Skip to end of metadata
Go to start of metadata

We assume you've read Connecting services to the SCZ-environment before reading the info below.

Setting up SAML

When you provide a service that users can access via a web browser, you can connect it using the SAML-protocol or OpenID Connect. On this page we share the recipe to connect such a service using SAML:

  • When opting for SAML, we recommend using the native SAML capabilities of the application. You configure the SCZ proxy metadata as IdP and send us your SP metadata either as URL or attachment via mail.
  • If this is not possible, the application should be configured to consume environment variable REMOTE_USER as authenticated user. It is then the responsibility of the webserver or application server to take care of authentication and set the REMOTE_USER accordingly. For apache webserver, two modules can be used: mod_mellon and shibboleth of which the first is relatively easier to implement and configure. It is possible to hand over more attributes using environment variables, but depends on the application and server of choice. For Shibboleth, the European AARC project has a training.
  • As a last resort, any PHP based application can be modified to rely on authentication by SimpleSAMLphp library. If your application is not PHP based, there may be other libraries available for your environment of choice, but access to source code is required or at least a well defined authentication API.


After setting up your environment, you need to configure your software using the IdP metadata of the SCZ platform and supply the SCZ team with the metadata of your SP.

The SAML metadata of the SCZ is located at

The SAML metadata of your service ( either as URL or xml file) should be sent by email to, specifying what service you want to connect to the SCZ environment. 

Depending on other priorities, we will import your meta data as soon as possible, but within 5 working days.

Getting user information

Once the metadata has been exchanged, you should be able to authenticate via de SCZ.  However, the only information about a user you will receive is a unique identifier.

To get more information about a user (name, email, etc), the service should be added to a collaboration.  In order to do this, log in to COmanage and select your collaboration.  If you don't have a collaboration set up yet, please contact

In you collaboration, go to Configuration/Services and add a new service.  The information entered here is mainly for display purposes to the use of your collaboration, except for the parameter Service Label, which should contain the literal identityid of your service.

Once you have added this service, you need to manually reprovision your users.  This is an unfortunate problem with COmanage, which we will address soon.  Go to Settings/Provisioning targets.  Find the ZoneProvisioner target in the list and press its "Reprovision all" button.

Once this is done, users who are a member of your collaboration are able to log in to the service with a full attribute set.

More info

Since the SCZ environment is actively being worked on, this documentation might not be totally accurate at the time you read this. If you run into difficulties or have any other questions, please email . 

  • No labels