...
- Adding two factor authentication to an institution's application gateway (e.g. Citrix Netscaler or F5 BIG-IP)
- Adding two factor authentication to an institution's authentication or authorization gateway (e.g. Microsoft ADFS, Novell/NetIQ)
Both SFO authentication and standard authentication use the 2nd factor of the user that is registered with SURFconext SA. This means that once a user is registered with SURFconext SA both services using standard and SFO authentication can be used.
The table below shows the differences between a SURFconext SA standard authentication and a SURFconext SA SFO Authentication.
| Feature | Standard authentication | SFO authenticaton |
|---|---|---|
| Authentication of the user's first factor | Always | Never |
| Authentication of the user's second factor | Based on policy between the IdP and SP | Always |
| User registration | Using SURFconext SA selfservice registration and vetting by an RA | |
| Standard SURFconext features | Attributes, Authorization, persistent identifiers | None |
During SFO Authentication the authentication via SURFconext is bypassed (see image below). This means that SURFconext functionality like attributes (from the user's home IdP), persistent user identifiers or the definition of authorization rules is not available when using SFO authentication. For the self-service registration of users and the vetting by RA the SURFconext SA self-service and RA web interfaces are used, with the first factor authentication provided by SURFconext.
