Before users can use your service, their Identity Providers need to be coupled with your service. This is done by SURFconext Support, after the Identity Provider has given explicit permission. Generally the less attributes your service requires (in accordance with the minimal disclosure principle of SURFconext), the quicker they will give this permission.
...
IdP's have the possibility to restrict access to a service. With SURFconext Authorisation Rules (Dutch), key users at the institutions can restrict certain users, or user groups to have access to the service. This functionality can't be operated by Service Providers, but with deliberation with the institution, arrangements can be made.
...