The SURFsecureId Production and Test environments use different AuthnContextClassRef identifiers.

Production environment

Click here for the SAML 2.0 metadata for the Production environment.

Click here for the supported AuthenticationConextClassRef identifiers.

Most SAML 2.0 libraries are able to use these metadata. If not, use the information here

`EntityID`	`https://sa-gw.surfconext.nl/authentication/metadata`
`Metadata`	`https://metadata.surfconext.nl/surfsecureid-metadata.xml`
`signing certificate`	-----BEGIN CERTIFICATE----- MIIDsjCCAhoCCQDaq/SxtExjXTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBn YXRld2F5X3NhbWxfaWRwMB4XDTIwMDQwOTExNDE1NVoXDTI1MDQwODExNDE1NVow GzEZMBcGA1UEAwwQZ2F0ZXdheV9zYW1sX2lkcDCCAaIwDQYJKoZIhvcNAQEBBQAD ggGPADCCAYoCggGBAL7dfZ65PjUxW9yRXRoJ0PDiSh2J0WZ792krxj00jJkyB/eF PnVg5hTVbt85qDkkZuiK8Ym0Suzeo1PA46fRALhnajQ22GQzK1mybQIAXZbs739g 49QAnoKY+wQW205EPtuQ8Y7BqFg+fmXKKo4gTlpX3FP5PTp18no99kKcCbx8hq9E faBKdlPOGvFJUFnTalcSm3djHnmn+/KuIMXM4HEgQ6fgHlqsJPWAxBqKBWxvQdTd e56dr2T64qNyj7t3u54rTCaip6c3vyTB80w8CK9M5mTTqp/Z+kxqhb255UUpLW1h zySgPfzSE4jtr05olkW+d4oMONKqYxlouUPhoUN5YBL3a1H0c8ns+hg1x5hBB5tW QpwY34ZpH+43RflHXdJ6/MxCY7odMuvcua/4iTyRXPkPoGleqguHx9RVe/yFGa+N vTZIo4YBoOESgcDyjU+XrlkmWmyMpYkn6TPdYMKo/bMQkFAE48JhREdpvHWpIrT1 PfUiCy/SLWy0HN0wCQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBgQCPrFBvw53LMd5w 2VpdmZCJuHg09uIu5F3Cy8eGg+hTLtb2CC9f66Ue/CsH4qrBFGSuBWdSBWS3fzVw mPYbI882J7JtLXZCOyZFMVKaL2kk5D5pP8/NBCam9+cDnJ4zjYJJS3wcY2VMjH24 fNYu+Fix6p4mL8o8itTCqJhb4zz4Ft8GZigxD8DXB/jYUTHWtS5ubMs/mOwxuQ2U E7QFdeE064TqSPpRVI8PBPxetRy5n00/JGFNou/pivUTavRMA3LZpIkxzlcddzf2 zUSaWnAGf1JoPxRWjMq5F1C/hZvW7qDX0jrYK7UE3oXi4NHrER0EUFwCS0PrDQRd DEYs/kVZmPsMT9thR0l11B7xU8xFOaYYOdP1tCY2jqBruspx9ApnRI+es5j8Lr/q TbILTe3pVdNgWoNIeIBj2mINQQp0O0TqXSzbWO+nLJSkbZhPZAXyX9ZP00aU4Sbn kkGJ29xWeqSL+Jh+rUSyMFU16Ri7gHZce+3VgkgyzvSBQFjfG6U= -----END CERTIFICATE-----
`SingleSignOnService` `Location`	`https://sa-gw.surfconext.nl/authentication/single-sign-on`
`SingleSignOnService` `Binding`	`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`

You can use Onegini for testing.

Second Factor Only (SFO) endpoint

For Second Factor Only (SFO) authentication you must use a different endpoint with different metadata.

Click here for the SAML 2.0 metadata for the SFO endpoint of the production environment.

Click here for the supported AuthenticationConextClassRef identifiers.

Most SAML 2.0 libraries are able to use these metadata. If not, use the information here

`EntityID`	`https://sa-gw.surfconext.nl/second-factor-only/metadata`
`Metadata`	`https://metadata.surfconext.nl/surfsecureid-sfo-metadata.xml`
`signing certificate` (download certificate as PEM .crt file)	-----BEGIN CERTIFICATE----- MIIDsjCCAhoCCQDaq/SxtExjXTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBn YXRld2F5X3NhbWxfaWRwMB4XDTIwMDQwOTExNDE1NVoXDTI1MDQwODExNDE1NVow GzEZMBcGA1UEAwwQZ2F0ZXdheV9zYW1sX2lkcDCCAaIwDQYJKoZIhvcNAQEBBQAD ggGPADCCAYoCggGBAL7dfZ65PjUxW9yRXRoJ0PDiSh2J0WZ792krxj00jJkyB/eF PnVg5hTVbt85qDkkZuiK8Ym0Suzeo1PA46fRALhnajQ22GQzK1mybQIAXZbs739g 49QAnoKY+wQW205EPtuQ8Y7BqFg+fmXKKo4gTlpX3FP5PTp18no99kKcCbx8hq9E faBKdlPOGvFJUFnTalcSm3djHnmn+/KuIMXM4HEgQ6fgHlqsJPWAxBqKBWxvQdTd e56dr2T64qNyj7t3u54rTCaip6c3vyTB80w8CK9M5mTTqp/Z+kxqhb255UUpLW1h zySgPfzSE4jtr05olkW+d4oMONKqYxlouUPhoUN5YBL3a1H0c8ns+hg1x5hBB5tW QpwY34ZpH+43RflHXdJ6/MxCY7odMuvcua/4iTyRXPkPoGleqguHx9RVe/yFGa+N vTZIo4YBoOESgcDyjU+XrlkmWmyMpYkn6TPdYMKo/bMQkFAE48JhREdpvHWpIrT1 PfUiCy/SLWy0HN0wCQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBgQCPrFBvw53LMd5w 2VpdmZCJuHg09uIu5F3Cy8eGg+hTLtb2CC9f66Ue/CsH4qrBFGSuBWdSBWS3fzVw mPYbI882J7JtLXZCOyZFMVKaL2kk5D5pP8/NBCam9+cDnJ4zjYJJS3wcY2VMjH24 fNYu+Fix6p4mL8o8itTCqJhb4zz4Ft8GZigxD8DXB/jYUTHWtS5ubMs/mOwxuQ2U E7QFdeE064TqSPpRVI8PBPxetRy5n00/JGFNou/pivUTavRMA3LZpIkxzlcddzf2 zUSaWnAGf1JoPxRWjMq5F1C/hZvW7qDX0jrYK7UE3oXi4NHrER0EUFwCS0PrDQRd DEYs/kVZmPsMT9thR0l11B7xU8xFOaYYOdP1tCY2jqBruspx9ApnRI+es5j8Lr/q TbILTe3pVdNgWoNIeIBj2mINQQp0O0TqXSzbWO+nLJSkbZhPZAXyX9ZP00aU4Sbn kkGJ29xWeqSL+Jh+rUSyMFU16Ri7gHZce+3VgkgyzvSBQFjfG6U= -----END CERTIFICATE-----
`SingleSignOnService` `Location`	`https://sa-gw.surfconext.nl/second-factor-only/single-sign-on`
`SingleSignOnService` `Binding`	`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`

Metadata signing certificate

The metadata above of SURFSecureID production is signed with a key that corresponds to the public key embedded in the following certificate. You can use this certificate to verify that the metadata you use from SURFsecureID is valid.

SURFconext metadata signing certificate

Test environment

Click here for the SAML 2.0 metadata for the Test environment.

Click here for the supported AuthenticationConextClassRef identifiers.

Most SAML 2.0 libraries are able to use these metadata. If not, use the information here

