Federated authentication means that a user logs in at a different location (an Identity Provider) than the one that hosts the accessed service (a Service Provider). SURFconext sits between those two locations. Each provider has only one trusted connection, namely with SURFconext; this is why the setup is called a hub-and-spoke federation. The connections are 'trusted' because both the Service Provider and the Identity Provider have identified themselves to SURFconext by exchanging metadata. These metadata contain all the information one entity needs to send a message to another (such as endpoint locations, bindings and signing certificates).
SURFconext couples the SP and the IdP according to specific rules.
Note that SURFconext itself does not authenticate users: this is done by the connected Identity Providers.
Authentication process in steps
A detailed description of the authentication flow can be found on the following pages: