The picture below shows how the SURFconext Strong Authentication gateway, SURFconext, the SPs and the 2nd factors used for strong authentication (SMS, Tiqr and YubiKey) are related.
Please notice that:

  • No technical changes are required to the institutions' IdPs. They still connect to SURFconext.
  • SPs connect to the SURFconext Strong Authentication gateway. No connection with SURFconext or integration with 2nd factor authentication devices is required.

[Figure: relationship between the SURFconext Strong Authentication gateway, SURFconext, SPs and 2nd factors]

SURFconext Strong Authentication authentication flow

The picture below shows the authentication flow of an SP using the SURFconext Strong Authentication gateway.

  1. The SP sends a SAML 2.0 AuthnRequest to the SURFconext Strong Authentication gateway. The SP may use a RequestedAuthnContext to specify the minimal LoA at which the user must be authenticated.
  2. The SURFconext Strong Authentication gateway sends an AuthnRequest to SURFconext. SURFconext takes care of the authentication of the user at their home IdP and applies policies: attribute release, user consent and institutional consent.
  3. The SURFconext Strong Authentication gateway receives a response from SURFconext with the identity and attributes of the user.
  4. The SURFconext Strong Authentication gateway determines whether strong authentication is required and, when required, sends the user to the authentication provider for their 2nd factor.
  5. The response from the 2nd factor authentication provider is returned to the SURFconext Strong Authentication gateway.
  6. The SURFconext Strong Authentication gateway sends a SAML Response with an Assertion containing the identity and attributes of the user to the SP.
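The step-up decision in steps 1 and 4, as an added example that is not part of this page or of the SURFconext software: the gateway reads the SP's RequestedAuthnContext and decides whether the first-factor login obtained via SURFconext is enough or a 2nd factor must be requested. The LoA URIs, the SP entityID and the AuthnRequest itself are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Assumed LoA identifiers (constructed for this example; a real deployment
# publishes its own AuthnContextClassRef URIs). Higher number = stronger.
LOA_BY_CLASSREF = {
    "https://example.org/assurance/loa1": 1,  # home IdP password only
    "https://example.org/assurance/loa2": 2,  # + SMS or Tiqr
    "https://example.org/assurance/loa3": 3,  # + YubiKey
}
LOA_FIRST_FACTOR = 1  # what the SURFconext response in step 3 guarantees

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest as an SP would send it in step 1.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>https://example.org/assurance/loa2</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_loa(authn_request_xml: str) -> int:
    """Return the minimal LoA the SP asked for.

    No RequestedAuthnContext means the SP accepts a first-factor login.
    An unknown class ref raises KeyError instead of silently downgrading.
    """
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return LOA_FIRST_FACTOR
    if rac.get("Comparison", "exact") not in ("exact", "minimum"):
        raise ValueError("unsupported Comparison value")
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    # With "minimum", the weakest listed level is the floor the SP accepts.
    return min(LOA_BY_CLASSREF[r] for r in refs)


def step_up_needed(authn_request_xml: str, current_loa: int = LOA_FIRST_FACTOR):
    """Step 4: (send user to a 2nd factor provider?, LoA that must be reached)."""
    need = requested_loa(authn_request_xml)
    return need > current_loa, need
```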

[Figure: SURFconext Strong Authentication authentication flow]

No changes to the IdP are required. Changes to the SP are minimal.