Introduction

A service can use SURFconext Strong Authentication to handle it's login, much like SURFconext is used to perform user login for services. There are only a few differences between a SURFconext and the SURFconext Strong Authentication connection. With SURFconext Strong Authentication, the login process will not only perform the first factor (username/password at the institution's Identity Provider), but also the second factor as chosen by the end user.

Usually, a Service Provider and institution together determine if strong authentication is needed for a specific service. The Service Provider connects its service to the SURFconext Strong Authentication endpoint, and the institution makes sure the users are properly registered with their strong authentication token. Institutions do not need to make any changes to their Identity Providers to implement this option.

Architecture overview

The picture below shows the relation between:

...