Versions Compared

Old Version 32

changes.mady.by.user Pieter van der Meulen

Saved on

compared with

New Version 33

changes.mady.by.user Pieter van der Meulen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The normal SURFconext (engine.surfconext.nl) and SURFsecureID (sa-gw.surfconext.nl) are both SAML proxies. If you are migrating a SP This page describes the differences between SURFconext and SURFsecureID that are relevant for a SAML service provider (SP) that is migrating from SURFconext to SURFsecureID, you should be aware that there are differences between these two SAML proxiesor that is using both simultaneously.

Please note that SURFsecureID does not yet support OpenID Connect whereas SURFconext does. If you must use OpenID Connect, an OpenID Connect - SAML proxy may be an option (like SaToSa).

Architecture

SURFconext (engine.surfconext.nl) and SURFsecureID (sa-gw.surfconext.nl) are both SAML proxies. The image below shows how SURFconext and SURFsecureID relate to each other.

Your SP connects to the IdP side of the proxy. An authentication to SURFsecureID (route 1) will pass though SURFconext. This means that SURFconext functionality like consent, authorization, attribute aggregation functions just like a direct authentication to SURFconext (route 2).

A service that uses SURFsecureID directly (route 1 in the image below) thus can continue to use SURFconext for authentication (route 2 in the image below). It is your SP that, for each authentication, decides which route it wants to use. The SP will receive the same attributes and user identifiers regardless of the route it takes. To get strong authentication your SP must authenticate to SURFsecureID.

Warning
titleSecurity advice

If your SP trusts multiple IdPs (e.g. SURFconext IdP and the SURFsecureID IdP), your SP must always verify from which IdP (the Issuer) it received the SAMLResponse. If your SAML library supports the IdP initiated flow (a.k.a unsollicited unsolicited assertions), your SP could receive, and accept as valid, a SAMLResponse from any trusted IdP at any time.



Info
titleSURFsecureID and OpenID Connect

Please note that SURFsecureID does not yet support OpenID Connect whereas SURFconext does. If you must use OpenID Connect, using an OpenID Connect - SAML proxy (like SaToSa) may be an option.

Metadata

Because the SURFsecureID proxy is a separate SAML IdP from the normal SURFconext, it has different SAML 2.0 metadata. The EntityID, SAML signing certificate and Single Sign On Location are all different from the normal SURFconext.

...

  • IdP selection through metadata (transparent metadata, Dutch scoping)

Attributes

The attributes you receive from SURFsecureID come from the SURFconext. SURFsecureID requires that your SP receives the eduPersonTargetedID (EPTI) attribute. If this attribute is not present, the authentication will fail at the SURFsecureID gateway.

Note
titleeduPersonTargetedID (EPTI) is required
typeInfo

Ensure that you receive the eduPersonTargetedID (EPTI) attribute when migrating your SP from SURFconext to SURFsecureID. This attribute is required for SURFsecureID. You can ask support@surfconext.nl to enable this attribute for your SP.

Authentication Request

AssertionConsumerServiceIndex

Selecting a binding using the AssertionConsumerServiceIndex attribute is not supported.

ForceAuthn

Single Sign on for the second factor is not provided: for each authentication request with a LoA > 1 the user must always authenticate using his second factor.

Setting ForceAuthn to true may force a re-authentication of the user at the institutional IdP for the first factor, but this cannot be guaranteed.

No SessionIndex in the AuthnStatement

The SURFconext Strong Authentication gateway does not provide a SessionIndex in the SAML Response returned to the SP. More information (see at line 1107).

IdP initiated login

SURFsecureID does not support IdP initiated login (IdP-geïnitieerde login).

Because your SP can still use the SURFconext, you could first authenticatie the user there and then authenticate the user at SURFsecureID. Because the user has SSO at the IdP, and SURFconext remembers the selected IdP the user wil not get a WAYF (IdP selection screen) and does not need to reauthenticatie at the IdP.

Scoping using IDPList

Selecting IdP(s) by adding a IDPList in the Scoping element in a AuthnRequest is not supported.

Because your SP can still use the normal SURFconext, you could first authenticatie the user there and then authenticate the user at SURFsecureID. Because the user has SSO at the IdP, and SURFconext remembers the selected IdP the user wil not get a WAYF (IdP selection screen) and does not need to reauthenticatie at the IdP.

AuthenticationContext in the Assertion

After successful authentication the SURFsecureID gateway will report the level of assurance in an AuthnContextClassRef element in an AuthenticationContext in the SAML Assertion sent to the SP. 

Non-production environments use different identifiers!

Anchor
Authentication failure
Authentication failure
Authentication failure

When authentication fails, it is generally because the user:

...

Supported SAML bindings

The SAML bindings supported are limited to those in the Interoperable SAML 2.0 Web Browser SSO Deployment Profile. This means that:

...