...
- use the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding;
- be signed using the http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 algorithm (XML signatures cannot be used);
- include a RequestedAuthnContext with an AuthnContextClassRef with one of the defined levels;
- include the SURFconext identifier of the user in the Subject element as a NameID (with Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"; see the description of AuthnRequest in https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, line 2001).
...
- urn:collab:person: = fixed prefix.
- {{urn:mace:terena.org:attribute-def:schacHomeOrganization}} = value of the schacHomeOrganization attribute of the user; the same for all users and will be something like "institution.nl".
- {{urn:mace:dir:attribute-def:uid}} = value of the uid attribute of the user. Replace any "@" with an "_".
For the values of the last two items, ask the administrator of the IdP.
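The two lists above (the AuthnRequest requirements and the make-up of the SURFconext identifier) fit together in one request-building routine. The following is an added example, not code from this page or from SURFnet: it composes the identifier from the prefix, schacHomeOrganization and uid (joining them with ":" and replacing "@" in the uid with "_"), builds the AuthnRequest with the Subject/NameID and RequestedAuthnContext, DEFLATE-and-base64 encodes it for the HTTP-Redirect binding, and produces the query string whose SAMLRequest, RelayState and SigAlg parameters are signed in that fixed order. The SFO endpoint URL and the LoA class reference are placeholders; demo_signer is a stand-in digest used only so the example runs offline, while rsa_sha256_signer shows the real RSA-SHA256 (PKCS#1 v1.5) signer built on the cryptography package. signed_portion shows what the receiving side must reconstruct from the raw query before verifying.

```python
import base64
import datetime
import hashlib
import uuid
import zlib
from urllib.parse import quote
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def surfconext_identifier(schac_home_organization: str, uid: str) -> str:
    """urn:collab:person:<schacHomeOrganization>:<uid>, with '@' in the uid replaced by '_'."""
    return "urn:collab:person:%s:%s" % (schac_home_organization, uid.replace("@", "_"))


def build_authn_request(issuer, destination, name_id, loa_class_ref,
                        request_id=None, issue_instant=None) -> str:
    """Unsigned AuthnRequest XML carrying Subject/NameID and RequestedAuthnContext."""
    if issue_instant is None:
        issue_instant = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id or "_" + uuid.uuid4().hex,  # an xsd:ID must not start with a digit
        "Version": "2.0", "IssueInstant": issue_instant, "Destination": destination})
    ET.SubElement(root, "{%s}Issuer" % SAML).text = issuer
    subject = ET.SubElement(root, "{%s}Subject" % SAML)
    ET.SubElement(subject, "{%s}NameID" % SAML, {"Format": NAMEID_FORMAT}).text = name_id
    rac = ET.SubElement(root, "{%s}RequestedAuthnContext" % SAMLP)
    ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = loa_class_ref
    return ET.tostring(root, encoding="unicode")


def encode_for_redirect(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode("utf-8")) + c.flush()).decode("ascii")


def decode_from_redirect(saml_request: str) -> str:
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def signed_redirect_query(saml_request_b64, relay_state, signer) -> str:
    """Query string per the HTTP-Redirect binding: the signature covers the URL-encoded
    SAMLRequest, RelayState (if present) and SigAlg parameters, in exactly that order."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", SIG_ALG))
    to_sign = "&".join("%s=%s" % (k, quote(v, safe="")) for k, v in parts)
    signature = base64.b64encode(signer(to_sign.encode("ascii"))).decode("ascii")
    return to_sign + "&Signature=" + quote(signature, safe="")


def signed_portion(raw_query: str) -> str:
    """Receiver side: rebuild the signed string from the raw, still URL-encoded query so the
    verifier checks the bytes the sender actually signed, not a re-encoding of them."""
    raw = dict(pair.partition("=")[::2] for pair in raw_query.split("&"))
    return "&".join("%s=%s" % (k, raw[k]) for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw)


def rsa_sha256_signer(private_key_pem: bytes):
    """Real signer for SigAlg rsa-sha256: RSA PKCS#1 v1.5 over SHA-256 (needs 'cryptography')."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def demo_signer(data: bytes) -> bytes:
    """Stand-in for this demo only: a bare SHA-256 digest, NOT a signature."""
    return hashlib.sha256(data).digest()


if __name__ == "__main__":
    # Constructed sample values; the SFO endpoint and the LoA class reference are placeholders.
    name_id = surfconext_identifier("institution.nl", "j.doe@institution.nl")
    xml = build_authn_request("https://sp.example.org/metadata",
                              "https://SFO-ENDPOINT-PLACEHOLDER/sso", name_id, "LOA-CLASSREF-PLACEHOLDER")
    query = signed_redirect_query(encode_for_redirect(xml), "return-to-app", demo_signer)
    print("https://SFO-ENDPOINT-PLACEHOLDER/sso?" + query)
```

The point to take from signed_portion is that the receiver must sign-check the parameter values exactly as they arrived on the wire; re-encoding them (for example after a framework has already URL-decoded the query) changes the bytes and makes a valid signature fail, or, worse, tempts an implementer to skip the check.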
...
You can find the metadata of the SFO endpoints on the page SURFsecureID Metadata for Service Providers.
Always perform a first-factor authentication before starting an SFO authentication.
...
Example code for using SFO with SimpleSAMLphp can be found at: https://github.com/SURFnet/Stepup-SFO-demo