This page guides you through the contractual matters that need to be taken care of before you connect your service to the production environment of SURFconext: you will need to sign a 'Connection Agreement' (in Dutch, an 'Aansluitovereenkomst'). The procedure for SURFnet members is also outlined. Either way, this is something you want to have sorted out before promoting your service to production and before you connect to institutions. Since this is not that hard, let's get to it.
Every time a user logs in via SURFconext, user information is transferred from the institution, via SURFconext, to your service. Based on what has been agreed, you as a Service Provider may receive data from the Identity Provider/Attribute Provider:
- for the authentication (the proof of authentication by the Identity Provider);
- for authorisation decisions within your service;
- about the group memberships of a user, if this is required for cooperation and authorisation within the service provided;
- extra data from a user relevant to the service.
We basically have two situations:
- You are a SURFnet member (an institution): please read here what to check for
- In other cases, you most likely will need to sign a SURFconext connection agreement, see below.
- SURFnet does not sign a data processing agreement (DPA, Dutch: verwerkersovereenkomst) with service providers. If a DPA is necessary, it needs to be signed between you, as supplier of the service, and every institution.
SURFconext Connection Agreement (Dutch: aansluitovereenkomst)
A contract needs to be signed before promoting your service to the SURFconext production environment, to document the rights and obligations of the parties involved. You can download the template to see in advance what the agreement entails.