Can I test my (test)service on a permanent basis?
In the Test environment DIY/test IdP is available for testing. Register your service with the SP registration form. Note that the metadata for the Test environment is different from the Production environment.
In the Production environment you can login with Onegini IdP into your application for testing. [Refer to Using Onegini as IdP for testing SPs.]
How does SURFconext guarantee my privacy?
- All data are encrypted before sent. SURFconext also makes clear agreements with all participants ('Privacy Best Practice') that data will only be used for the agreed purpose.
- Users are informed about the use of their personal data when they are approached by a service through SURFconext.
- The storage of personal data is bound by a maximum period.
- Participants of SURFconext are required to take security measures to prevent abuse of personal data.
More information: Contracten en Privacy (dutch).
How can I facilitate guest access for my service?
With Onegini.
Does SURFconext support provisioning?
No, if your service needs provisioning, you must arrange this yourself.
Does SURFconext support Single Logout?
No.
How does SURFconext support rich clients and mobile applications?
Whether a rich client supports federated login with SAML depends on the developer of that rich client. The support must be built into the rich client and often also on the server of the service. SURFconext cannot make the rich client compatible. SURFconext can advise institutions about services that have rich clients associated with them. We can also pressure vendors to support federations in their designs.
More information: SURFconext and rich clients
My metadata has changed. What should I do?
Inform SURFconext and provide us with the new metadata, before you upload it to the Production environment. If you inform us, there will be no downtime for the users.
Can I use SURFconext to login with a social ID (Facebook, Google, etc.)?
Yes, with Onegini.
Which attributes can SURFconext supply to my service?
SURFconext operates with a minimal disclosure principle: only the absolute necessary (personal) information is transferred to a service. When you request a connection to the Production environment, you must specify the attributes needed. We will review your request and configure an Attribute Release Policy accordingly.
Which attribute should I use to uniquely identify SURFconext users in my application?
NameID. It is always present in the SAML assertion. Because it is not an attribute, it is not subject to the Attribute Release Policy). Service Providers should use the NameID to identify users instead of Email address or other attributes that might change over time.
Does SURFconext support Shibboleth 1.3?
No, you need Shibboleth 2.0 or higher.
What do 'single-tenant' and 'multi-tenant' mean?
See Use of single-tenant and multi-tenant services in SURFconext.
Can I implement my own discovery screen?
Yes.
Does SURFconext support ASelect/OpenASelect?
Because ASelect does not support SAML 2.0 it is not compatible with SURFconext. OpenAselect, an open source version of ASelect, does support SAML 2.0. If desired you can upgrade your system.
Is there a way for my users to authenticate and not use Single Logon?
Yes. A Service Provider can force users to authenticate when they log in. By setting ForceAuthn to true, single sign-on is disabled (default value is false). If the user had a previously established session with SURFconext, that will be ignored. The user must authenticate again.
Can I add my own branding to the SURFconext discovery screen?
Yes, you can create your own WAYF selection page.
Why doesn't my services get attribute X?
Generally it is because the IdP did not release the required attribute. SURFconext operates with a minimal disclosure principle: only the absolute necessary (personal) information is transferred to a service.
Can I get statistics about the number of users who log in to my service?
No.
What is a virtual IdP vIdP or Virtual Organisation IdP?
A vIdP is an Identity Provider (IdP) provided by the OpenConext platform. It consists of:
- a group of users (as defined in either OpenConext Teams+Grouper, or at an External Group Provider);
- a group of IdPs;
- a combination of the above.
A concrete example is in grid computing (see the Wikipedia article on VOs) where a VO may be a group of researchers from different institutions whose access to a supercomputer or data from the CERN supercollider is their only commonality. Their institutions may not be part of a common federation.
What is a Virtual Organization or a Collaborative Organization?
A Collaborative Organization (or Virtual Organization) is an organization which does run its own IdP, but rather depends on other institutions to deliver identity information for its users. Typical examples are research collaboration such as CLARIN or ELIXER, in which users from different universities collaborate on a common topic. In such a case, the Collaborative Organization offers (computing) facilities, which need to be accessible to ll its researchers, even though they log in using the identity and IdP of their home university.
SURFconext offers some support for such collaborative organizations, typically by using a virtual IdP (see above) to combine individual users from multiple IdPs in a single "virtual" IdP that is visible to the SP.
Can I offer my service to foreign universities via SURFconext?
Yes. SURFconext is connected to the EduGAIN service. EduGAIN makes it possible for services connected to SURFconext to be made available for foreign universities. The technical implementation differs from a connection to the SURFconext hub with Dutch institution. Services who want to connect to foreign universities should make separate connections to non-Dutch IdP's (mesh). Please contact the SURFconext Team for more information (support@surfconext.nl)
What is the difference between SURFfederatie and SURFconext?
SURFfederatie is a platform which educational and research institutions can use for access to various (cloud based) services. SURFconext expands the functionalities of SURFfederatie and makes various features like online collaboration, single sign on and group management more easy. As of the 1st of January 2014, SURFfederatie will no longer be available.
How can I use groups provided by SURFconext?
SURFconext Teams provides students, researchers and staff at institutions with an easy way to manage collaborative groups. The management of groups is organised centrally and the groups can be used with various cloud services. For instance, a group can be set up for members of a research team so that only team members are given access to restricted data within a particular cloud service. More information on how to use groups can be found on this article: VOOT definition.
Does SURFconext support authorization?
SURFconext is mainly a platform for authenticatin, but offers limited support for authorization, mainly in the context of VOs (i.e., limiting access to a specific SP based on group membership). However, we strongly recommend you to implement an autorization component in your own application.
SURFconext can apply a number of attributes which can be used to base authorization decisions upon, such as the user's home institution, his affiliation (student, faculty, etc), and group memberships. In addition, SURFconext can pass on custom entitlements from an IdP to an SP.
Does SURFconext support other authentication protocols like OpenID Connect or Facebook Connect?
Currently only SAML2 and OAuth 2 are supported. In the (near) future we will also support other protocols like OpenID.
How do I relay a student or employee number from my IdP to an SP?
Since februari 2015, SURFconext supports the schacPersonalUniqueCode attribute to relay institution-specific student and employee numbers to SPs. Please note that at this time, only a very limited number of IdPs are providing this attribute. If you are running an SP and would like to use this attribute, or is you are running an IdP and would like to provide it, please contact support@surfconext.nl.
How do I transmit non-standard attributes from an IdP to an SP?
If an IdP needs to send a custom attribute (not in the standard list) to the SP, the eduPersonEntitlement attribute can be used:
(urn:mace:dir:attribute-def:eduPersonEntitlement / urn:oid:1.3.6.1.4.1.5923.1.1.1.7)
To scope the entitlement values, we include the SP's principle domain in the value.
Why is my SP being removed from SURFconext?
We check regularly if an SP is still being used. If no logins are recorded during some time (see below), we will remove the connection. Before doing so, we will notify the SP.
Currently, the timeout periods are defined as follows:
timeout | grace period | |
|---|---|---|
| Test connections | 1 year | 14 days |
| Production connections | unlimited | n/a |
Test connections must receive minimum 1 login within the first 6 months. Otherwise they will be removed.