...
The SFO uses a different SingleSignOn Location and different AuthnConext identifiers than as the standard authentication.
...
The SURFconext identifier is build built from identifiers that the IdP of the users sends to SURFconext during authentication. It has the following form:
urn:collab:person:{{urn:mace:terena.org:attribute-def:schacHomeOrganization}}:{{urn:mace:dir:attribute-def:uid}}
where:
...
Starting an SFO authentication will immediately start an authentication at the SA gateway. For tiqr this means that a push notification is sent to the phone of the user being authenticated. For SMS authentication this means that an SMS message is sent to the mobile phone of the using user being authenticated. When an authentication is started for the wrong user (deliberately or not) this will derange the targeted user and in case of SMS, incur a cost to the institution and possibly for the user.
...