If you are a non-Dutch Identity Provider, and you would like to access a Dutch Service Provider (through eduGAIN), please read on.

Federation architecture

SURFconext is a hub-and-spoke federation, which means all Identity Providers are only connected to a single Service Provider (namely: SURFconext) and all Service Providers are connected to a single Identity Provider (namely: SURFconext). However, an exception is made for Service Providers who offer their service through eduGAIN. Those entities must support mesh architecture. So if you are an Identity Provider from another federation and you would like to connect to a Service Provider from SURFconext, this happens outside of the hub. Instead, you connect to the Service Provider directly, which is normal in a mesh federation and most likely business as usual for you.

The following image describes how connecting entities within SURFconext and eduGAIN works (please click the image to see a larger version):

Common attributes in SURFconext

Service Providers in SURFconext often use these attributes:

  • urn:mace:terena.org:attribute-def:schacHomeOrganization
  • urn:mace:dir:attribute-def:eduPersonPrincipalName
  • urn:mace:dir:attribute-def:eduPersonTargetedID
  • urn:mace:dir:attribute-def:displayName
  • urn:mace:dir:attribute-def:mail

So make sure your Identity Provider is configured to release these attributes. For more info, please look at our detailed attributes page.


All Service Providers connected to SURFconext have signed agreements that are as strict as the Code of Conduct.

  • No labels