Federated authentication means that the user logs in at a location other than that of the accessed service. SURFconext sits between those two locations, the Service Provider (SP) and the Identity Provider (IdP). Each provider has a single trusted connection with SURFconext, and SURFconext couples an SP to an IdP according to specific rules. This model is called a hub-and-spoke federation.
Authentication is implemented with the SAML 2.0 standard, specifically its Web Browser SSO profile.
Both the Service Provider and the Identity Provider have trust connections with SURFconext, meaning that they have identified themselves to SURFconext. This was done by exchanging metadata, which contains all the information one entity needs to send a message to another (endpoint locations, bindings, signing certificates, etc.).
Authentication process in steps
- A user accesses a Service Provider and is required to log in. The Service Provider redirects the user to SURFconext with a SAML 2.0 authentication request.
- SURFconext needs to determine where to send the user for authentication. This is done by showing the user a "Where Are You From?" (WAYF) page.
- The WAYF page shows the Identity Providers that have access to the service. The user chooses the institution that is his Identity Provider. After that he is redirected to his Identity Provider with a SAML 2.0 authentication request.
- The Identity Provider must authenticate the user. Usually the user is asked to enter his credentials. After validating these, the Identity Provider redirects the user back to SURFconext with a SAML 2.0 response message saying the user authenticated and containing the user's attributes.
- SURFconext validates the response message from the Identity Provider. If valid, SURFconext carries out a number of alterations, for example rewriting the user's identifier and adding or modifying user's attributes. According to the service's configured attribute release policy (ARP), SURFconext determines the attributes that are allowed through to the Service Provider. Finally the user is redirected to the Service Provider with a SAML 2.0 response message.
- The Service Provider validates the response message from SURFconext. If valid, the Service Provider can extract the necessary information and allow the user to access the service's secured content.
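The steps above, modelled end to end in an added example (this is illustration code, not SURFconext's own implementation): an SP builds the AuthnRequest of step 1, and the hub performs the checks of step 5 on the IdP's Response (Destination, InResponseTo against an outstanding request, status, trusted issuer, validity window, audience), rewrites the identifier into an SP-specific pairwise value, and applies the SP's attribute release policy before anything goes to the SP. All entity IDs, URLs, the ARP table and the sample Response are constructed; the pairwise-identifier scheme is an assumption for illustration. XML signature verification is deliberately out of scope here and must be done by a real hub or SP before any of these checks are trusted.

```python
import hashlib
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed federation configuration (hypothetical entity IDs and endpoints).
HUB_ENTITY_ID = "https://hub.example.org/saml/metadata"
HUB_ACS_URL = "https://hub.example.org/saml/acs"
IDP_ENTITY_ID = "https://idp.university.example/saml/metadata"
TRUSTED_IDPS = {IDP_ENTITY_ID}
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
# Attribute release policy per SP: only these attribute names pass through.
ARP = {SP_ENTITY_ID: {"mail", "eduPersonAffiliation"}}


def build_authn_request(issuer, acs_url, destination, now):
    """Step 1: the SP's AuthnRequest. Returns (request_id, xml_string)."""
    request_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": now.strftime(FMT),
        "Destination": destination, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = issuer
    return request_id, ET.tostring(root, encoding="unicode")


def validate_response(xml_text, outstanding_ids, expected_destination,
                      expected_audience, trusted_issuers, now):
    """Step 5 checks (signature excluded). Returns (issuer, name_id, attributes)."""
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if resp.get("Destination") != expected_destination:
        raise ValueError("Destination does not match our ACS endpoint")
    if resp.get("InResponseTo") not in outstanding_ids:
        raise ValueError("unsolicited or replayed response")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer}")
    cond = assertion.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if now < not_before or now >= not_on_or_after:
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this hub")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return issuer, name_id, attrs


def rewrite_identifier(idp, name_id, sp):
    """Illustrative pairwise identifier: stable per (IdP, user, SP), unlinkable across SPs."""
    return hashlib.sha256(f"{idp}|{name_id}|{sp}".encode()).hexdigest()


def apply_arp(sp, attrs):
    """Release only the attributes the SP's ARP allows."""
    return {k: v for k, v in attrs.items() if k in ARP.get(sp, set())}


SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="{now}" Destination="{dest}" InResponseTo="{req}">
  <saml:Issuer>{idp}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now}">
    <saml:Issuer>{idp}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@university.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{hub}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@university.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="homePhone"><saml:AttributeValue>000-0000</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def sample_response(request_id, now):
    """Constructed IdP response (step 4) valid from now-1min to now+5min."""
    return SAMPLE_RESPONSE.format(
        now=now.strftime(FMT), dest=HUB_ACS_URL, req=request_id, idp=IDP_ENTITY_ID,
        hub=HUB_ENTITY_ID, nb=(now - timedelta(minutes=1)).strftime(FMT),
        na=(now + timedelta(minutes=5)).strftime(FMT))


def hub_flow(sp=SP_ENTITY_ID, clock_skew=timedelta(0)):
    """Run steps 1, 4 and 5; returns what the hub would forward to the SP."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    req_id, _ = build_authn_request(HUB_ENTITY_ID, HUB_ACS_URL, "https://idp.university.example/sso", now)
    xml = sample_response(req_id, now)
    idp, name_id, attrs = validate_response(xml, {req_id}, HUB_ACS_URL, HUB_ENTITY_ID,
                                            TRUSTED_IDPS, now + clock_skew)
    return rewrite_identifier(idp, name_id, sp), apply_arp(sp, attrs)


def accepts(**kwargs):
    """True if hub_flow succeeds, False if a validation check rejects the response."""
    try:
        hub_flow(**kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(hub_flow())
```

Run as a script it prints the pairwise identifier and the released attributes for the sample user; note that `homePhone`, present in the IdP's assertion, never reaches the SP because it is not in the ARP, and that the same user yields a different identifier for every SP.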