...
The second factor authentication tokens that you register in Test, Pilot or Production are separate. You can use the same token and OneGini account for Test, Pilot and Production, but you need to do the registration procedure for each environment that you wish to use.
| Warning |
|---|
If you use your Yubikey with the production environment, you must not use it for any other purpose, including using it with SURFsecureID Pilot or Test. Reusing your production Yubikey is a security risk because Yubikey OTP codes are not tied to the environment. |
| Table of Contents |
|---|
Production environment
| Note | ||
|---|---|---|
| ||
The procedure below applies to the SURFsecureID Production environment. The pilot environment and test and environment have a different policy. See Pilot environment and Test environment below. |
...
We use the same software in test as in production, and thus need to follow most of the procedural steps. For practical purposes we skip the skip the face to face part of the process. We do however need you to perform an authentication with the token to be activated. This is why we ask youto you to make an appointment so you you can perform the authentication once we initiate the activation of your token from our side.
- Register a Onegini account.
- Make sure to complete Onegini's verification process for of your mail address: this is required for registering a SURFsecureID token.
- Go to https://sa.test.stepup.surfconext.nl/ and login with your Onegini account.
- Request a second factor authentication token (SMS, tiqr or YubiKey) and complete the self-registration process until step 4 "Activation code'.
- Contact us (support@surfconext.nl) for an appointment to finish the registration (ca. 5 minutes). For the TEST environment, the appointment can be by telephone or Skype call, chat or email. You do NOT have to visit us.
- Do not forget to bring/have your activation code and second factor authentication token (SMS, tiqr or YubiKey) ready, you will need it during the activation process. The activation code is shown in step 4 of the registration process, and is sent to you by email.
- After verification SURFnet will activate your token and you can then use it login at LoA/level 2 or above.
Until you have activated your token, you can only use the account to authenticate at LoA 1. SFO authentication always requires an activated token.
Attributes
The following attributes are available when using a OneGini account. Whether you actually receive these attributes depends on the attribute release policy (ARP) that is configured for your SP in SURFconext:
Friendly name | Attribute name | Value |
|---|---|---|
SURFconext ID | urn:oid:1.3.6.1.4.1.1076.20.40.40.1 | urn:collab:person:surfguest.nl:<uid> |
uid | urn:mace:dir:attribute-def:uid | Previous SURFguest username when this is a migrated account. Otherwise generated by Onegini. |
Surname | Registered surname | |
Given name | Registered first name | |
Common name | Registered common name | |
Display name | urn:mace:dir:attribute-def:displayName | Same as common name |
Email address | urn:mace:dir:attribute-def:mail | Registered email address |
Organization | urn:mace:terena.org:attribute-def:schacHomeOrganization | surfguest.nl |
PrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName | <uid>@surfguest<uid>@surfguest.nl |
will only be provided after the user confirmed his email address (via the There is no attribute that shows which authentication provider (Facebook, Google, LinkedIn, Twitter) the user used.
...