Page History

...

In the above diagram the authentication flow for SFO is shown. 

1. The service (SP, like ADFS, Citrix, F5 or any other capable system) performs the 1st authentication factor itself, outside of SURFsecureID. This is usually done directly against the IDP of the institution.
2. The user's credentials (usually username/password) are validated by the IDP and the result of the 1st authentication factor is sent back tot he service.
3. The service then starts the 2nd factor authentication by sending the user to the SURFsecureID Authentication gateway (SA-GW) using a SAML authnrequest. There, the user selects his 2nd factor token type and the 2nd factor authentication is started.
4. The user's 2nd factor token is validated.
5. The result is sent back to the SA-GW.
6. If the 2nd factor authentication was successful, the user is sent back to the service with a SAML response indicating the result of the process. The user is now successfully authenticated at the service.

...