Comment: adjust docs to reality

This page describes the differences between SURFconext and SURFsecureID that are relevant for a SAML service provider (SP) that is migrating from SURFconext to the SURFsecureID gateway, or that uses both simultaneously.

Please note that SURFsecureID does not yet support OpenID Connect, whereas SURFconext does. If you must use OpenID Connect, an OpenID Connect to SAML proxy (such as SaToSa) may be an option.

Note that connecting to SURFsecureID directly is deprecated for the SURFsecureID test and production environments.

Architecture

SURFconext (engine.surfconext.nl) and SURFsecureID (sa-gw.surfconext.nl) are both SAML proxies. The image below shows how SURFconext and SURFsecureID relate to each other.

...

Warning: Security advice

If your SP trusts multiple IdPs (e.g. the SURFconext IdP and the SURFsecureID IdP), your SP must always verify from which IdP (the Issuer) it received the SAMLResponse, and that the response answers an AuthnRequest your SP actually sent to that IdP (InResponseTo). If your SAML library supports the IdP-initiated flow (a.k.a. unsolicited assertions), your SP could otherwise receive, and accept as valid, a SAMLResponse from any trusted IdP at any time, including a response from the IdP you did not intend to authenticate this user against.
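The check described above, as an added example that is not part of the SURFconext or SURFsecureID documentation and not code from either gateway: after the SAML library has verified the XML signature, the SP binds the SAMLResponse to the AuthnRequest it sent and to the IdP that request went to. The EntityIDs are placeholders (take the real ones from each IdP's metadata), the sample responses are constructed, unsigned test data, and the `outstanding` store is a stand-in for whatever session storage the SP keeps its pending request IDs in.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder EntityIDs (hypothetical); the real values come from each IdP's metadata.
SURFCONEXT_IDP = "urn:example:surfconext-idp"
SURFSECUREID_IDP = "urn:example:surfsecureid-idp"


def validate_response(response_xml: str, outstanding: dict) -> tuple:
    """Accept a SAMLResponse only if it answers an AuthnRequest this SP sent,
    and only if it was issued by the IdP that request was sent to.

    outstanding maps AuthnRequest ID -> EntityID of the IdP the request went to.
    Assumes the SAML library has already verified the signature.
    Returns (accepted, reason).
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"

    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        # No InResponseTo means an unsolicited (IdP-initiated) response. With two
        # trusted IdPs, accepting it would let either IdP log a user in at any time.
        return False, "unsolicited response rejected"

    expected_issuer = outstanding.get(in_response_to)
    if expected_issuer is None:
        return False, "InResponseTo does not match an outstanding request"

    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer != expected_issuer:
        return False, f"issuer {issuer!r} is not the IdP the request was sent to"

    # The assertion carries its own Issuer; it must name the same entity.
    for assertion in root.findall("saml:Assertion", NS):
        a_issuer = assertion.find("saml:Issuer", NS)
        if a_issuer is None or (a_issuer.text or "").strip() != issuer:
            return False, "assertion issuer differs from response issuer"

    del outstanding[in_response_to]  # request IDs are single-use (replay protection)
    return True, "ok"


def sample_response(issuer: str, in_response_to: str = None) -> str:
    """Constructed, unsigned SAMLResponse used only to exercise the check."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0"{irt}>
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer></saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # AuthnRequest _req1 was sent to the SURFsecureID gateway.
    pending = {"_req1": SURFSECUREID_IDP}
    print(validate_response(sample_response(SURFSECUREID_IDP, "_req1"), dict(pending)))
    print(validate_response(sample_response(SURFCONEXT_IDP, "_req1"), dict(pending)))
    print(validate_response(sample_response(SURFCONEXT_IDP), dict(pending)))
```

The second call shows the case the advice is about: a validly signed response from the SURFconext IdP arriving at an SP that asked SURFsecureID for a step-up authentication. Signature checking alone accepts it; the Issuer check rejects it.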


...

Note: SURFsecureID and OpenID Connect

...


Metadata

Because the SURFsecureID proxy is a separate SAML IdP from the normal SURFconext IdP, it has its own SAML 2.0 metadata. Its EntityID, SAML signing certificate and Single Sign On Location all differ from those of the normal SURFconext IdP, so your SP must load the SURFsecureID metadata separately rather than reuse the SURFconext configuration.

...

The attributes you receive from SURFsecureID come from SURFconext. SURFsecureID requires that your SP receives the eduPersonTargetedID (EPTI) attribute. If this attribute is not present, the authentication will fail at the SURFsecureID gateway.

...

Info: eduPersonTargetedID (EPTI) is required

...

SURFsecureID are supplied by SURFconext.

Authentication Request

AssertionConsumerServiceIndex

...

  1. First level StatusCode urn:oasis:names:tc:SAML:2.0:status:Responder
     with second level StatusCode urn:oasis:names:tc:SAML:2.0:status:AuthnFailed: the user cancelled the authentication; or
  2. First level StatusCode urn:oasis:names:tc:SAML:2.0:status:Responder
     with second level StatusCode urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext: authentication cannot be performed at the requested LoA.
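Telling these two failures apart, as an added example that is not part of the SURFconext or SURFsecureID documentation: both carry the same first-level code, so the SP has to read the nested second-level StatusCode to decide whether to show a "you cancelled" message or to fall back because the user cannot reach the requested LoA. The decision keys on the second-level code and only requires the first-level code to be a non-Success value, so it also copes with an IdP that reports the fault as Requester. The sample responses are constructed test data containing only the Status element.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"


def status_codes(response_xml: str) -> tuple:
    """Return (first_level, second_level) StatusCode values of a SAMLResponse.

    second_level is None when the response has no nested StatusCode.
    """
    root = ET.fromstring(response_xml)
    first = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if first is None:
        raise ValueError("SAMLResponse has no StatusCode")
    second = first.find(f"{{{SAMLP}}}StatusCode")
    return first.get("Value"), (second.get("Value") if second is not None else None)


def classify(response_xml: str) -> str:
    """Map the gateway's status to an SP-side outcome.

    'success' still needs the full assertion validation (signature, Issuer,
    InResponseTo, EPTI present) before the user is logged in.
    """
    first, second = status_codes(response_xml)
    if first == STATUS + "Success":
        return "success"
    # The gateway reports both failures with first level Responder; the nested
    # second-level code is what distinguishes them.
    if second == STATUS + "AuthnFailed":
        return "user_cancelled"
    if second == STATUS + "NoAuthnContext":
        return "loa_not_available"
    return "other_failure"


def sample_response(first: str, second: str = None) -> str:
    """Constructed SAMLResponse carrying only a Status element (test data)."""
    nested = f'<samlp:StatusCode Value="{second}"/>' if second else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0">'
        f'<samlp:Status><samlp:StatusCode Value="{first}">{nested}</samlp:StatusCode>'
        f"</samlp:Status></samlp:Response>"
    )


if __name__ == "__main__":
    print(classify(sample_response(STATUS + "Responder", STATUS + "AuthnFailed")))
    print(classify(sample_response(STATUS + "Responder", STATUS + "NoAuthnContext")))
    print(classify(sample_response(STATUS + "Success")))
```

For the `loa_not_available` outcome the SP can retry with a lower RequestedAuthnContext or refuse access, depending on its policy; for `user_cancelled` a retry at the same LoA is the usual response.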

...