Introduction

Since the start of 2020, SURFconext can use SURFsecureID for two-factor authentication natively, without requiring SPs to connect to the SURFsecureID gateway directly. For SPs that currently authenticate against the SURFsecureID gateway directly (endpoint sa-gw.surfconext.nl) we recommend switching to SURFconext (endpoint engine.surfconext.nl or connect.surfconext.nl) for authentication. Using SURFconext directly has several advantages for an SP:

  • You can manage your SP connection using the SURFconext SP dashboard. Institutions can see all relevant SURFsecureID settings of your service in the IdP Dashboard.
  • A wider range of authentication options is available. More SAML options are supported and authentication using OpenID Connect is available as well.
  • We will be adding new authentication features to SURFconext only.

The difference between the two authentication options is illustrated here.

We will no longer make changes to SPs connected to SURFsecureID, nor add new service providers to it. When changes are required, we will migrate the service to SURFconext.

The SURFsecureID SAML signing key will expire in 2025, and SPs connected to it will not have the option of a gradual key rollover as is possible with SURFconext.

Differences between SURFconext and SURFsecureID

SURFconext offers all two-factor authentication features that SURFsecureID offers, and on top of that supports a wider range of authentication options.

  • If you dynamically ask for a Level of Assurance in your authentication request, the same feature is available on the SURFconext endpoint. SURFconext does not require the AuthnRequest to be signed (but it may be if you so desire).
  • If you have a statically configured Level of Assurance on the side of SURFsecureID, we can make the same configuration for your SP in SURFconext.

Migration

Migrate your service to SURFconext, and enable SURFsecureID there. The difference is illustrated here.

The process consists of the following steps:

Step 0 – Connect your test environment

If you do not already have a connection to the SURFconext Test environment, you may want to make such a connection now so you can test the changes in your SAML configuration first. Contact support@surfconext.nl to register a service on the Test environment of SURFconext.

Step 1 – Contact SURFconext support

Contact support@surfconext.nl and inform them you want to migrate your service from SURFsecureID to SURFconext. Provide the EntityID of the service(s) in question.

SURF will make the necessary changes in SURFconext and SURFsecureID to allow you to do a seamless migration of your SP from SURFsecureID to SURFconext at a time that suits you.

Step 2 – Change the SAML configuration of your SP

Update the SAML configuration of your SP to use SURFconext as IdP instead of SURFsecureID.

Preferably, you configure SURFconext as your Identity Provider automatically by using the SAML 2.0 metadata file at https://metadata.surfconext.nl/idp-metadata.xml. The metadata for the test environment can be found at https://metadata.test.surfconext.nl/idp-metadata.xml. How you enter the metadata into your software depends on the software used; generally you either import the metadata file or place it in a specific location.

If your software cannot process the metadata file automatically, you must configure the necessary information manually:

Step 3 – Inform us when you are done

Once you are done and your service authenticates directly against SURFconext, let us know so that we can clean up the configuration in the SURFsecureID gateway.