Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • The SAML standard allows multiple AuthnContextClassRef elements to be specified in the RequestedAuthnContext. Currenly SURFsecureID will only look at the first AuthnContextClassRef element.
  • Specifying an AuthnContextClassRef other than one the of the defined authentication levels for SFO will result in an error.
  • The SAML standard allows a Comparision attribute to be added to the the RequestedAuthnContext element. Currently SURFsecureID does not interpret the value of this attribute and behaves as if "minimum" was specified as value for the Comparison attribute, which is a deviation of the SAML standard which specifies "exact" as the default. "minimum" means that the authentication context in the authentication statement that is returned after a successfull successful authentication will either be the requested authentication context, or the the authentication context of a stronger (i.e. higher level) authentication. SURFsecureID currently always returns the authentication context corrsponding to the highst highest level at which the user could be authentictated.


An example code for using SFO with SimpleSAMLphp can be found at: