...
- This option is preferred over option B.
- The service can connect to SURFconext with either SAML or OpenID Connect; both will work.
- This integration does not support dynamic LoA requests by the service. If the service wants to use this feature, it needs to connect to SURFsecureID directly (see option B).
- This option works for the production and test environments, not for the pilot environment.
Authentication flow
- The SP sends a SAML 2.0 AuthnRequest or an OpenID Connect authentication request to SURFconext.
- The user chooses the Identity Provider (institution) at which to log in for the 1st factor, and SURFconext sends this IdP a SAML AuthnRequest.
- The user logs in at the IdP, and a SAML Response with the identity and attributes of the user is sent back to SURFconext.
- SURFconext is configured, for this SP or for this SP-IdP combination, to call SURFsecureID with a minimum LoA (>1).
- The SURFsecureID gateway sends the user to the authentication provider for the 2nd factor.
- The 2nd factor authentication provider returns its response to the SURFsecureID gateway.
- The SURFsecureID gateway sends a SAML Response back to SURFconext.
- SURFconext sends a SAML Response containing an Assertion with the attributes and identity of the user to the SP.
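Because the SP cannot request a LoA dynamically in this option, it should at least verify that the assertion it finally receives from SURFconext carries the LoA it was configured to expect. The check below is an added example, not SURF's code; the LoA URIs are placeholders (SURF's real identifiers are not given on this page), the sample responses are constructed, and signature validation is assumed to have been done already by the SP's SAML library.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed LoA identifiers (placeholders, not SURF's real URIs), ranked weak to strong.
LOA_RANK = {
    "urn:example:loa1": 1,  # placeholder: 1st factor only
    "urn:example:loa2": 2,  # placeholder: 1st + 2nd factor
    "urn:example:loa3": 3,  # placeholder: strongest level
}


def asserted_loa(saml_response_xml: str) -> int:
    """Rank of the AuthnContextClassRef in the assertion; 0 if absent or unknown.

    The caller must have verified the XML signature before trusting this value."""
    root = ET.fromstring(saml_response_xml)
    ref = root.find(f".//{{{SAML_NS}}}AuthnContextClassRef")
    if ref is None or not (ref.text or "").strip():
        return 0  # no context at all: treat as weakest, not as "unknown but fine"
    return LOA_RANK.get(ref.text.strip(), 0)  # unknown URI also counts as 0


def meets_minimum_loa(saml_response_xml: str, minimum: int) -> bool:
    """True only if the assertion carries a known LoA at least as strong as `minimum`."""
    return asserted_loa(saml_response_xml) >= minimum


# Constructed sample responses for illustration (not real SURFconext output).
SAMPLE_LOA2 = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:example:loa2</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
</samlp:Response>"""

SAMPLE_NO_CONTEXT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AuthnStatement/></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(meets_minimum_loa(SAMPLE_LOA2, 2))        # True
    print(meets_minimum_loa(SAMPLE_NO_CONTEXT, 2))  # False
```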
...