When you connect to SURFconext you will have to make sure your service supports one of the open standards our platform supports for authentication. The following two protocols are available for use with SURFconext:

  • SAML 2.0
  • OpenID Connect

You must consider what to use. SAML and OpenID Connect are both open web standards for identity online. Which one you choose depends on what your platform supports and the application you will build. In SAML, the user is redirected from the Service Provider (SP) to the Identity Provider (IdP) through SURFconext for sign in. In OpenID Connect, the user is redirected from the Relying Party (RP) and our OpenID Connect Gateway to the Identity Provider for sign in. Take note that the SAML SP is always a website. The OpenID Connect RP is either a web or mobile application, and is frequently called the 'client' because it extends an OAuth 2.0 client. If you build a mobile app, you will most likely use OpenID Connect. OpenID Connect is a 'profile' of OAuth 2.0 specifically designed for attribute release and authentication. Whatever you use, with SURFconext the IdP controls the login to avoid exposing secrets like passwords to the website or app.

There are lots of ready-to-use plugins and libraries available. Don't try to build your own implementation; use what is available and thoroughly tested. If you don't know which to choose and either would work, take the characteristics below into account to help you decide:

SAML:

  • Most mature choice
  • Supports eduGAIN and other federations

OpenID Connect:

  • Modern protocol with broad library support
  • Easier to implement but less feature-rich
  • Recommended choice for use with mobile apps


When you decide to go for SAML, have a look at our page that depicts the preparation with SAML 2.0.

OpenID Connect

When opting for OpenID Connect, you can continue on our page that depicts the preparation with OpenID Connect.

Mobile use (OpenID Connect)

When you build a mobile app you should use OpenID Connect. We have some guidelines that will help you connect to SURFconext.

Back to start

Return to our step-by-step guide to continue connecting your service.

