Version 1.2 (16 June 2023)
SURF operates a hub-and-spoke identity federation (SURFconext) on behalf of educational and research institutions in the Netherlands.
This document describes the registration practices for both Identity Providers and Service Providers, as well as information on metadata aggregation for eduGAIN.
1. Identity Provider Practices
1.1 Identity Provider Registration Practices
Only institutions that belong to the SURF target group may join SURF and thus join SURFconext. The SURF target group consists of:
- Research universities
- University hospitals and tertiary medical teaching hospitals (STZs)
- Hogescholen (i.e. “universities of applied sciences”)
- MBO schools (i.e. “senior secondary vocational education institutions”)
- Research institutes and comparable institutions
- Other institutions financed by the Dutch Ministry of Education, Culture and Science.
For an Identity Provider to join SURFconext, the following requirements must be met:
- The institution must have signed the SURFconext Identity Provider contract.
- The institution must have passed technical validation in the SURFconext test environment.
- The institution must provide technical and administrative contact information.
SURFconext operates an opt-in model for institutions, where the institution must agree explicitly to be connected to a specific Service Provider and to release attributes to this specific Service Provider.
1.2 Identity Provider Registration Practices for eduGAIN
There are no additional eduGAIN practices for Identity Providers.
2. Service Provider Practices
2.1 Service Provider Registration Practices
For a Service Provider to join SURFconext, the following requirements must be met:
- The Service Provider must have signed the SURFconext Service Provider contract.
- The Service Provider must provide SURFconext with a description of the service.
- The Service Provider must provide SURFconext with technical and administrative contact details.
- The Service Provider must provide SURFconext with the list of minimally required attributes for using the service.
2.2 Service Provider Registration Practices for eduGAIN
The practices below are in addition to the “Service Provider Registration Practices” above.
- SURFconext will only publish metadata to eduGAIN for Service Providers that are connected to the SURFconext production environment.
- The Service Provider must explicitly request to connect to eduGAIN through SURFconext.
- The Service Provider must provide eduGAIN compliant SAML 2.0 metadata to SURFconext.
- Updates to Service Provider metadata that SURFconext re-publishes to eduGAIN are reviewed by the SURFconext operational team at least every working day and published after approval.
SURFconext validates the Service Provider information, including the attribute requirements, before accepting the Service Provider into the production environment.
3. SURFconext Metadata Aggregate for eduGAIN
SURFconext maintains an aggregate of all metadata it exposes to eduGAIN at the following location:
The metadata document signature can be validated using the following X.509 certificate: