Testing OpenAthens Keystone Login

This tutorial walks you through testing the OpenAthens Keystone integration with Auth0 across different environments.

What You'll Learn

By following this tutorial, you will:

• Access the OpenAthens login flow
• Authenticate using test credentials
• Verify successful authentication across environments

Prerequisites

• Access to the CPE_Internal collection in Bitwarden
• Basic understanding of SSO authentication flow

Test User Credentials

The test credentials are stored securely in Bitwarden.

• Username: stat_test-user
• Password: Available in the CPE_Internal collection in Bitwarden

If you don't have access to these credentials, contact the UAS team.

Step-by-Step Guide

Step 1: Choose Your Environment

Select the appropriate login URL based on which environment you want to test:

• Local: https://www.statista.test/sso/oa-deeplink?entity=https://idp.statista.com/entity
• Stage: https://stage.statista.com/sso/oa-deeplink?entity=https://idp.statista.com/entity
• Production: https://www.statista.com/sso/oa-deeplink?entity=https://idp.statista.com/entity

Step 2: Initiate Login

1. Open your chosen login URL in a web browser
2. You will be redirected to the OpenAthens login page

Step 3: Select Organization

On the OpenAthens login page:

1. Select "Statista" as the organization
2. Click "Sign in with an OpenAthens account"

Step 4: Authenticate

Enter the test user credentials:

• Username: stat_test-user
• Password: (from Bitwarden)

Step 5: Verify Login Success

After successful authentication:

1. You will be redirected to the Statista home page
2. A session will be active

Step 6: Confirm Authentication

To verify you are properly authenticated, visit the user info page for your environment:

• Local: https://www.statista.test/sso/userinfo
• Stage: https://stage.statista.com/sso/userinfo
• Production: https://www.statista.com/sso/userinfo

This page displays your authentication details and confirms your session is active.

What's Happening Behind the Scenes

When you complete this login flow:

1. OpenAthens Keystone converts the SAML authentication to OIDC
2. Auth0 receives the OIDC token and creates a session
3. The domain is extracted from your eduPersonScopedAffiliation attribute
4. The system looks up your organization based on the domain
5. You're granted access with the appropriate permissions

Next Steps

Now that you've successfully tested the OpenAthens login flow, you might want to:

• Learn about how the architecture works
• Explore how to add new OpenAthens connections
• Check the OpenAthens Keystone reference for technical details

---

Last updated: March 24, 2026 at 10:39

By: Axel Tetzlaff

📄 View source

Repository: CPE-Orga/sso-docs