...
The SURFconext identifier is built from identifiers that the IdP of the user sends to SURFconext during authentication:
urn:collab:person:{{urn:mace:terena.org:attribute-def:schacHomeOrganization}}:{{urn:mace:dir:attribute-def:uid}}
where:
...
Example: urn:collab:person:some-organisation.example.org:m1234567890
SAML Response
...
Level: authentication strength
See explanation at "Levels of Assurance".
Implementation
SFO must be implemented at the SP. The authentication protocol is similar to the one used by the Strong Authentication gateway. The main difference is that the SP must send the identifier of the user in the Subject element of the SAML AuthnRequest (see description of AuthnRequest, line 2017).
...
Example code for using SFO with SimpleSAMLphp can be found at: https://github.com/SURFnet/Stepup-SFO-demo
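To make the identifier template and the Subject requirement above concrete, the following added example (not code from this page or from the Stepup-SFO-demo repository) builds the SURFconext identifier from the two IdP attributes and places it in the Subject of an unsigned AuthnRequest. The entity ID, endpoint URLs, level value and the character check are assumptions or placeholders of this example; signing and transport are left to the SAML library.

```python
import re
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumption of this example: accept only a conservative character set so the
# ':'-separated identifier stays unambiguous. The page's own rules are elided.
_SAFE = re.compile(r"[A-Za-z0-9._-]+")


def surfconext_identifier(schac_home_organization: str, uid: str) -> str:
    """Fill the urn:collab:person template with the two IdP attributes."""
    for name, value in (("schacHomeOrganization", schac_home_organization), ("uid", uid)):
        if not _SAFE.fullmatch(value):
            raise ValueError(f"unexpected characters in {name}: {value!r}")
    return f"urn:collab:person:{schac_home_organization}:{uid}"


def build_sfo_authn_request(identifier, sp_entity_id, destination, acs_url, level):
    """Return an unsigned AuthnRequest that names the user in <saml:Subject>."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(16),  # unpredictable request ID
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(req, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = identifier
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext")
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = level
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values; URLs and the level are placeholders.
    ident = surfconext_identifier("some-organisation.example.org", "m1234567890")
    print(build_sfo_authn_request(
        ident, "https://sp.example.org/metadata", "https://sfo-gateway.example.org/sso",
        "https://sp.example.org/acs", "LEVEL-URI-PLACEHOLDER"))
```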