To start an SFO the SP must send a SAML 2.0 AuthnRequest to the SFO endpoint of the SURFsecureID Gateway. This request MUST:

Note that SFO uses a different SingleSignOn Location and a different AuthnContext identifier than a standard authentication to SURFsecureID. See SURFsecureID Metadata for Service Providers. Below is an example SAML 2.0 SFO AuthnRequest for the production environment:

Example SFO AuthnRequest to the SURFsecureID production environment
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_zQIibz9FKixdlgX8E7bHqE29wfatcgbsPdVn0NN"
    Version="2.0" IssueInstant="2016-03-10T15:09:21Z"
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml:NameID>

Note that the signature is not visible in the XML of the above request: it will be encoded in HTTP GET parameters according to the specification of the HTTP-Redirect binding.
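How the HTTP-Redirect binding carries the signature in GET parameters, as an added example that is not part of the original page or SURFsecureID's own code. The function names, the sample XML and the `gateway.example.org` URL are assumptions made for illustration; the RSA operation itself is left to a crypto library, and the code shows which bytes it has to cover.

```python
import base64
import zlib
from urllib.parse import quote, unquote

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample request; the ID and the Destination URL are placeholders.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-example-id" Version="2.0" '
    'IssueInstant="2016-03-10T15:09:21Z" '
    'Destination="https://gateway.example.org/sfo"/>'
)


def deflate_b64(xml):
    """Raw DEFLATE (no zlib header), then base64, as the binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def signed_query(xml, relay_state=None, sig_alg=RSA_SHA256):
    """Sender side: the query string whose exact bytes the SP key signs."""
    parts = ["SAMLRequest=" + quote(deflate_b64(xml), safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(sig_alg, safe=""))
    return "&".join(parts)  # sign these bytes, then append &Signature=<base64>


def split_received(raw_query):
    """Receiver side: return (xml, signed_bytes, signature) from a raw query.

    The signed bytes are rebuilt from the values exactly as transmitted, in
    the fixed order SAMLRequest, RelayState, SigAlg. Decoding and re-encoding
    the values can change the bytes and make a valid signature fail.
    """
    raw = dict(p.split("=", 1) for p in raw_query.split("&"))
    if "SigAlg" not in raw or "Signature" not in raw:
        raise ValueError("unsigned AuthnRequest")
    order = [k for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw]
    signed = "&".join(f"{k}={raw[k]}" for k in order).encode()
    xml = zlib.decompress(base64.b64decode(unquote(raw["SAMLRequest"])), -15)
    return xml.decode(), signed, base64.b64decode(unquote(raw["Signature"]))
```

The receiver verifies `signature` over `signed_bytes` with the sender's public key and the algorithm named in `SigAlg`, before acting on anything in the decoded XML.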


Example code for using SFO with SimpleSAMLphp can be found at: