On this page we provide a list of the technical requirements that a service provider's SAML implementation must meet in order to connect to the SURFsecureID gateway.
Sending the Authentication Request
To initiate an authentication, the SP must send a SAML 2.0 AuthnRequest to the SingleSignOnService Location of the SURFsecureID gateway. This location can be found in the SAML 2.0 metadata for SURFsecureID (see Metadata for Service Providers).
- The SP must send a SAML 2.0 AuthnRequest using the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding. Other bindings are not supported.
- The AuthnRequest must be signed using signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. Other signature algorithms are not supported.
- The AuthnRequest must not be encrypted.
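
A pre-flight check an SP team can run on the redirect URL its own software produces, covering the three requirements above. This is an added example, not SURF's code. The function names, the endpoint gateway.example.org and the signature value are constructed placeholders, and the check only confirms that the Signature query parameter is present (in the HTTP-Redirect binding the signature travels in the query string); it does not verify it cryptographically.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XENC = "http://www.w3.org/2001/04/xmlenc#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def encode_redirect(xml):
    """HTTP-Redirect message encoding: raw DEFLATE, then base64."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def check_redirect_url(url):
    """Return a list of requirement violations; an empty list means the URL passes."""
    # Meant for URLs generated by your own SP; ElementTree is not hardened for hostile XML.
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "SAMLRequest" not in q:
        return ["no SAMLRequest query parameter (HTTP-Redirect binding required)"]
    problems = []
    if q.get("SigAlg", [""])[0] != RSA_SHA256:
        problems.append("SigAlg is not rsa-sha256")
    if not q.get("Signature", [""])[0]:
        problems.append("Signature parameter missing: request is unsigned")
    try:
        raw = zlib.decompress(base64.b64decode(q["SAMLRequest"][0], validate=True), wbits=-15)
        root = ET.fromstring(raw)
    except (ValueError, zlib.error, ET.ParseError):
        return problems + ["SAMLRequest is not DEFLATE+base64 encoded XML"]
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        problems.append("root element is not samlp:AuthnRequest")
    if any(el.tag.startswith(f"{{{XENC}}}") for el in root.iter()):
        problems.append("request contains XML Encryption elements")
    return problems

# Constructed sample: placeholder ID, endpoint and signature bytes (not a real signature).
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://gateway.example.org/sso"/>')

def sample_url(sig_alg=RSA_SHA256, signature="Y29uc3RydWN0ZWQ="):
    """Build a constructed redirect URL so the checker can be exercised offline."""
    qs = f"SAMLRequest={quote(encode_redirect(SAMPLE_XML), safe='')}&SigAlg={quote(sig_alg, safe='')}"
    if signature:
        qs += f"&Signature={quote(signature, safe='')}"
    return "https://gateway.example.org/sso?" + qs
```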