SURFconext, provided by SURF, is a federated identity management service for secondary vocational education, higher education and research in the Netherlands. With SURFconext, users can authenticate to services using their institutional account.
Advantages of SURFconext for Service Providers:
- Connecting once makes your service available to all connected institutions.
- Fast and easy access for more than 1 million users.
- Certainty about the identity of users.
- Less user administration.
- A single point of contact with one connection.
- A long-time trusted partner of education and research institutions.
- Connecting is easy.
- Double security through SURFsecureID.
- A single link provides strong authentication for all institutions. As an extra advantage, authentication tools are issued by the institutions locally.
- You will have tools at your disposal, such as the Service Provider Dashboard, to instantly test your service on our test environment using test IdPs with fictional users.
SURFconext also facilitates the exchange of group information. Pre-defined groups like student teams working on a specific course or ad-hoc collaborations can be defined in SURFconext Teams. Services can use these to facilitate collaboration for groups.
Connecting to SURFconext is free of charge.
Connect with ease
We have a step-by-step guide to get you started. Read it to give yourself a head start. In any case, if you want to connect, get in touch with us so we can plan an intake and get to know each other.
Connecting to SURFconext is not complicated, but you do need to prepare yourself. All the necessary information is at your disposal in the links below.
There are several aspects to go through when connecting to SURFconext. From a technical point of view, read the following:
- This schematic overview shows how Single Sign-On (SSO) with SURFconext benefits your service.
- SURFconext uses the SAML and OpenID Connect standards to make single sign-on easy. The basics of SAML are explained, and you will find technical details of SAML authentication requests, responses and assertions. If you are going to use OpenID Connect, read about the OpenID Connect basics.
- Find out more about the authentication flows of both SAML and OpenID Connect.
- How to connect your service to SURFconext. Here you will learn all you need to know from acquiring a contract to setting up your first service with SURFconext.
- Get to know our tools to manage your services with ease, such as our SP Dashboard. You will be able to manage and view all your instances in one easy-to-use place, test those instances with our test IdPs, and debug your instance using only your browser.
- If you don't have a contract yet but you can't wait to get going, start connecting your service to our test environment, for which you do not need a contract.
- Once connected, you can explore additional features.
- Attributes can supply your service with the user information it requires to work. What attributes are, which ones are available in SURFconext, and examples of how to use them are described here.
- More than one institution can connect to your service through SURFconext; institutions are also known as identity providers. The Where-Are-You-From (WAYF) selection page helps you with this. When a user logs in to your service, the user will see a list of all institutions connected to your service. If the user has an account with a connected institution, the user simply selects the institution and connects to your service with a single click. The preferred way is to let SURFconext show this page, but you can also make your own.
Information on getting your service to work with guest accounts and advanced user management, such as group memberships, can be found here:
- How to create guest accounts for users from outside SURF.
- VOOT is a service that allows you to retrieve information about users, groups and group memberships. As these pages show, this can make working with groups and assigning rights and permissions much easier.
Besides the technical part, you will also need to go through the formal part as shown on these pages:
- A contract needs to be signed before users can make use of your service. You can read more about that in the 'contractual part.'
- How to create interest for your service and deliver us the correct details of your service.
- How Identity Providers can connect to your service.
- When and via which channels we communicate with connected Service Providers.