Federated authentication means that a user logs in at a location (an Identity Provider) other than that of the accessed service (a Service Provider). SURFconext sits between those locations. Each provider has only one trusted connection, with SURFconext: this is why it is called a hub-and-spoke federation. The connections are 'trusted' because both the Service Provider and the Identity Provider have identified themselves to SURFconext by exchanging metadata. This metadata contains all the information one entity needs to send a message to another (such as endpoint locations, bindings and signing certificates).

SURFconext couples the SP and the IdP according to specific rules.

[Figure: SURFconext login flow]

Authentication process in steps

  1. A user accesses a Service Provider and is required to log in. The Service Provider redirects the user to SURFconext with a SAML 2.0 authentication request.
     
  2. In order to determine where to send the user for authentication, SURFconext shows the user a "Where Are You From?" (WAYF) page listing all Identity Providers that have access to the service.
     
  3. The user chooses the institution that is his Identity Provider. After that he is redirected to that IdP with a SAML 2.0 authentication request.
     
  4. The Identity Provider authenticates the user, usually by asking the user to enter his credentials. After validating them, the Identity Provider redirects the user to SURFconext with a SAML 2.0 response message. The message says the user authenticated and contains the user's attributes.
     
  5. SURFconext validates the response message from the Identity Provider. If valid, SURFconext makes a number of alterations, for example rewriting the user's identifier and adding or modifying attributes. According to the attribute release policy applied, SURFconext determines the attributes that are allowed through to the Service Provider. The user is redirected to the Service Provider with a SAML 2.0 response message.
     
  6. The Service Provider validates the response message from SURFconext. If valid, the Service Provider can extract the necessary information and allow the user to access the service's secured content.
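The six steps above, run end to end as an added model of the hub-and-spoke flow. This is example code written for this page, not SURFconext's own implementation: the entity identifiers, users and attribute release policies are constructed, and an HMAC over a canonical form stands in for the SAML 2.0 XML signature that the real federation verifies against the certificates exchanged in metadata. What the model does show is the trust structure the text describes: each SP and IdP only accepts messages from the hub, the hub only accepts messages from entities it has metadata for, each response must answer an outstanding request exactly once, and the hub rewrites the user identifier and filters attributes per SP before anything reaches the service.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

HUB_ID = "https://hub.example/engine"   # constructed stand-in for the hub's entityID


@dataclass
class Entity:
    """A federation participant; `key` stands in for the signing certificate in its metadata."""
    entity_id: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))


def sign(key: bytes, msg: dict) -> dict:
    """Return msg with an HMAC over its canonical form (stand-in for the SAML XML signature)."""
    body = {k: v for k, v in msg.items() if k != "sig"}
    canonical = "&".join(f"{k}={body[k]!r}" for k in sorted(body))
    return {**body, "sig": hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()}


def verified(key: bytes, msg: dict) -> bool:
    return hmac.compare_digest(sign(key, msg)["sig"], msg.get("sig", ""))


class SP(Entity):
    def __init__(self, entity_id: str, hub_key: bytes):
        super().__init__(entity_id)
        self.hub_key = hub_key                 # the SP trusts exactly one party: the hub
        self.outstanding: set[str] = set()

    def authn_request(self) -> dict:           # step 1
        req_id = "_" + secrets.token_hex(8)
        self.outstanding.add(req_id)
        return sign(self.key, {"id": req_id, "issuer": self.entity_id, "destination": HUB_ID})

    def consume(self, resp: dict) -> tuple:    # step 6
        if resp["destination"] != self.entity_id or not verified(self.hub_key, resp):
            raise PermissionError("response is not from the hub")
        if resp["in_response_to"] not in self.outstanding:
            raise PermissionError("unsolicited or replayed response")
        self.outstanding.discard(resp["in_response_to"])   # one response per request
        return resp["name_id"], resp["attributes"]


class IdP(Entity):
    def __init__(self, entity_id: str, users: dict, hub_key: bytes):
        super().__init__(entity_id)
        self.users, self.hub_key = users, hub_key

    def authenticate(self, req: dict, username: str, password: str) -> dict:   # step 4
        if req["destination"] != self.entity_id or not verified(self.hub_key, req):
            raise PermissionError("request is not from the hub")
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("bad credentials")
        return sign(self.key, {"in_response_to": req["id"], "issuer": self.entity_id,
                               "name_id": username, "attributes": user["attributes"]})


class Hub:
    """The hub: every SP and IdP has a trusted connection only with it (the spokes)."""
    def __init__(self):
        self.me = Entity(HUB_ID)             # in this HMAC model, me.key is also what spokes verify with
        self.sps: dict[str, Entity] = {}
        self.idps: dict[str, Entity] = {}
        self.arp: dict[str, set] = {}        # attribute release policy per SP
        self.pending: dict[str, dict] = {}   # hub request id -> the SP request it serves

    def register_sp(self, sp: SP, released_attrs) -> None:
        self.sps[sp.entity_id], self.arp[sp.entity_id] = sp, set(released_attrs)

    def register_idp(self, idp: IdP) -> None:
        self.idps[idp.entity_id] = idp

    def receive_authn_request(self, req: dict) -> tuple:   # step 2: validate, then WAYF
        sp = self.sps.get(req["issuer"])
        if sp is None or req["destination"] != HUB_ID or not verified(sp.key, req):
            raise PermissionError("AuthnRequest from an unknown or unverifiable SP")
        hub_req_id = "_" + secrets.token_hex(8)
        self.pending[hub_req_id] = req
        return hub_req_id, sorted(self.idps)                # the WAYF list shown to the user

    def forward_to_idp(self, hub_req_id: str, idp_id: str) -> dict:   # step 3
        if idp_id not in self.idps or hub_req_id not in self.pending:
            raise PermissionError("unknown IdP or request")
        return sign(self.me.key, {"id": hub_req_id, "issuer": HUB_ID, "destination": idp_id})

    def receive_idp_response(self, resp: dict) -> dict:    # step 5
        idp = self.idps.get(resp["issuer"])
        if idp is None or not verified(idp.key, resp):
            raise PermissionError("response from an unknown or unverifiable IdP")
        sp_req = self.pending.pop(resp["in_response_to"], None)   # single use
        if sp_req is None:
            raise PermissionError("response matches no outstanding request")
        sp_id = sp_req["issuer"]
        # Rewrite the identifier to a per-SP pseudonym: the SP never sees the IdP's raw uid
        pseudo = hashlib.sha256(f"{sp_id}|{resp['issuer']}|{resp['name_id']}".encode()).hexdigest()[:32]
        released = {k: v for k, v in resp["attributes"].items() if k in self.arp[sp_id]}
        return sign(self.me.key, {"in_response_to": sp_req["id"], "issuer": HUB_ID,
                                  "destination": sp_id, "name_id": pseudo, "attributes": released})


def login(sp: SP, hub: Hub, idp: IdP, username: str, password: str) -> tuple:
    """Run steps 1-6 end to end; returns what the SP learns about the user."""
    hub_req_id, wayf = hub.receive_authn_request(sp.authn_request())
    if idp.entity_id not in wayf:
        raise PermissionError("chosen IdP is not on the WAYF page")
    idp_resp = idp.authenticate(hub.forward_to_idp(hub_req_id, idp.entity_id), username, password)
    return sp.consume(hub.receive_idp_response(idp_resp))


def build_federation() -> tuple:
    """Constructed sample: one hub, two SPs with different release policies, one IdP with one user."""
    hub = Hub()
    idp = IdP("https://idp.uni.example/saml", {"alice": {"password": "correct horse", "attributes": {
        "mail": "alice@uni.example", "displayName": "Alice", "eduPersonAffiliation": "student"}}}, hub.me.key)
    sp_a, sp_b = SP("https://sp-a.example/saml", hub.me.key), SP("https://sp-b.example/saml", hub.me.key)
    hub.register_idp(idp)
    hub.register_sp(sp_a, {"mail"})
    hub.register_sp(sp_b, {"mail", "displayName"})
    return hub, sp_a, sp_b, idp
```

Running `login()` twice for the same user against the two SPs shows the effect of step 5: the SPs receive different pseudonymous identifiers, neither equal to the IdP's username, and each sees only the attributes its release policy allows. A response signed with a key the hub has no metadata for, or one that answers no outstanding request, is rejected by the hub before anything is forwarded.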