When you connect to SURFconext you will have to make sure your service supports one of the open standards our platform supports for authentication. The following two protocols are available for use with SURFconext:
- SAML 2.0
- OpenID Connect
You must consider which one to use. SAML and OpenID Connect are both open web standards for identity online. Which one you choose depends on what your platform supports and on the application you are building. In SAML, the user is redirected from the Service Provider (SP) through SURFconext to the Identity Provider (IdP) to sign in. In OpenID Connect, the user is redirected from the Relying Party (RP) via our OpenID Connect Gateway to the Identity Provider to sign in. Take note that the SAML SP is always a website. The OpenID Connect RP is either a web or mobile application, and is frequently called the 'client' because it is an OAuth 2.0 client. If you build a mobile app, you will most likely use OpenID Connect. OpenID Connect is a 'profile' of OAuth 2.0 specifically designed for authentication and attribute release. Either way, the IdP handles the login itself, so secrets like passwords are never exposed to the website or app.
There are lots of ready-to-use plugins and libraries available. Please don't try to build your own implementation; use what is already available and thoroughly tested. If you don't know what to do and you could go either way, take the characteristics below into account to help you decide:
| Protocol | Characteristics |
|---|---|
| SAML | Most mature choice. Supports eduGAIN and other federations. |
| OpenID Connect | Modern protocol with broad library support. Easier to implement but less feature rich. Recommended choice for use with mobile apps. |
SURFsecureID for OpenID Connect is currently in development. We do not have a release date for this yet.
When you decide to go for SAML, have a look at our page that describes the preparation with SAML 2.0.
When opting for OpenID Connect, you can continue on our page that describes the preparation with OpenID Connect.
Mobile use (OpenID Connect)
When you build a mobile app you should use OpenID Connect. We have some guidelines that will help you connect to SURFconext.
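To make the redirect flow described above concrete for a mobile (public) client, here is an added example, not SURFconext code, of the three RP-side steps a good OpenID Connect library performs for you: building the authentication request, checking the returned state, and checking the ID token claims after signature verification. The issuer URL, the `/authorize` path, the client id and the redirect URI are constructed placeholders; a real RP takes the endpoints from the gateway's discovery document.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholders; the real issuer and endpoints come from the gateway's
# discovery document, not from this example.
ISSUER = "https://gateway.example.invalid"
CLIENT_ID = "example-rp"
REDIRECT_URI = "nl.example.app:/callback"  # custom-scheme URI typical for a mobile app

def build_auth_request(issuer, client_id, redirect_uri):
    """First redirect: RP -> gateway -> IdP.
    state binds the callback to this session, nonce binds the ID token to this
    request, and PKCE replaces a client secret, which a mobile app cannot keep."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(32)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": "openid",
        "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    # "/authorize" is an assumed endpoint path for illustration only.
    url = f"{issuer}/authorize?{urlencode(params)}"
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}

def check_callback(session, returned_state):
    """Reject a callback whose state does not match the one this session sent."""
    return secrets.compare_digest(session["state"], returned_state)

def check_id_token_claims(claims, session, issuer, client_id, now=None):
    """Claims the RP must verify after the library has checked the token signature:
    issued by our gateway, meant for us, tied to our nonce, and not expired."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = aud == client_id or (isinstance(aud, list) and client_id in aud)
    return (claims.get("iss") == issuer and aud_ok
            and claims.get("nonce") == session["nonce"]
            and claims.get("exp", 0) > now)
```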