Configuring Sign-on to OpenAthens


If your institution uses OpenAthens, you can configure Evergreen to sign patrons in to OpenAthens using their Evergreen account. This will let them connect to OpenAthens resources seamlessly once they have logged in to Evergreen. Patrons are assigned an OpenAthens identity dynamically based on their Evergreen login, and do not need accounts created manually in OpenAthens.

Registering your Evergreen installation with the OpenAthens service

Using your OpenAthens administrator account at, complete the following steps:

  1. Register a local authentication connection for Evergreen:

    1. Go to ManagementConnections.

    2. Under Local authentication click Create.

    3. In the wizard that appears, select Evergreen as the local authentication system type (or API if Evergreen is not listed) and click Configure.

    4. For Display name, enter the name of your Evergreen portal that your patrons will be familiar with. They will need to be able to recognize and select this name from a list of sign-in options on OpenAthens.

    5. For Callback URL enter https://<HOSTNAME>/eg/opac/sso/openathens where <HOSTNAME> is the public hostname of your Evergreen installation, and click Save. (If you have installed Evergreen somewhere other than /eg, modify the URL accordingly.)

    6. On the details page that appears, take a copy of the Connection ID and Connection URI that have been generated. You will need these when configuring Evergreen.

  2. Generate an API key:

    1. Go to ManagementAPI keys and click Create.

    2. For Name, enter 'Evergreen' or whatever name you use for your Evergreen portal internally, and click Save.

    3. Take a copy of the 36-character key that has been generated. You will need this when configuring Evergreen.

Full OpenAthens documentation, including screenshots, for local authentication API connections is available at

Configuring Evergreen

OpenAthens sign-on is configured in the staff client under Local AdministrationOpenAthens Sign-on.

To make a connection, confirm the library location is correct and select New Sign-on to OpenAthens.

OpenAthens Admin

Set the values as follows:

  • Owner - The organization within your library hierarchy that owns the connection to OpenAthens. If your whole consortium has signed up to OpenAthens as a single customer, then you would select the consortium. If only one regional library system or branch is the OpenAthens customer, select that. Whichever organization you select, the OpenAthens connection will take effect for all libraries below it in your organizational hierarchy. A single OpenAthens sign-on configuration normally equates to a single domain in the OpenAthens service. If in doubt, refer to your OpenAthens account manager or implementation partner.

  • Active - Enable this connection (enabled by default). N. B. Evergreen does not support more than one active connection to OpenAthens at a time per organization. If more than one connection is added per organization, Evergreen will use only the first connection that has Active enabled.

  • API key - The 36-character OpenAthens API key that was generated in step 2 above.

  • Connection ID - The numerical Connection ID that was generated for the OpenAthens local authentication connection in step 1 above.

  • Connection URI - The Connection URI that was generated for the OpenAthens local authentication connection in step 1 above.

  • Auto sign-on - Controls when patrons are signed on to OpenAthens:

    • enabled (recommended) - As soon as a patron logs in to Evergreen, they are signed in to OpenAthens. This happens via a quick redirect that the user should not notice.

    • disabled - The patron is not signed in to OpenAthens to start with. When they first access an OpenAthens-protected resource, they will need to search for your institution at the OpenAthens log-in page and choose your Evergreen portal as the sign-in method (they will see the name you entered as the Display name in step 1 above). Evergreen will then prompt for log-in if they have not already logged in. After that, they are signed in to OpenAthens and OpenAthens redirects them to the resource.

  • Auto sign-out - Controls whether the patron is signed out of OpenAthens when they log out of Evergreen. If enabled the patron will be sent to the OpenAthens sign-out page when they log out of Evergreen. You can optionally configure the OpenAthens service to send them back to your home page again after this; the setting can be found at under PreferencesDomainAfter sign out.

  • Unique identifier field - Controls which attribute of patron accounts is used as the unique identifier in OpenAthens. The supported values are 'id' and 'usrname', but you should leave this set to the default value of 'id' unless you have a reason to do otherwise. It is important that this attribute does not change during the lifetime of a patron account, otherwise they would lose any personalized settings they have saved on third-party resources. It is also important that you do not reuse old patron accounts for new users, otherwise a new user could see personalized settings saved by an old user.

  • Display name field - Controls which attribute of patron accounts is displayed in the OpenAthens portal at (This is where you can see which accounts have been used and what use patrons are making of third-party resources.) The supported values are 'id', 'usrname', and 'fullname'. Whichever you choose, OpenAthens will only use it within your portal view; it won’t be released to third-party resources.

  • Release X - One setting for each of the attributes that it is possible to release to OpenAthens. Depending on your user privacy policy, you can configure any of these attributes to be released to OpenAthens as part of the sign-on process. None are enabled by default. OpenAthens in turn doesn’t store or release any of these attributes to third-party resources, unless you configure that separately in the OpenAthens portal. You have to configure this in two stages. Firstly, mapping Evergreen attributes to OpenAthens attributes, and secondly, releasing OpenAthens attributes to third-party resources. See the OpenAthens documenation pages at and You will need to know the exact names of the attributes that are released. These are listed in the following table:

Setting Attribute released Description

Release prefix


the patron’s prefix, overriden by the preferred prefix if that is set

Release first name


the patron’s first name, overriden by the preferred first name if that is set

Release middle name


the patron’s middle name, overriden by the preferred middle name if that is set

Release surname


the patron’s last name, overriden by the preferred last name if that is set

Release suffix


the patron’s suffix, overriden by the preferred suffix if that is set

Release email


the patron’s email address

Release home library


the shortcode of the patron’s home library (e.g. 'BR1' in the Concerto sample data set)

Release barcode


the patron’s barcode

Click Save to finish creating the connection. (If you can’t see the connection you just created for a branch library, enable the "+ Descendants" option.)

The below screenshot is an example of what the form may look like once filled out.

OpenAthens Admin

Network access - server

As part of the sign-on process, Evergreen makes a connection to the OpenAthens service to transfer details of the user that is signing on. To avoid revealing the private API key and to avoid the risk of spoofing, this data does not go via the user’s browser. You need to open up port 443 outbound in your firewall, from your Evergreen server to

Network access - web client

If you restrict internet access for your web client machines, you need to open up port 443 outbound in your firewall, from your web clients to the following three domains:





To delegate OpenAthens configuration to other staff users, assign the ADMIN_OPENATHENS permission.