`EntityID`	`https://sa-gw.test.surfconext.nl/authentication/metadata`
`Metadata`	`https://metadata.test.surfconext.nl/surfsecureid-metadata.xml`
`signing certificat` (Download certificate as PEM .crt file)	-----BEGIN CERTIFICATE----- MIIE8jCCA1qgAwIBAgIUD4MpAowfeNTa8dEJpJtl2r6PRDwwDQYJKoZIhvcNAQEL BQAwgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdV dHJlY2h0MRUwEwYDVQQKDAxTVVJGbmV0IEIuVi4xEzARBgNVBAsMClNVUkZjb25l eHQxKjAoBgNVBAMMIXNhLWd3LnRlc3Quc3VyZmNvbmV4dC5ubCAyMDIwMDIyODAe Fw0yMDAyMjgxMTU1NTVaFw0yNTAyMjgxMTU1NTVaMIGJMQswCQYDVQQGEwJOTDEQ MA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEVMBMGA1UECgwMU1VS Rm5ldCBCLlYuMRMwEQYDVQQLDApTVVJGY29uZXh0MSowKAYDVQQDDCFzYS1ndy50 ZXN0LnN1cmZjb25leHQubmwgMjAyMDAyMjgwggGiMA0GCSqGSIb3DQEBAQUAA4IB jwAwggGKAoIBgQC7tTZherxOI0uI9l4aDEdZHAZb2RwGehbfGyuTzzZqDqt42YC8 MkJIa/9e3HdJw/+x3Qb7xKpqpOcFcC5Divk8RQrzdKg8eP3LqR6+x73DiCAFbMmb O2bZMqBUggTh4vY4e+gnFchQInw9Jg5wbkt5XzxFSaujeK4n8za5qxIEk9C55D7t RjHFwkJZoWTBl2wprRdbwSjwg+Bg7MO6MPXcNF9GFJ6IGaAJ3s7qUKVpvqAK6UH3 0Mx37EhWpgKmyLf72B+U8BOGDX7X2NHnHPD5qZQJyhqDLbmcEsUCYn7WozoKCibI KQIEZAdUgb9TAbUO5c5eW+dSD61RRJ97Q4/DM9Bp+6Z+I/6h26i/h5MrSmrRNYDQ cmd8kkKGop/0a08IIcTVL56X2oIJckWX3GLZDmRpssp4vI4REEy55P8EoyD943ug Pn4s6p+88cS2cAlARjV0vehNNmPkTlly1UyZ0oY5ljyvy3aadMdE1aLbdRW4axEb O4iZ/+Ym/EnfTncCAwEAAaNQME4wHQYDVR0OBBYEFFvR/86aQkE4Icbcm9XAz6Pm bHVCMB8GA1UdIwQYMBaAFFvR/86aQkE4Icbcm9XAz6PmbHVCMAwGA1UdEwQFMAMB Af8wDQYJKoZIhvcNAQELBQADggGBAARz8fvcwPEIU0pYAkOCzHhJWDzPf1Q5EAaD Fs6I1Zi7D8DN14dVjyOed61IaFMnhrv8IP0TdRLx0dgrj52ywaaDgN2MhRUCG4vD M34tca5KCdRO8AtgAZWYs3Td2Kjg+mkXyGwWIacpFzzTImflWt+dwZI0+I+y4/4g TwvC6RSuLzo1vXmtOZMkH57uTxAYeGy12vtmggMi64MlMmm/cwrxVQpQ6CClVmWu nUGaWG1MVcBt9MINLmJrCicFtegtw3i+euRH8K5SjIj702ChF+mXRqUCk+8q2Tsb zo+1EjASZTxR9HlndjUzFhXadfUMD5ZldFsFEsfP7Nv57rCoS3WAcsGjXETsclZH H+vHg4wHOXnBUiVIHB22+xxGCCfl0X+WLnjonF50in/yfD7AZJbPIpbqLzuxdojd UAjXZnlW6ngnW58Qyj1IFvTW8kDmrBEPM1jc+KoPHg94lqrSF2CT6uU3gjQN+aPm /zBnSil4Dx2aub9LOcTC5on3519edw== -----END CERTIFICATE-----
`SingleSignOnService` `Location`	`https://sa-gw.test.surfconext.nl/authentication/single-sign-on`
`SingleSignOnService` `Binding`	`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`

You can use Onegini as an IdP for testing.

Second Factor Only (SFO) endpoint

For second factor only authentication you must use a different endpoint with different metadata.

Click here for the SAML 2.0 metadata for the SFO endpoint of the Test environment.

Click here for the supported AuthenticationConextClassRef identifiers.

Most SAML 2.0 libraries are able to use these metadata. If not, use the information here

`EntityID`	`https://sa-gw.test.surfconext.nl/second-factor-only/metadata`
`signing certificate` (Download certificate as PEM .crt file)	-----BEGIN CERTIFICATE----- MIIE8jCCA1qgAwIBAgIUD4MpAowfeNTa8dEJpJtl2r6PRDwwDQYJKoZIhvcNAQEL BQAwgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdV dHJlY2h0MRUwEwYDVQQKDAxTVVJGbmV0IEIuVi4xEzARBgNVBAsMClNVUkZjb25l eHQxKjAoBgNVBAMMIXNhLWd3LnRlc3Quc3VyZmNvbmV4dC5ubCAyMDIwMDIyODAe Fw0yMDAyMjgxMTU1NTVaFw0yNTAyMjgxMTU1NTVaMIGJMQswCQYDVQQGEwJOTDEQ MA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEVMBMGA1UECgwMU1VS Rm5ldCBCLlYuMRMwEQYDVQQLDApTVVJGY29uZXh0MSowKAYDVQQDDCFzYS1ndy50 ZXN0LnN1cmZjb25leHQubmwgMjAyMDAyMjgwggGiMA0GCSqGSIb3DQEBAQUAA4IB jwAwggGKAoIBgQC7tTZherxOI0uI9l4aDEdZHAZb2RwGehbfGyuTzzZqDqt42YC8 MkJIa/9e3HdJw/+x3Qb7xKpqpOcFcC5Divk8RQrzdKg8eP3LqR6+x73DiCAFbMmb O2bZMqBUggTh4vY4e+gnFchQInw9Jg5wbkt5XzxFSaujeK4n8za5qxIEk9C55D7t RjHFwkJZoWTBl2wprRdbwSjwg+Bg7MO6MPXcNF9GFJ6IGaAJ3s7qUKVpvqAK6UH3 0Mx37EhWpgKmyLf72B+U8BOGDX7X2NHnHPD5qZQJyhqDLbmcEsUCYn7WozoKCibI KQIEZAdUgb9TAbUO5c5eW+dSD61RRJ97Q4/DM9Bp+6Z+I/6h26i/h5MrSmrRNYDQ cmd8kkKGop/0a08IIcTVL56X2oIJckWX3GLZDmRpssp4vI4REEy55P8EoyD943ug Pn4s6p+88cS2cAlARjV0vehNNmPkTlly1UyZ0oY5ljyvy3aadMdE1aLbdRW4axEb O4iZ/+Ym/EnfTncCAwEAAaNQME4wHQYDVR0OBBYEFFvR/86aQkE4Icbcm9XAz6Pm bHVCMB8GA1UdIwQYMBaAFFvR/86aQkE4Icbcm9XAz6PmbHVCMAwGA1UdEwQFMAMB Af8wDQYJKoZIhvcNAQELBQADggGBAARz8fvcwPEIU0pYAkOCzHhJWDzPf1Q5EAaD Fs6I1Zi7D8DN14dVjyOed61IaFMnhrv8IP0TdRLx0dgrj52ywaaDgN2MhRUCG4vD M34tca5KCdRO8AtgAZWYs3Td2Kjg+mkXyGwWIacpFzzTImflWt+dwZI0+I+y4/4g TwvC6RSuLzo1vXmtOZMkH57uTxAYeGy12vtmggMi64MlMmm/cwrxVQpQ6CClVmWu nUGaWG1MVcBt9MINLmJrCicFtegtw3i+euRH8K5SjIj702ChF+mXRqUCk+8q2Tsb zo+1EjASZTxR9HlndjUzFhXadfUMD5ZldFsFEsfP7Nv57rCoS3WAcsGjXETsclZH H+vHg4wHOXnBUiVIHB22+xxGCCfl0X+WLnjonF50in/yfD7AZJbPIpbqLzuxdojd UAjXZnlW6ngnW58Qyj1IFvTW8kDmrBEPM1jc+KoPHg94lqrSF2CT6uU3gjQN+aPm /zBnSil4Dx2aub9LOcTC5on3519edw== -----END CERTIFICATE-----
`SingleSignOnService` `Location`	`https://sa-gw.test.surfconext.nl/second-factor-only/single-sign-on`
`SingleSignOnService` `Binding`	`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`

You can use eduID to test SPs.

Metadata signing certificate

The metadata above of SURFSecureID test is signed with a key that corresponds to the public key embedded in the following certificate. You can use this certificate to verify that the metadata you use from SURFsecureID is valid.

SURFconext TEST metadata signing certificate

Page tree

SURFsecureID Metadata for Service Providers

Production environment

Second Factor Only (SFO) endpoint

Metadata signing certificate

Test environment

Second Factor Only (SFO) endpoint

Metadata signing certificate