OpenAthens
OpenAthens is a managed Single Sign-On (SSO) service that enables users to access multiple online resources, such as libraries, academic journals, and other websites, using a single username and password.
Similar to Shibboleth, OpenAthens is designed to simplify the authentication process for users across different institutions, providing a seamless and secure login experience.
Overview
Comparison with Shibboleth
Here's a comparison between Shibboleth and OpenAthens:
| Feature | Shibboleth | OpenAthens |
|---|---|---|
| Type | Open-source | Managed service |
| Hosting | Self-hosted | Cloud-based |
| Setup | Complex, requires IT resources | Easy, managed by OpenAthens |
| Standards | SAML | SAML, OAuth, OpenID Connect |
| Cost | Free (but needs maintenance) | Paid subscription |
SSO and Redirect links
To create a link where the user is first authenticated via OpenAthens and then redirected to a specific page on our platform, you can use the following URL format:
https://go.openathens.net/redirector/statista.com?url=<url-encoded-target-page>
For example:
https://go.openathens.net/redirector/statista.com?url=https%3A%2F%2Fwww.statista.com%2Foutlook%2Fconsumer-markets
OpenAthens Link Generator
This tool helps create OpenAthens redirect links by automatically encoding your target URL.
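A minimal sketch of such a generator, as an added example rather than the code behind the tool above. It builds the redirector link in the format shown earlier; the restriction of targets to HTTPS URLs on statista.com and the function names are assumptions made for this example.

```python
from urllib.parse import quote, urlsplit, parse_qs

REDIRECTOR = "https://go.openathens.net/redirector/statista.com"  # format from this page
ALLOWED_DOMAIN = "statista.com"  # assumption: links may only point into our own platform


def _check_target(target: str) -> str:
    """Reject targets that are not absolute HTTPS URLs on the allowed domain."""
    target = target.strip()
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("target must be an absolute https:// URL")
    if parts.username or parts.password:
        raise ValueError("target must not contain userinfo")
    # Exact match or a real subdomain; a bare suffix test would accept look-alike hosts.
    if host != ALLOWED_DOMAIN and not host.endswith("." + ALLOWED_DOMAIN):
        raise ValueError(f"target host {host!r} is outside {ALLOWED_DOMAIN}")
    return target


def build_redirect_link(target: str) -> str:
    """Return the OpenAthens redirector link for a validated target page."""
    # safe="" also encodes ':' '/' '?' '&' '=' so the target's own query string
    # stays inside the single url= parameter instead of leaking into the outer URL.
    return f"{REDIRECTOR}?url={quote(_check_target(target), safe='')}"


def extract_target(link: str) -> str:
    """Decode a redirector link back to its target and re-validate it."""
    parts = urlsplit(link)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECTOR:
        raise ValueError("not a redirector link for this resource")
    values = parse_qs(parts.query).get("url", [])
    if len(values) != 1:
        raise ValueError("expected exactly one url= parameter")
    return _check_target(values[0])
```

`extract_target` can be used to review links received from others before they are published, since it applies the same checks to the decoded target.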
Technical Architecture
This section explains how OpenAthens works from a technical perspective.
Components
- Identity Provider (IdP): This is the central authentication server responsible for managing user identities and credentials.
- Service Providers (SPs): These are the online resources, such as libraries or academic journals, that users want to access.
- OpenAthens Server: This is the core component of OpenAthens, which acts as a proxy between the IdP and SPs.
Authentication Flow
Here's what happens when a user tries to access an SP using OpenAthens:
1. User Requests Access: The user navigates to an SP (e.g., a library website) and clicks on a link that uses OpenAthens SSO.
2. OpenAthens Redirect: The browser is redirected to the OpenAthens server, which requests the user's authentication credentials from the IdP (Step 3).
3. IdP Authentication: The IdP prompts the user for their username and password, or alternatively, may use other forms of authentication such as OpenID Connect or Shibboleth.
4. Authentication Response: If the user enters valid credentials, the IdP responds with an authentication token to the OpenAthens server.
5. OpenAthens Validation: The OpenAthens server validates the received authentication token against a list of trusted IdPs and retrieves the relevant user information (e.g., username, email address).
6. SSO Session Creation: If validation is successful, the OpenAthens server creates an SSO session for the user on behalf of the SP.
7. SP Access Grant: The OpenAthens server redirects the browser to the SP with a set of attributes (e.g., username, affiliation) and an access token that allows the SP to verify the user's identity.
8. SP Resource Access: The user is now authenticated by the SP and can access the requested resource.
Technical Protocols
OpenAthens uses various protocols to facilitate communication between components:
- SAML (Security Assertion Markup Language): for authentication and attribute exchange
- OAuth 2.0: for authorization token management
- OpenID Connect: as an alternative authentication protocol (optional)
- Shibboleth: as a proprietary authentication protocol (optional)
Keep in mind that this is a simplified explanation, and actual implementations may vary depending on specific configurations and customizations of the OpenAthens system.
Statista's OpenAthens License
We have purchased our own OpenAthens license to better support our customers by understanding how the system works.
Administration Portals
OpenAthens provides two main administration interfaces:
Resource Configuration Portal
- URL: https://admin.openathens.net/
- Purpose: Configuration of resources (like Statista) and authentication methods
- You should have gotten a personal account to log in to this portal; if you haven't, please reach out to Christoph.
- There is also a generic "admin" user, but only Christoph receives the 2FA code to log in.
- Admin Username: statadm
- Password: Stored in Bitwarden
Service Provider Configuration Portal
- URL: https://sp.openathens.net/
- Purpose: Configuration if we were to leverage OpenAthens instead of Auth0 as our authentication infrastructure service
- Admin Username: statadm
- Password: Stored in Bitwarden
Test User Credentials
For testing purposes, we have set up a test user:
- Username: statuser
- Password: jokjen-wyKza3-suzkob
- Login URL: https://login.openathens.net/auth/statista.com/o/81990755