Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • use the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding
  • be signed using the http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 algorithm (XML signatures cannot be used).
  • include a RequestedAuthnContext with an AuthnContextClassRef with one of the defined levels.
  • include the SURFconext identifier of the user in the Subject element as a NameID (with Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", see description of AuthnRequest in https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, line 2001).

...

  • urn:collab:person:
    = fixed prefix.
  • {{urn:mace:terena.org:attribute-def:schacHomeOrganization}}
    = value of schacHomeOrganisation attribute of the user; same for all users and will be something like "institution.nl".
  • {{urn:mace:dir:attribute-def:uid}}
    = value of uid attribute of the user.  Replace any "@" with an "_".

For the value of last two items: ask the administrator of the IdP .

...

You can find the metadata of the SFO endpoints on SURFsecureID Metadata for Service Providers.

Always do a first factor authentication before starting a SFO authentication

...

An example code for using SFO with SimpleSAMLphp can be found at: https://github.com/SURFnet/Stepup-SFO-demo