| Section |
|---|
| Column |
|---|
| The Test Environment is the playground for testing new services with SURFconext. It is in no way connected to the production environment of SURFconext and thus not connected to real identity providers and real users. In the Test environment test-IP's and test-accounts are available. Connecting to it is simple |
|
...
1. Import the metadata (SAML Only)
...
and a contract at this point is not necessary so you can start testing immediately. At this point you should have prepared your application so it supports SAML or OpenID Connect. This page will show you how you can define your test instance on our test environment. Both SAML and OpenID Connect will be depicted.
On this page you will find the steps necessary to define your service in SURFconext. You will need to do the following: - Configure your service for SURFconext using SAML or OpenID Connect
- Register your SAML/OpenID Connect enabled service in the SP dashboard
- Test your connection with fictional IdP's, fictional users and fictional attribute values
If you have succeeded to go through these steps you have successfully connected your service to the test environment of SURFconext! To start you will need to configure your service with SURFconext specific parameters. SAMLFor your service, you need to import the Entity Descriptor of the SURFconext IdP Proxy of our test environment in your Service Provider. Depending on the software you use, you must import the metadata |
|
...
...
place a file with this information on a |
|
...
...
Image Removed
that is accessible by the service. |
|
| Expand |
|---|
| title | Using the SP Form (deprecated)? |
|---|
|
Using the (old) SP form? Configure this metadata in your Service Provider: depending on the software used, you must import the metadata file or URL or you must place it on a specific location.  Image Removed
|
2. Register your service (SAML only)
After the intake (by telephone), SURFconext team will provide access to the SP Dashboard. Here you can independently manage your service(s) on the SURFconext platform.
2* OpenID Connect
| Note |
|---|
The SP registration form is not yet ready for OpenID Connect. If you wish to use OpenID Connect, please send an email to support@surfconext.nl, with the following information: - URL to your service
- Redirect URL
- Name of the service
- Description of the service
- Logo URL of the service
- Which attributes (claims) you need
|
3. Configure your service (OpenID Connect only)
| Warning |
|---|
The Public SAML metadata or the 'Entity Descriptor' of the SURFconext IdP proxy for the test environment differs from the production environment. The following applies: Service Providers that are connected to the 'Test Environment' of SURFconext can not and will not be connected to both identity providers on the production environment and the test environment. The user profiles from IdP's on the test environment are fictional or unverified. Real users, with their profiles can only connect to your service through the production environment of SURFconext. Once verified that you are connected to the production environment you must use the entity descriptor of the production environment as mentioned above. |
OpenID ConnectVia the SP Dashboard you'll get |
|
...
the necessary data for OpenID Connect, which are: |
|
...
...
Configure your service with these data to enable access through OpenID Connect. The scope "openid" is sufficient to get all configured claims. | Warning |
|---|
As you might expect the OpenID Connect configuration as found in the .well-known URL differs from test to production. A small but essential difference: |
2. Register your SAML/OpenID Connect enabled service in the SP dashboardAfter the intake by telephone, the SURFconext team will add you to a team. If you have confirmed the membership of this team, members have access to designated services in the SP Dashboard. You can manage entities of the service you have been granted accesses to. If you are a member of multiple teams you will see the according services.  Image Added
| Warning |
|---|
| Not provided by the import URL but necessary to promote a service to production is a solid motivation of each attribute used. Read our wiki 'Attribute best practice' to get to know more. In short, we want you to use as few attributes as possible and as privacy preserving as possible. If you use too many, SURFconext can decline promotion of the service to production and ultimately an institution can decline your request to connect to the service. |
| Anchor |
|---|
| 3. Test your connection |
|---|
| 3. Test your connection |
|---|
|
|
|
...
3. Test your connection with fictional IdP's, fictional users and fictional attribute valuesAfter logging in to your service, you will see the WAYF-screen with the available test Identity Providers |
|
...
. SURFconext supplies two test IdP's: - SURFconext Test IdP
- SURFconext Mujina IdP
SURFconext Test IdP |
|
...
This test IdP allows you to test various login and attribute scenarios, common when dealing with
|
|
...
SAML Identity Providers. Several fictitious user accounts are available with attributes matching real world scenarios. The users are also members of groups that you can use to test retrieval |
|
...
...
...
' is not available in the Production environment |
|
...
. SURFconext Mujina Identity Provider
This test IdP lets you impersonate every possible user. You are able to select attributes and values of your choice. This is a great way of testing all attributes available to SURFconext. You can add the attributes as shown in the pull-down on the login page of Mujina. The attributes you can use are described in detail on our attributes page. | Info |
|---|
Take the following into account when using our Mujina Identity Provider: |
 Image Added Image Added
Back to startReturn our step by step guide to continue to connect your service. |
| Column |
|---|
| Navigate | Page Tree |
|---|
| root | Documentation for Service Providers |
|---|
| searchBox | true |
|---|
|
|
|