SURFconext, provided by SURFnet, is a federated identity management service for secondary vocational education, higher education and research in the Netherlands. With SURFconext, users can authenticate to services using their institutional account.
Advantages of SURFconext for Service Providers:
- Connecting once makes your service available to all connected institutions.
- Fast and easy access for more than 1 million users.
- Certainty about the identity of users.
- Less user administration.
- A single point of contact with one connection.
- A long-time trusted partner of education and research institutions.
- Double security through SURFsecureID.
- A single link provides strong authentication for all institutions. As an extra advantage, authentication tools are issued by the institutions locally.
- You will have tools at your disposal, such as the Service Provider Dashboard, to test your service instantly on our test environment, using test IdPs with fictional users.
SURFconext also facilitates the exchange of group information. Pre-defined groups like student teams working on a specific course or ad-hoc collaborations can be defined in SURFconext Teams. Services can use these to facilitate collaboration for groups.
Connecting to SURFconext is free of charge.
The underlying pages are meant for Service Providers and describe the aspects of connecting your service to SURFconext.
From a technical point of view, the following is covered:
- This schematic overview shows the authentication flows of SURFconext.
- Find out more about the authentication flows of both SAML and OpenID Connect.
- How to connect your service to SURFconext. Here you will learn all you need to know from signing a contract to setting up your first SAML enabled service.
- Get to know our tools to manage your services with ease, such as our SP Dashboard. You will be able to manage and view all your instances in one easy-to-use place, test those instances with our test IdPs, and debug your instance using only your browser.
- Make use of our different environments: Test and Production.
- If you don't have a contract yet but you can't wait to get going, start connecting your service to our test environment, for which you do not need a contract.
- Once connected, you can explore additional features.
- SURFconext uses standards to make single sign-on possible. You can choose between SAML and OpenID Connect. The basics of SAML are explained and you will find technical details of SAML authentication requests, responses and assertions. If you are going to use OpenID Connect, read about the OpenID Connect basics and the OpenID Connect authentication flow.
- Attributes can supply your service with the user information it requires to work. What attributes are, which ones are available in SURFconext, and examples of how to use them are described here.
- More than one institution can connect to your service through SURFconext. Institutions are also known as Identity Providers. The Where-Are-You-From (WAYF) selection page helps you with this. When a user logs in to your service, the user will see a list of all institutions connected to your service. If the user has an account with a connected institution, the user simply selects the institution and connects to your service with a single click. The preferred way is to let SURFconext show this page, but you can also make your own.
How to get your service working with guest accounts and advanced user management, such as group memberships, is described here:
- How to create guest accounts for users from outside SURFnet.
- VOOT is a service allowing you to retrieve information about users, groups and memberships of groups. As you will be shown, this can make working with groups and giving rights and permissions much easier.
Besides the technical part, you will also need to go through the formal part as shown on these pages:
- A contract needs to be signed before users can make use of your service. You can read more about that in the 'contractual part.'
- How to create interest for your service and deliver us the correct details of your service.
- How Identity Providers can connect to your service.
- When and via which channels we communicate with connected Service Providers.
If you still haven't found what you were looking for, have a look at our Frequently asked questions.