The SURFsecureID Production, Pilot and Test environments use different AuthnContextClassRef identifiers.


Production environment

On July 2nd 2020 the signing certificate of SURFsecureID production was replaced. For more information see SURFsecureID Key Rollover.

The metadata of the SURFsecureID production environment was moved to a new location. All metadata is now hosted on https://metadata.surfconext.nl.

Click here for the SAML 2.0 metadata for the Production environment.

Click here for the supported AuthenticationContextClassRef identifiers.

Most SAML 2.0 libraries are able to use these metadata. If not, use the information here:
EntityID https://sa-gw.surfconext.nl/authentication/metadata
Metadata https://metadata.surfconext.nl/surfsecureid-metadata.xml

signing certificate
SingleSignOnService Location https://sa-gw.surfconext.nl/authentication/single-sign-on
SingleSignOnService Binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

You can use Onegini for testing.

Second Factor Only (SFO) endpoint

For Second Factor Only (SFO) authentication you must use a different endpoint with different metadata.

Click here for the SAML 2.0 metadata for the SFO endpoint of the production environment.

Click here for the supported AuthenticationContextClassRef identifiers.

Most SAML 2.0 libraries are able to use these metadata. If not, use the information here:
EntityID https://sa-gw.surfconext.nl/second-factor-only/metadata
Metadata https://metadata.surfconext.nl/surfsecureid-sfo-metadata.xml

SingleSignOnService Location https://sa-gw.surfconext.nl/second-factor-only/single-sign-on
SingleSignOnService Binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
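
A check to run on a downloaded metadata file before configuring an SP by hand, as an added example that is not SURF's own code: it confirms the document describes the production endpoint you meant to use (regular authentication or SFO) and that its signing certificate matches a fingerprint you pinned. The function name, the constructed sample metadata and the sample pin are assumptions; the check assumes a single EntityDescriptor root and does not verify the XML signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BASE = "https://sa-gw.surfconext.nl/"  # production gateway, from this page

def check_idp_metadata(xml_text, endpoint, pinned_sha256):
    """Return the names of fields that do not match; [] means all match.

    endpoint is "authentication" or "second-factor-only" (hypothetical API).
    """
    if "<!DOCTYPE" in xml_text:  # SAML metadata never needs a DTD
        raise ValueError("DOCTYPE not allowed in metadata")
    root = ET.fromstring(xml_text)  # assumes one EntityDescriptor as root
    problems = []
    if root.get("entityID") != BASE + endpoint + "/metadata":
        problems.append("entityID")
    sso = {(e.get("Binding"), e.get("Location")) for e in
           root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    if (REDIRECT, BASE + endpoint + "/single-sign-on") not in sso:
        problems.append("SingleSignOnService")
    prints = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no "use" means any purpose
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.add(hashlib.sha256(der).hexdigest())
    if pinned_sha256.replace(":", "").lower() not in prints:
        problems.append("signing certificate")
    return problems

# Constructed sample: the bytes below stand in for a DER certificate.
SAMPLE_DER = b"constructed bytes, not a real certificate"
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{BASE}second-factor-only/metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="{BASE}second-factor-only/single-sign-on"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA, "second-factor-only", SAMPLE_PIN))
    print(check_idp_metadata(SAMPLE_METADATA, "authentication", SAMPLE_PIN))
```

Take the pinned fingerprint from a channel you trust rather than from the same download as the metadata.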

Metadata signing certificate

The SURFsecureID production metadata above is signed with a key that corresponds to the public key embedded in the following certificate. You can use this certificate to verify that the metadata you use from SURFsecureID is valid.

Pilot environment

Click here for the SAML 2.0 metadata for the Pilot environment.

Click here for the supported AuthenticationContextClassRef identifiers.

Most SAML 2.0 libraries are able to use these metadata. If not, use the information here:
EntityID https://gateway.pilot.stepup.surfconext.nl/authentication/metadata

signing certificate

(download certificate as PEM .crt file)

SingleSignOnService Location https://gateway.pilot.stepup.surfconext.nl/authentication/single-sign-on
SingleSignOnService Binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

Second Factor Only (SFO) endpoint

For second factor only authentication you must use a different endpoint with different metadata.

Click here for the SAML 2.0 metadata for the SFO endpoint of the Pilot environment.

Click here for the supported AuthenticationContextClassRef identifiers.

Most SAML 2.0 libraries are able to use these metadata. If not, use the information here:
EntityID https://gateway.pilot.stepup.surfconext.nl/second-factor-only/metadata

signing certificate

(download certificate as PEM .crt file)

SingleSignOnService Location https://gateway.pilot.stepup.surfconext.nl/second-factor-only/single-sign-on
SingleSignOnService Binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect


Test environment

On April 15th 2020 the signing certificate of SURFsecureID test will be replaced. For more information see SURFsecureID Key Rollover

The metadata of the SURFsecureID test environment was moved to a new location. All metadata is now hosted on https://metadata.test.surfconext.nl.

Click here for the SAML 2.0 metadata for the Test environment.

Click here for the supported AuthenticationContextClassRef identifiers.

Most SAML 2.0 libraries are able to use these metadata. If not, use the information here:
EntityID https://sa-gw.test.surfconext.nl/authentication/metadata
Metadata https://metadata.test.surfconext.nl/surfsecureid-metadata.xml

signing certificate

(Download certificate as PEM .crt file)

SingleSignOnService Location https://sa-gw.test.surfconext.nl/authentication/single-sign-on
SingleSignOnService Binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

You can use Onegini as an IdP for testing.

Second Factor Only (SFO) endpoint

For second factor only authentication you must use a different endpoint with different metadata.

Click here for the SAML 2.0 metadata for the SFO endpoint of the Test environment.

Click here for the supported AuthenticationContextClassRef identifiers.

Most SAML 2.0 libraries are able to use these metadata. If not, use the information here:
EntityID https://sa-gw.test.surfconext.nl/second-factor-only/metadata

signing certificate

(Download certificate as PEM .crt file)

SingleSignOnService Location https://sa-gw.test.surfconext.nl/second-factor-only/single-sign-on
SingleSignOnService Binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

You can use Onegini as an IdP for testing.

Metadata signing certificate

The SURFsecureID test metadata above is signed with a key that corresponds to the public key embedded in the following certificate. You can use this certificate to verify that the metadata you use from SURFsecureID is valid.


