On this page we list the technical requirements that a service provider's SAML implementation must meet in order to connect to the SURFsecureID gateway.

Sending the Authentication Request

To initiate an authentication, the SP must send a SAML 2.0 AuthnRequest to the SingleSignOnService Location of the SURFsecureID gateway. This location can be found in the SAML 2.0 metadata for SURFsecureID (see Metadata for Service Providers).

  • The SP must send a SAML 2.0 AuthnRequest using the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding. Other bindings are not supported.
  • The AuthnRequest must be signed using signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. Other signature algorithms are not supported.
  • The AuthnRequest must not be encrypted.

 

 
