
Can I test my (test)service on a permanent basis?

  • In the Test environment a DIY/test IdP is available for testing. Register your service with the SP registration form. Note that the metadata for the Test environment is different from the metadata for the Production environment.
  • In the Production environment you can login with Onegini into your application for testing. [Refer to Using Onegini as IdP for testing SPs.]

How can I facilitate guest access for my service?

With Onegini.

Does SURFconext support provisioning?

No, if your service needs provisioning, you must arrange this yourself.

Does SURFconext support Single Logout?

No.

How does SURFconext support rich clients and mobile applications?

Whether a rich client supports federated login with one of the standards used by SURFconext (e.g. SAML or OIDC) depends on the developer of that rich client. The support must be built into the rich client and often also on the server of the service. SURFconext cannot make the rich client compatible. SURFconext can advise institutions about services that have rich clients associated with them. We can also pressure vendors to support federations in their designs.

More information.

My metadata has changed. What should I do?

Inform SURFconext and provide us with the new metadata before you upload it to the Production environment. If you inform us in time, there will be no downtime for the users.

Can I use SURFconext to login with a social ID (Facebook, Google, etc.)?

Yes, with Onegini.

Which attributes can SURFconext supply to my service?

SURFconext operates with a minimal disclosure principle: only the absolute necessary (personal) information is transferred to a service. When you request a connection to the Production environment, you must specify the attributes needed. We will review your request and configure an Attribute Release Policy accordingly.

What do 'single-tenant' and 'multi-tenant' mean?

See Use of single-tenant and multi-tenant services in SURFconext.

Can I implement my own discovery screen?

Yes.

Is there a way for my users to authenticate and not use Single Logon?

Yes. You can force users to authenticate each time they log in: set ForceAuthn to true in the authentication request, which disables single sign-on for that request. Any session the user already has with SURFconext is then ignored.
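As an added example (not code from the SURFconext wiki), the SAML 2.0 AuthnRequest an SP would send with ForceAuthn set, plus a check of whether a given request asks for a fresh login; the issuer, ACS URL and destination are placeholder assumptions.

```python
# Added example (not from the SURFconext wiki): build a SAML 2.0 AuthnRequest
# that disables single sign-on for this login by setting ForceAuthn="true".
# Issuer, ACS URL and destination are constructed placeholder values.
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, destination, force_authn=False):
    """Return an AuthnRequest as an XML string. With force_authn=True the IdP
    must re-authenticate the user even if a SURFconext session already exists."""
    now = datetime.datetime.now(datetime.timezone.utc)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        # ForceAuthn is an attribute of the request element itself.
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def requests_fresh_login(authn_request_xml):
    """True when the request carries ForceAuthn="true" (SAML booleans may be
    'true' or '1'); an absent or 'false' value lets the IdP reuse a session."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").lower() in ("true", "1")
```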

Can I add my own branding to the SURFconext discovery screen?

Yes, you can create your own WAYF selection page.

Why doesn't my service get attribute X?

Generally it is because the IdP did not release the required attribute. SURFconext operates with a minimal disclosure principle: only the absolute necessary (personal) information is transferred to a service.

Can I get statistics about the number of users who log in to my service?

You can keep these statistics yourself based on your own logging.

Can I offer my service to foreign universities via SURFconext?

Yes, via eduGAIN, which makes services connected to SURFconext available to foreign universities. However, the technical implementation differs from 'normal' connections. Contact support@surfconext.nl for more information.

How can I use groups provided by SURFconext?

SURFconext Teams offers an easy way to manage collaborative groups. The groups are organised centrally and can be used with cloud services. A group can be set up so that only the members of that group have access to restricted data on a particular cloud service. More information: VOOT description.

Does SURFconext support authorization?

SURFconext offers only limited support for authorization, mainly in the context of VOs (i.e., limiting access to a specific SP based on group membership). It is strongly recommended to implement your own authorization component in your application.

SURFconext can supply attributes that can be used for authorization, e.g. the user's home institution, affiliation (student, faculty, etc.) and group memberships. SURFconext can also pass on custom entitlements from an IdP to an SP.

Does SURFconext support other authentication protocols like OpenID Connect or Facebook Connect?

Currently only SAML2 and OAuth 2 are supported. In the future other protocols will also be supported.

How do I relay a student or employee number to my SP?

With the schacPersonalUniqueCode attribute. Note that only a very limited number of IdPs provide this attribute. If you want to use or provide this attribute, contact support@surfconext.nl.

Why is my SP being removed from SURFconext?

We check regularly if an SP is still being used. If no logins are recorded during some time (see below), we will remove the connection. Before doing so, we will notify the SP.

Currently, the timeout periods are defined as follows:

                          timeout      grace period
Test connections          1 year       14 days
Production connections    unlimited    n/a

Test connections must receive at least 1 login within the first 6 months; otherwise they will be removed.

SAML

Which attribute should I use to identify SURFconext users in my application?

NameID. It is always present in the SAML assertion. Because it is not an attribute, it is not subject to the Attribute Release Policy.

Does SURFconext support ASelect/OpenASelect?

Because ASelect does not support SAML 2.0, it is not compatible with SURFconext. OpenASelect, an open-source version of ASelect, does support SAML 2.0; if you wish, you can upgrade your system.

How do I transmit a custom (non-standard) attribute from an IdP to an SP?

Use the eduPersonEntitlement attribute:

(urn:mace:dir:attribute-def:eduPersonEntitlement / urn:oid:1.3.6.1.4.1.5923.1.1.1.7)

To scope the entitlement values, we include the SP's principal domain in the value.

The SP "bookkeeper.example.org" needs the "FinanceRole" attribute, with possible values "user", "manager" and "administrator". In SURFconext, this can be passed on in an eduPersonEntitlement:

urn:mace:dir:attribute-def:eduPersonEntitlement = urn:x-surf.nl:example.org:FinanceRole:manager
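As an added example (not code from the SURFconext wiki), how an SP can read the NameID that identifies the user and pick out the eduPersonEntitlement values scoped to its own principal domain, ignoring values scoped to other domains. The assertion is a constructed sample, and "example.org" is taken as the SP's principal domain as in the value above.

```python
# Added example (not from the SURFconext wiki): read the NameID and the scoped
# eduPersonEntitlement values out of a SAML assertion, accepting only values
# scoped to this SP's own principal domain.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITLEMENT_NAMES = {
    "urn:mace:dir:attribute-def:eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
}
SCOPE_PREFIX = "urn:x-surf.nl:"

# Constructed sample assertion (signature, conditions and other attributes omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>urn:collab:person:example.edu:jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonEntitlement">
      <saml:AttributeValue>urn:x-surf.nl:example.org:FinanceRole:manager</saml:AttributeValue>
      <saml:AttributeValue>urn:x-surf.nl:other.example:FinanceRole:administrator</saml:AttributeValue>
      <saml:AttributeValue>urn:mace:example.org:some-unscoped-entitlement</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def name_id(assertion_xml):
    """NameID is always present in the assertion and is the stable key for the user."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    return node.text.strip() if node is not None and node.text else None


def scoped_entitlements(assertion_xml, sp_domain):
    """Return {attribute: value} for entitlements shaped like
    urn:x-surf.nl:<sp_domain>:<attribute>:<value>. Values scoped to another
    domain, or not in this form, are ignored rather than trusted."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") not in ENTITLEMENT_NAMES:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            if not text.startswith(SCOPE_PREFIX):
                continue
            parts = text[len(SCOPE_PREFIX):].split(":", 2)
            if len(parts) != 3 or parts[0] != sp_domain:
                continue
            found[parts[1]] = parts[2]
    return found
```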

