federation.

OpenAthens is both a suite of commercial products and an access management federation, all owned by the company EduServ. The FT makes use of OpenAthens SP product to manage federated SSO as a service provider. The FT is also registered in OpenAthens Federation as a service provider. OpenAthens Federation is an international access management federation, promoted for any publisher as a service provider and any identity provider that can meet the federation requirements.

eduGAIN is a service that connects many federations around the world. The UKAMF publishes its federation metadata (participant information) to eduGAIN, as do many other federations e.g. InCommon for USA, SurfConext for Netherlands, SWAMID for Sweden. UKAMF will automatically import all eduGain metadata that meets its standards. This means most participants registered in eduGAIN are available to UKAMF. SSO integration

In order to integrate your organization IDP, we only need your IDP entity id as configured in the access management federation. We will use this id to configure the SSO access in federation metadata information entity Id:

Supported Bindings:

  • urn:oasis:names:tc:SAML:1.0:profiles:browser-post
  • urn:oasis:names:tc:SAML:1.0:profiles:artifact-01
  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

For any queries about the FT’s FSSO service, please contact the support team Autolink feature

We support an autolink feature, this will allow existing users to login with their corporate credentials without having to do a one-off setup. In order to allow this feature, your IDP needs to send the user’s email address as part of the SAML assertions.

This can be configured in your IDP.

Appendix 1 - OpenAthens Configuration - Add email to SAML response

These are the steps in OpenAthens to add the email address to the SAML response

OpenAthens admin console:

Verify that email address is a releasable attribute:

  • Go to Schema Editor section: Menu > Preferences > Schema Editor
  • Open the Core Attributes item: Personal Account > Core Attributes
  • Verify the properties for the email field. It needs to display releasable, see image.


Add email address to the SAML response:

  • Go to Attribute Release section: Menu > Preferences > Attribute Release
  • Click edit on the Global (all resources) policy. Edit appears when you hover over the policy.
  • Click on email address. It should be displayed with a tick.
  • Click Done
  • Click on save changes.