
Update SURFconext Metadata Signing Certificate

The new SURFconext SAML metadata is signed with a new certificate. If your SAML library verifies the signature on the metadata, you must switch to this new certificate before importing the new SURFconext metadata. The certificate can be downloaded from:

The fingerprints of this certificate are:

    SHA-1 Fingerprint: 73:64:05:95:BA:DA:C5:D2:F9:B5:87:DE:4A:1C:2B:E0:52:F5:D1:47
    SHA-256 Fingerprint: 4B:05:FF:75:00:6A:36:47:79:EA:7E:45:26:B2:6A:64:B4:0E:57:F1:00:D9:6A:5A:21:D8:02:07:F3:43:4D:0E

Please contact SURFconext support if you require additional verification of this new certificate.

For the test environment, similar information is available from https://metadata.test.surfconext.nl.

Update SURFconext SAML Metadata

See the table below for how the current URLs map to the new locations. Current URLs may optionally contain the string "key:default" or "key:20140505"; these are all equivalent to the URL without the extra string. Nearly all SPs use the first URL in the table.

Production and staging environments

Old: https://engine.surfconext.nl/authentication/idp/metadata(key:<some string>)
New: https://metadata.surfconext.nl/idp-metadata.xml

Old: https://engine.surfconext.nl/authentication/proxy/idps-metadata/(key:<some string>)
New: https://metadata.surfconext.nl/idps-metadata.xml

Old: https://engine.surfconext.nl/authentication/proxy/idps-metadata/(key:<some string>)?sp-entity-id=urn:example.org
New: please contact support@surfconext.nl

Test environment

Old: https://engine.test.surfconext.nl/authentication/idp/metadata(key:<some string>)
New: https://metadata.test.surfconext.nl/idp-metadata.xml

Old: https://engine.test.surfconext.nl/authentication/proxy/idps-metadata/(key:<some string>)
New: https://metadata.test.surfconext.nl/idps-metadata.xml

Old: https://engine.test.surfconext.nl/authentication/proxy/idps-metadata/(key:<some string>)?sp-entity-id=urn:example.org
New: please contact support@surfconext.nl

The new SURFconext SAML metadata contains:

  • a different SAML signing certificate
  • a different SingleSignOnService location

If your SAML library can import metadata, both are updated automatically when you configure the new URL.

After updating, your configuration should contain the new certificate, and the SingleSignOnService Location will contain "20181213" (for the production and staging environment of SURFconext) or "20190208" (for the test environment of SURFconext).

If logging in still works, you have completed the migration and no further actions are required.

NB: SURFconext's entityID does not change. This continues to be "https://engine.surfconext.nl/authentication/idp/metadata" (for the production and staging environment of SURFconext) or "https://engine.test.surfconext.nl/authentication/idp/metadata" (for the test environment of SURFconext).
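The following Python script is an added example, not part of this page or of SURFconext's own tooling. It ties together the two checks this page asks for: it pins the metadata signing certificate found in ds:Signature/ds:KeyInfo by its colon-separated SHA-256 fingerprint (the format of the fingerprints listed above), and confirms that the entityID is unchanged and that every SingleSignOnService Location contains the expected marker ("20181213" or "20190208"). The sample metadata, the placeholder certificate bytes and the SSO URL in it are constructed, so its fingerprint will not match the published one; on real metadata pass the fingerprint from this page. It does not verify the XML signature itself; that remains your SAML library's job.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# SHA-256 fingerprint of the production/staging metadata signing certificate, as published above.
SURFCONEXT_METADATA_SIGNING_SHA256 = ("4B:05:FF:75:00:6A:36:47:79:EA:7E:45:26:B2:6A:64:"
                                      "B4:0E:57:F1:00:D9:6A:5A:21:D8:02:07:F3:43:4D:0E")

# Constructed sample: placeholder bytes stand in for the DER certificate; the SSO URL is invented.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = (
    b'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    b'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    b'entityID="https://engine.surfconext.nl/authentication/idp/metadata">'
    b"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(PLACEHOLDER_DER) +
    b"</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
    b'<md:IDPSSODescriptor><md:SingleSignOnService Location="https://sso.example.invalid/20181213/"/>'
    b"</md:IDPSSODescriptor></md:EntityDescriptor>"
)


def fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 digest, the format used for the fingerprints above."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_metadata(xml_bytes, expected_entity_id, expected_sha256, location_marker):
    """Return a list of problems; an empty list means the metadata passes all three checks."""
    root = ET.fromstring(xml_bytes)
    problems = []
    if root.get("entityID") != expected_entity_id:
        problems.append("entityID changed: %r" % root.get("entityID"))
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        problems.append("no signing certificate in ds:Signature/ds:KeyInfo")
    else:
        actual = fingerprint(base64.b64decode(cert.text))  # PEM-style whitespace is ignored
        if actual != expected_sha256.upper():
            problems.append("signing certificate mismatch, got " + actual)
    locations = [e.get("Location", "")
                 for e in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS)]
    if not locations or not all(location_marker in loc for loc in locations):
        problems.append("SingleSignOnService Location lacks %r: %r" % (location_marker, locations))
    return problems
```

Run `check_metadata(fetched_xml, entity_id, SURFCONEXT_METADATA_SIGNING_SHA256, "20181213")` on the metadata you downloaded from the new production URL; any non-empty result means the migration is not complete.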

More information
