...
- use the
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirectbinding - be signed using the
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256algorithm (XML signatures cannot be used). - include a
RequestedAuthnContextwith anAuthnContextClassRefwith one of the defined levels. - include the SURFconext identifier of the user in the
Subjectelement as aNameID(withFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",see description ofAuthnRequestin https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, line 2001).
...
urn:collab:person:
= fixed prefix.{{urn:mace:terena.org:attribute-def:schacHomeOrganization}}= value of schacHomeOrganisation attribute of the user; same for all users and will be something like "institution.nl".{{urn:mace:dir:attribute-def:uid}}= value ofuidattribute of the user. Replace any "@" with an "_".
For the value of last two items: ask the administrator of the IdP .
...
You can find the metadata of the SFO endpoints on SURFsecureID Metadata for Service Providers.
Always do a first factor authentication before starting a SFO authentication
...
An example code for using SFO with SimpleSAMLphp can be found at: https://github.com/SURFnet/Stepup-SFO-demo