On this page we provide a list of the technical requirements that a service provider's SAML implementation must meet in order to connect to the SURFsecureID gateway.
Sending the Authentication Request
To initiate an authentication, the SP must send a SAML 2.0 AuthnRequest to the SingleSignOnService Location of the SURFsecureID gateway. This location can be found in the SAML 2.0 metadata for SURFsecureID (see Metadata for Service Providers).
- The SP must send a SAML 2.0 AuthnRequest using the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding. Other bindings are not supported.
- The AuthnRequest must be signed using signature algorithm
. Other signature algorithms are not supported.
- The AuthnRequest must not be encrypted.
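
A pre-flight check for the requirements above, as an added example (not SURFsecureID's own code): it inspects the redirect URL an SP is about to send. With the HTTP-Redirect binding the signature travels in the `SigAlg` and `Signature` query parameters, so the check looks there. `SSO` and `SIGALG` are constructed placeholders; take the real values from the SURFsecureID metadata and documentation. The check confirms the signature parameters are present, not that the signature verifies.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XMLENC = "http://www.w3.org/2001/04/xmlenc#"
MAX_XML = 64 * 1024  # assumed upper bound for an inflated AuthnRequest
SSO = "https://gateway.example.org/sso"  # placeholder, not the real gateway URL
SIGALG = "urn:example:required-sigalg"   # placeholder for the required algorithm


def check_redirect_url(url, sso_location, required_sigalg):
    """Return a list of problems in an outgoing HTTP-Redirect AuthnRequest URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    problems = []
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != sso_location:
        problems.append("wrong SingleSignOnService Location")
    # HTTP-Redirect carries the signature in the query string, not in the XML.
    if len(query.get("Signature", [])) != 1:
        problems.append("Signature parameter missing")
    if query.get("SigAlg") != [required_sigalg]:
        problems.append("unsupported or missing SigAlg")
    if len(query.get("SAMLRequest", [])) != 1:
        return problems + ["SAMLRequest parameter missing"]
    try:
        raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
        inflater = zlib.decompressobj(-15)  # raw DEFLATE, as the binding requires
        xml = inflater.decompress(raw, MAX_XML)
        if inflater.unconsumed_tail:
            return problems + ["inflated request exceeds size limit"]
        root = ET.fromstring(xml)
    except (ValueError, zlib.error, ET.ParseError):
        return problems + ["SAMLRequest is not base64(deflate(XML))"]
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        problems.append("root element is not samlp:AuthnRequest")
    if any(el.tag.startswith(f"{{{XMLENC}}}") for el in root.iter()):
        problems.append("request contains encrypted content")
    return problems


def build_sample_url(sso_location, xml, sigalg):
    """Constructed sample only: encodes the XML, the signature is a dummy value."""
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "SigAlg": sigalg,
              "Signature": base64.b64encode(b"constructed-dummy").decode()}
    return sso_location + "?" + urlencode(params)
```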