Federated authentication means that a user logs in on another location (an Identity Provider) than that of the accessed service (a Service Provider). SURFconext is located between those locations. Each of the providers has only one trusted connection with SURFconext: this is why this is called a hub-and-spoke federation. The connections are 'trusted', because both the Service Provider and the Identity Provider have identified themselves to SURFconext.
Read on to find out more about the authentication flow when using SURFconext. Your service will either use SAML or OpenID Connect when you connect with SURFconext. These are both standards for exchanging authentication and authorization data between parties, in our case identity providers and service providers.
...