If you want your service to be connected to SURFconext, metadata must be exchanged between you and SURFconext. After this exchange your service and SURFconext know and trust each other: the metadata carries each party's entityID, endpoints and signing certificate, which is what lets the two sides verify each other's messages later on. The exchange of metadata is done only once; there is no metadata exchange during the authentication process itself. The exchange is a two-way process:
- The Service Provider must read metadata from SURFconext.
- SURFconext must read metadata from the Service Provider.
Preferably you configure SURFconext as your Identity Provider automatically, using the SAML 2.0 metadata file that can be downloaded here. The metadata for the test environment can be found here. How you enter the metadata into your software depends on the software used: generally you import the metadata file or place it in a specific location. The metadata configures your service to treat SURFconext as its only IdP; SURFconext then performs IdP discovery for you on its WAYF ("Where Are You From") selection page, where the user picks their own institution. The same WAYF page is used for both the Test and the Production environment. If your software cannot process the metadata file automatically, you must configure the necessary information manually.

To be able to configure a connection with your service, SURFconext Support needs some information about your service. This can be provided using the recommended SAML 2.0 metadata file or manually. Most SAML-enabled Service Provider software can produce such a metadata file. You send the URL of the metadata file on your web server to SURFconext via the SP Dashboard. Serve that file over HTTPS and keep it at a stable URL: SURFconext relies on the endpoints and certificates it contains. The table below lists what the metadata (or the manual submission) must contain.

| SAML metadata element | Description | Restrictions | Mandatory in SAML metadata¹ | Mandatory information² |
|---|---|---|---|---|
| entityID | Technical name of your service | Must be a URN containing at least one colon; unique within SURFconext; an IdP and an SP cannot have the same entityID | Y | Y |
| AssertionConsumerService | Endpoint to which users are sent back after authentication | Location: URL of your AssertionConsumerService (ACS); in production this must be HTTPS with a valid TLS (SSL) certificate from a trusted CA. Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | Y | Y |
| NameIDFormat | Format of the NameID you receive when a user is authenticated via SURFconext | urn:oasis:names:tc:SAML:2.0:nameid-format:transient or urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | Optional | Y |
| ContactPerson (GivenName, SurName, EmailAddress) | Information about your administrative, technical and support contacts | Use contactType="administrative", contactType="technical" or contactType="support" on the ContactPerson element when adding this to your metadata | Optional | Y |
| name | Name of your service | | N | Y |
| description | Description of your service | | N | Y |
| RequestedAttributes | The attributes your service requires, including the reason each attribute is required | | N | Y |
| mdui:Logo | Logo of your service | 500 x 300 pixels, PNG format with transparent background | N | Y |

¹ If you provide SURFconext Support with a SAML metadata file, these fields must be part of that file.
² You must provide this information to SURFconext Support via the SP Dashboard.
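As an added example (not part of the original page and not SURFconext's own tooling), the following Python script checks an SP metadata file against the restrictions in the table before you hand its URL to the SP Dashboard. Rows marked mandatory in the metadata file are reported as errors; information that SURFconext needs but that may also be entered in the SP Dashboard is reported as warnings. The sample metadata is constructed for this example; the mapping of the table's name, description and logo rows onto mdui:DisplayName, mdui:Description and mdui:Logo inside mdui:UIInfo, and the check that the logo URL ends in .png, are assumptions of the example rather than rules stated on the page.

```python
"""Check SP SAML 2.0 metadata against the SURFconext restrictions in the table above.
Added example, not SURFconext's own code; the sample metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
                  "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}
CONTACT_TYPES = ("administrative", "technical", "support")


def check_sp_metadata(xml_text, production=True):
    """Return {'errors': [...], 'warnings': [...]}.
    errors:   rows the table marks mandatory in the metadata file itself.
    warnings: information SURFconext needs but that may also be given in the SP Dashboard."""
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return {"errors": ["root element is not md:EntityDescriptor"], "warnings": []}
    entity_id = root.get("entityID", "")
    if ":" not in entity_id:  # URN-style entityID: at least one colon (a URL also has one)
        errors.append("entityID %r must contain at least one colon" % entity_id)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"errors": errors + ["no md:SPSSODescriptor"], "warnings": warnings}
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        errors.append("no md:AssertionConsumerService endpoint")
    for acs in acs_list:
        loc = acs.get("Location", "")
        if acs.get("Binding") != HTTP_POST:
            errors.append("ACS %s: Binding must be HTTP-POST" % loc)
        if production and not loc.startswith("https://"):
            errors.append("ACS %s: Location must be https:// in production" % loc)
    for fmt in sp.findall("md:NameIDFormat", NS):  # optional, but restricted when present
        if (fmt.text or "").strip() not in NAMEID_FORMATS:
            errors.append("NameIDFormat %r is neither transient nor persistent" % fmt.text)
    for ctype in CONTACT_TYPES:
        cp = root.find("md:ContactPerson[@contactType='%s']" % ctype, NS)
        if cp is None:
            warnings.append("no ContactPerson with contactType=%s" % ctype)
            continue
        for child in ("GivenName", "SurName", "EmailAddress"):
            if cp.find("md:" + child, NS) is None:
                warnings.append("%s contact lacks %s" % (ctype, child))
    # Assumed mapping: the table's name, description and logo travel in mdui:UIInfo.
    ui = sp.find("md:Extensions/mdui:UIInfo", NS)
    if ui is None:
        warnings.append("no mdui:UIInfo (name, description and logo missing)")
    else:
        for el in ("DisplayName", "Description"):
            if ui.find("mdui:" + el, NS) is None:
                warnings.append("no mdui:%s" % el)
        logo = ui.find("mdui:Logo", NS)
        if logo is None:
            warnings.append("no mdui:Logo")
        else:
            size = (logo.get("width"), logo.get("height"))
            if size != ("500", "300"):
                warnings.append("mdui:Logo is %sx%s, expected 500x300" % size)
            if not (logo.text or "").strip().lower().endswith(".png"):
                warnings.append("mdui:Logo URL does not end in .png")  # heuristic only
    if sp.find("md:AttributeConsumingService/md:RequestedAttribute", NS) is None:
        warnings.append("no md:RequestedAttribute (list required attributes in the SP Dashboard)")
    return {"errors": errors, "warnings": warnings}


# Constructed sample SP metadata that satisfies every row of the table.
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://sp.example.org/saml/metadata">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><mdui:UIInfo>
   <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
   <mdui:Description xml:lang="en">Demo service used to exercise the check</mdui:Description>
   <mdui:Logo width="500" height="300">https://sp.example.org/static/logo.png</mdui:Logo>
  </mdui:UIInfo></md:Extensions>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  <md:AssertionConsumerService index="0" isDefault="true"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/saml/acs"/>
  <md:AttributeConsumingService index="0">
   <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
   <md:RequestedAttribute Name="urn:mace:dir:attribute-def:mail" isRequired="true"/>
  </md:AttributeConsumingService>
 </md:SPSSODescriptor>
 <md:ContactPerson contactType="administrative"><md:GivenName>Ada</md:GivenName>
  <md:SurName>Admin</md:SurName><md:EmailAddress>admin@sp.example.org</md:EmailAddress></md:ContactPerson>
 <md:ContactPerson contactType="technical"><md:GivenName>Tom</md:GivenName>
  <md:SurName>Tech</md:SurName><md:EmailAddress>tech@sp.example.org</md:EmailAddress></md:ContactPerson>
 <md:ContactPerson contactType="support"><md:GivenName>Sue</md:GivenName>
  <md:SurName>Support</md:SurName><md:EmailAddress>support@sp.example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""

# The same document with three violations of mandatory rules and one missing contact type.
BAD_METADATA = (GOOD_METADATA
    .replace('entityID="https://sp.example.org/saml/metadata"', 'entityID="example-sp"')
    .replace('Location="https://sp.example.org/saml/acs"', 'Location="http://sp.example.org/saml/acs"')
    .replace("bindings:HTTP-POST", "bindings:HTTP-Redirect")
    .replace('contactType="support"', 'contactType="other"'))

if __name__ == "__main__":
    for label, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(label, check_sp_metadata(doc))
```

Run the script as-is to see the good document pass and the bad one fail with three errors (entityID without a colon, HTTP-Redirect binding, plain-HTTP ACS) and one warning (no support contact). Pass `production=False` when checking metadata for the test environment, where a non-HTTPS ACS is tolerated by this check; everything else stays mandatory.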