Version 1.1 (20 February 2019)
SURFnet operates a hub-and-spoke identity federation (SURFconext) on behalf of educational and research institutions in the Netherlands.
This document describes the Registration practices for both Identity Providers and Service Providers, as well as information on metadata aggregation for EduGAIN.
1. Identity Provider Practices
1.1 Identity Provider Registration Practices
Only institutions that belong to the SURFnet target group may join SURFnet and thus join SURFconext. The SURFnet target group consists of:
- Research universities
- University hospitals and tertiary medical teaching hospitals (STZs)
- Hogescholen (i.e. “universities of applied sciences”)
- Research institutes and comparable institutions
- Company R&D departments
- Other institutions financed by the Dutch Ministry of Education, Culture and Science.
For an Identity Provider to join the SURFconext, the following requirements must be met:
- The institution must have signed the SURFconext Identity Provider contract.
- The institution must have passed technical validation to the SURFconext test environment.
- The institution must provide technical and administrative contact information.
SURFnet operates an opt-in model for institutions, where the institution must agree explicitly to be connected to a specific Service Provider and to release attributes to this specific Service Provider.
1.2 Identity Provider Registration Practices for eduGAIN
There are no additional eduGAIN practices for Identity Providers.
2 Service Provider Practices
2.1 Service Provider Registration Practices
For a Service Provider to join the SURFconext, the following requirements must be met:
- The Service Providers must have signed the SURFconext Service Provider contract.
- The Service Provider must provide SURFconext with a description of the service.
- The Service Provider must provide SURFconext with a description of the technical and administrative contact details.
- The Service Provider must provide SURFconext with the list of minimally required attributes for using the service.
2.2 Service Provider Registration Practices for eduGAIN
The practices below are in addition to the “Service Provider Registration Practices” above.
- SURFnet will only publish metadata to eduGAIN for Service Providers that are connected to the SURFconext production environment.
- The Service Provider must explicitly request to connect to eduGAIN through SURFconext.
- The Service Provider must provide eduGAIN compliant SAML 2.0 metadata to SURFconext.
- The metadata provided by the Service Provider that is re-published by SURFconext to eduGAIN is updated by the SURFconext operational team by request of the Service Provider. Service Providers can request an update of their metadata by contacting the SURFconext operational team at email@example.com.
SURFnet validates the Service Provider information including the attribute requirements, before accepting the Service Provider to the production environment.
3. SURFnet Metadata Aggregate for eduGAIN
SURFnet maintains an aggregate of all metadata it exposes to eduGAIN on the following location:
The metadata document signature can be validated using the following X.509 certificate: