After your service has been connected successfully to production, a few things have to be done before users are able to log in to your service:
- Institutions have to couple with your service: Key users (SURFconextverantwoordelijke) at the institutions are able to enable the service for the institution. We can ask our contact person at the institution to activate the connection for your service.
Fine-grained access to your service
When an IdP has been coupled with your service, typically all users at the institution are able to log in. The authorisation options are described below.
Normally attributes are negotiated during the connection process.
With attributes, it's possible to restrict access to your service. For example, with the attribute 'Affiliation' you can give access only to students. If you want to restrict access to a certain faculty, you can use the scoped affiliation attribute.
Alternatively, you can pre-provision the legitimate users of your service, and refuse the rest. You then must find a way to map the user information you own to the information you receive from SURFconext.
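As an added example (not code from SURFconext or from this page), the attribute checks and the pre-provisioning option described above could be enforced on the SP side as follows. The attribute URNs, the faculty-style scope `science.example.org`, the `user_id` value and all function names are assumptions; how an institution encodes a faculty in the scope differs per IdP.

```python
# Added example; attribute names, scopes and identifiers are assumptions.
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
SCOPED_AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"

# Constructed sample of attributes as an SP might receive them after login.
SAMPLE = {
    AFFILIATION: ["member", "student"],
    SCOPED_AFFILIATION: ["student@science.example.org"],
}


def _values(attributes, name):
    """Attributes are multi-valued; a missing attribute yields no values."""
    value = attributes.get(name, [])
    return [value] if isinstance(value, str) else list(value)


def has_affiliation(attributes, wanted):
    released = {v.strip().lower() for v in _values(attributes, AFFILIATION)}
    return wanted.lower() in released


def has_scoped_affiliation(attributes, wanted, scope):
    """Match 'wanted@scope' exactly; a suffix test on the scope would also
    accept unrelated domains that merely end in the same string."""
    target = (wanted.lower(), scope.lower())
    for value in _values(attributes, SCOPED_AFFILIATION):
        affiliation, sep, value_scope = value.strip().lower().partition("@")
        if sep and (affiliation, value_scope) == target:
            return True
    return False


def is_authorised(attributes, user_id, affiliation=None, scope=None, provisioned=None):
    """Deny by default; every configured rule must pass."""
    if provisioned is not None and user_id not in provisioned:
        return False  # pre-provisioning: unknown users are refused
    if scope and not affiliation:
        return False  # a scope without an affiliation is a misconfiguration
    if affiliation and scope:
        return has_scoped_affiliation(attributes, affiliation, scope)
    if affiliation:
        return has_affiliation(attributes, affiliation)
    return provisioned is not None  # no rule configured at all: refuse
```

A missing or empty attribute never grants access here, so a change in attribute release at the IdP results in refused logins rather than unintended ones.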
SURFconext Authorisation Rules
IdPs also have the possibility to restrict access to a service. With SURFconext Authorisation Rules, Key users at the institutions can restrict which users or user groups have access to the service. This functionality is not available to Service Providers.
Explain the concept that both parties (IdP and SP) have to open things up before users actually get access to your service
Attributes can be used to specify access