...

  • This option is preferred over option B.
  • The service can connect to SURFconext with either SAML or OpenID Connect; both work.
  • This integration does not support a dynamic LoA request by the service. A service that needs that feature must connect to SURFsecureID directly (see option B).
  • This option works for the production and test environments, not for the pilot environment.

Authentication flow

  1. The SP sends a SAML 2.0 AuthnRequest or an OpenID Connect authentication request to SURFconext.
  2. The user chooses the Identity Provider (institution) at which to log in for the first factor, and SURFconext sends that IdP a SAML AuthnRequest.
  3. The user logs in at the IdP, which returns a SAML Response to SURFconext with the user's identity and attributes.
  4. SURFconext is configured, for this SP or for this SP-IdP combination, to call SURFsecureID with a minimum LoA (greater than 1).
  5. The SURFsecureID gateway sends the user to the authentication provider for the second factor.
  6. The second-factor authentication provider returns its response to the SURFsecureID gateway.
  7. The SURFsecureID gateway sends a SAML Response back to SURFconext.
  8. SURFconext sends a SAML Response containing an Assertion with the user's identity and attributes to the SP.
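The SP only sees steps 1 and 8 of this flow, so the one thing it can and should check is that the Assertion it receives in step 8 actually carries the LoA that SURFconext was configured to enforce. The following is an added example (not SURF's code) in Python: it builds the plain AuthnRequest of step 1, deliberately without a RequestedAuthnContext because option A does not support a per-login LoA request, and then checks a constructed sample Response against a required minimum LoA. The LoA URIs, the Issuer entityID and the attribute name are assumed illustrative values; confirm the real identifiers in the SURFsecureID documentation. The example assumes the XML signature on the Response has already been verified by your SAML library; nothing below is safe to act on before that.

```python
"""Check the LoA asserted by SURFconext after a SURFsecureID step-up (added example)."""
import xml.etree.ElementTree as ET  # use defusedxml in production to block XXE / entity expansion

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed LoA identifiers for illustration, ordered weakest to strongest.
LOA_LEVELS = {
    "http://surfconext.nl/assurance/loa1": 1,
    "http://surfconext.nl/assurance/loa2": 2,
    "http://surfconext.nl/assurance/loa3": 3,
}

# Constructed sample of the step-8 Response (signature and encryption omitted for brevity).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.org/acs">
  <saml:Issuer>https://engine.surfconext.nl/authentication/idp/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://engine.surfconext.nl/authentication/idp/metadata</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>http://surfconext.nl/assurance/loa2</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:mace:dir:attribute-def:uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_authn_request(sp_entity_id, acs_url, request_id, issue_instant, destination):
    """Step 1: a plain SAML 2.0 AuthnRequest to SURFconext.

    No RequestedAuthnContext on purpose: with option A the minimum LoA is configured
    in SURFconext for the SP (or SP-IdP combination), not requested per login.
    """
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def check_response(response_xml, minimum_loa):
    """Step 8 at the SP: reject the Response unless it is successful and its
    AuthnContextClassRef maps to a known LoA at or above minimum_loa.

    Assumes the signature was already verified. An unknown or missing class ref is
    treated as level 0, i.e. no step-up, rather than trusted by default.
    """
    root = ET.fromstring(response_xml)
    status_node = root.find("samlp:Status/samlp:StatusCode", NS)
    status = status_node.get("Value") if status_node is not None else None
    if status != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return {"ok": False, "reason": f"non-success status {status!r}", "loa": 0}
    assertion = root.find("saml:Assertion", NS)  # EncryptedAssertion must be decrypted first
    if assertion is None:
        return {"ok": False, "reason": "no plaintext Assertion in Response", "loa": 0}
    class_ref = _text(assertion, "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef")
    level = LOA_LEVELS.get(class_ref, 0)
    if level < minimum_loa:
        return {"ok": False, "reason": f"LoA {class_ref!r} (level {level}) below required {minimum_loa}", "loa": level}
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "ok": True,
        "reason": "ok",
        "loa": level,
        "name_id": _text(assertion, "saml:Subject/saml:NameID"),
        "attributes": attributes,
    }


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, minimum_loa=2))
    print(check_response(SAMPLE_RESPONSE, minimum_loa=3)["reason"])
```

The check is deliberately fail-closed: a Response whose class ref is absent, unrecognised, or lower than the configured minimum is rejected, so a misconfigured SP-IdP combination in SURFconext (step 4) surfaces as a login failure at the SP rather than as a silent single-factor session.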

...