
  • use the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding
  • be signed using the algorithm (XML signatures cannot be used).
  • include a RequestedAuthnContext with an AuthnContextClassRef with one of the defined levels.
  • include the SURFconext identifier of the user in the Subject element as a NameID (with Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", see description of AuthnRequest in, line 2001).


  • urn:collab:person: = fixed prefix.
  • {{}} = value of the schacHomeOrganisation attribute of the user; this is the same for all users and will be something like "".
  • {{urn:mace:dir:attribute-def:uid}} = value of the uid attribute of the user. Replace any "@" with an "_".

For the value of the last two items, ask the administrator of the IdP.
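As an added example (not code from this page or from SimpleSAMLphp), the Python below builds the NameID value described above, wraps it in an AuthnRequest body carrying the Subject and RequestedAuthnContext listed earlier, and checks an incoming request body against those requirements. The level URI, issuer, request ID and timestamp are assumed placeholders, and the query-string signature of the HTTP-Redirect binding is outside the XML shown here.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NS = {"saml": SAML, "samlp": SAMLP}
COLLAB_RE = re.compile(r"^urn:collab:person:[^:]+:[^@]+$")


def sfo_name_id(schac_home_organisation: str, uid: str) -> str:
    """urn:collab:person:<schacHomeOrganisation>:<uid>, every '@' in uid replaced by '_'."""
    if not schac_home_organisation or not uid:
        raise ValueError("schacHomeOrganisation and uid are both required")
    return f"urn:collab:person:{schac_home_organisation}:{uid.replace('@', '_')}"


def build_authn_request(request_id, issue_instant, issuer, name_id, loa_class_ref):
    """Unsigned AuthnRequest body with Subject/NameID and RequestedAuthnContext.
    loa_class_ref is the level URI SURFsecureID defines (not stated on this page,
    so it is a parameter). The HTTP-Redirect signature is applied to the query string."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(req, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", {"Format": NAMEID_FORMAT}).text = name_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext")
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = loa_class_ref
    return ET.tostring(req, encoding="unicode")


def check_sfo_request(xml_text: str) -> list:
    """Return the requirements from this page that the request body fails (empty = OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no Subject/NameID")
    else:
        if name_id.get("Format") != NAMEID_FORMAT:
            problems.append("NameID Format is not nameid-format:unspecified")
        if not COLLAB_RE.match(name_id.text or ""):
            problems.append("NameID is not a urn:collab:person: identifier")
    if root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS) is None:
        problems.append("no RequestedAuthnContext/AuthnContextClassRef")
    return problems
```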


You can find the metadata of the SFO endpoints on SURFsecureID Metadata for Service Providers.

Always do a first-factor authentication before starting an SFO authentication.


Example code for using SFO with SimpleSAMLphp can be found at: