SURFconext, provided by SURFnet, is a federated identity management service for secondary vocational education, higher education and research in the Netherlands. With SURFconext, users authenticate only once, at their own institution. After that they have access to all services connected to SURFconext.
Advantages of SURFconext:
- Connecting once to the platform makes your service available to all connected institutions (connected IdPs).
- Fast and easy access for more than 1 million users.
- Certainty about identity of users.
- Less user administration.
- A single point of contact with one connection.
- A long-time trusted partner of education and research institutions.
- Double security through SURFsecureID.
- A single link provides strong authentication for all institutions. As an extra advantage, authentication tools are issued by the institutions locally.
SURFconext also facilitates the exchange of group information. Pre-defined groups (e.g. student teams working on a specific course) or ad-hoc collaborations can be defined in SURFconext Teams, from which services can use them to facilitate collaboration for these groups.
This manual is meant for Service Providers and describes:
- A schematic overview and the authentication flows of SURFconext.
- The different environments of SURFconext (test, staging, production).
- How to connect your service to SURFconext.
- The contractual part.
- What attributes are available within SURFconext.
- How to create interest for your service and deliver us the correct details of your service.
- How Identity Providers can connect to your service.
- How to create guest accounts for users from outside SURFnet.
- The Where-Are-You-From (WAYF) selection page. When a user logs in to your service, he will see a list of all institutions connected to your service, from which he can choose. By default SURFconext provides this page, but you can also build your own.
- VOOT, the service allowing you to retrieve information about users, groups and memberships of groups. As you will discover, this can make working with groups (giving rights and permissions) much easier.
- SURFconext uses standards to make single sign-on possible. Service Providers can choose between SAML and OpenID Connect. The basics of SAML are explained, and you will also find all technical details of SAML authentication requests, responses and assertions. If you wish to use OpenID Connect, refer to the OpenID Connect basics and the OpenID Connect authentication flow.
- When and via which channels we communicate with connected Service Providers.
- Answers to Frequently Asked Questions.
In the rest of this introduction you will find:
- A schematic overview of the relation between Service Providers, Identity Providers and SURFconext.
- An explanation in steps of the authentication flow.
Connecting to SURFconext is free of charge.
- Schematic overview
- Authentication flows
- How to connect your service
- Additional features
- SAML reference
- OpenID Connect reference
- Contact information
- SURFconext mailings (SP)
- SHA-256 migration