SURFconext, provided by SURFnet, is a federated identity management service for secondary vocational-, higher education and research in the Netherlands. With SURFconext, users can authenticate at services using their institutional account.
Advantages of SURFconext for Service Providers:
- Connecting once to the platform makes your service available to all connected institutions (connected IdP's).
- Fast and easy access for more than 1 million users.
- Certainty about identity of users.
- Less user administration.
- A single point of contact with one connection.
- A long-time trusted partner of education and research institutions.
- Double security through SURFsecureID.
- A single link provides strong authentication for all institutions. As an extra advantage, authentication tools are issued by the institutions locally.
SURFconext also facilitates the exchange of group information. Pre-defined groups (e.g. student teams working on a specific course) or ad-hoc collaborations can be defined in SURFconext Teams, from which services can use them to facilitate collaboration for these groups.
Connecting to SURFconext is free of charge.
This manual is meant for Service Providers and describes the aspects of connecting your service to SURFconext.
From a technical point of view, the following is depicted:
- How to connect your service to SURFconext, both formally and technically.
- This Schematic overview gives an overview of the Authentication flows of SURFconext.
- The use of different the environments of SURFconext (test and production).
- If you don't have a contract but you can't wait to get going, start connecting your service to our test environment for which you do not need a contract.
- Attributes can supply your service with the required user info to make your service work. What attributes are, which are available in SURFconext and examples how to make use of them is described here.
- More than one institution also known as identity providers can connect to your service through SURFconext. The Where-Are-You-From (WAYF) selection page helps you with this. When a user logs in to your service, the user will see a list of all institutions connected to your service. If the user has an account with a connected institution, the user simply selects the institution and connects to your service with a single click. The preferred way is to let SURFconext show this page, but you can also make your own.
- SURFconext uses standards to make single sign on possible. Service Providers can choose between SAML and OpenID Connect. The basics of SAML are explained and you will also find also all technical details of SAML authentication requests, responses and assertions. If you wish to use OpenID Connect, refer to the OpenID Connect basics and the OpenID connect authentication flow.
Getting your service to work with guest accounts and the advanced user management such as group memberships can be found here:
- How to create guest accounts for users from outside SURFnet.
- VOOT is a service allowing you to retrieve information about users, groups and memberships of groups. As you will be shown, this can make working with groups and giving rights and permissions much easier.
Besides the technical part, you will also need to go through the formal part as shown on these pages:
- A contract needs to be signed before users can make use of your service. You can read more about that in the 'contractual part.'
- How to create interest for your service and deliver us the correct details of your service.
- How Identity Providers can connect to your service.
- When and via which channels we communicate with connected Service Providers
If you still haven't found what you were looking for, have a look at our Frequently asked questions.
In the rest of this introduction you will find:
- A schematic overview of the relation between Service Providers, Identity Providers and SURFconext.
- An explanation in steps of the authentication flow.
- Schematic overview
- Authentication flows
- How to connect your service
- Additional features
- SAML reference
- OpenID Connect reference
- Contact information
- SURFconext mailings (SP)
- SHA-256 migration