SURFconext supports OpenID Connect (OIDC) for Service Providers or Relying Party (RP) in OIDC terminology:
- For OIDC, more standard implementations are available that can easily be integrated into an (existing) application; connecting to SURFconext therefore is easier as with SAML.
- OIDC is a RESTful API-like service; it is less complex than SAML.
- In mobile apps OIDC is the defacto standard.
Note that OIDC is not yet supported for interfederation via eduGAIN. If you intend to enable your Service Provider for that, use SAML. SURFconext connects the SP and the IdP based on specific rules and does not authenticate users: this is done by the connected Identity Providers. The basic authentication flow in OpenID Connect is depicted below:
We strongly advise you not to build your own OpenID Connect implementation, but use one of the products off the shelf. The official OpenID website provides an overview of certified implementations.
This section contains technical background information for OpenID Connect. The basics of OpenID Connect are explained and you can also read about the components that are part of the protocol as used in SURFconext.
More information: http://openid.net/connect/
Learn more on using OpenID Connect with SURFconext:
- OpenID Connect features
- Resource server / API security
- Redirect URLs
- Refresh Tokens - What are they and when to use them