
SPs do not have the means to test their connection to our Strong Authentication Gateway in production using one of the regular IdPs' accounts. Therefore they can use the Onegini IdP for this purpose. Because of the different status of Onegini as an IdP (anyone is able to create a Onegini account), SURFnet adheres to a strict policy for using Onegini for strong authentication.

Policy

  • A SURFnet SRAA will do the vetting of an SP contact, but only when the SP contact is physically present with his or her token, activation code and ID. Workarounds with vetting via Skype or mail are explicitly not allowed for production (unlike the pilot and test environments).
  • Remember: when the SP contact loses his or her token, the user must register a new token and start the activation process, including ID vetting by SURFnet, all over again.
  • Onegini accounts are not allowed to have RA(A) rights.
  • The Onegini IdP is aimed at SPs. SURFnet offers 'best effort support' only.
  • The SP must allow Onegini as an IdP for its service, and is responsible for its own additional authorisation rules (if applicable).

Registration procedure for using the Onegini IdP for strong authentication (production)

Developers who want to test how their SP works in combination with the SURFconext Strong Authentication Gateway production environment must follow this procedure:

  1. If you do not have one already: register a Onegini account.
  2. Make sure you complete Onegini's verification process for your mail address, as a verified mail address is required for registering a strong authentication token.
  3. Go to https://sa.surfconext.nl and log in with your Onegini account.
  4. Request a second factor authentication token (choose SMS, tiqr or YubiKey) and complete the self-registration process until you reach step 4 "Activation code".
  5. Contact us via support@surfconext.nl to schedule an appointment for the completion of the registration process. This will take 5 minutes at most and can only be done face-to-face.
  6. During this appointment: make sure you have your activation code, your second factor authentication token (SMS, tiqr or YubiKey) and your ID ready.
  7. One of the authorised SURFnet employees will then verify that you are in possession of the registered second factor authentication token (SMS, tiqr or YubiKey) that is associated with the activation code, will verify your identity and will activate your token.
  8. You can now log in to your own SP using your activated second factor authentication token (SMS, tiqr or YubiKey). Congratulations!

The registration procedure for the pilot environment is described at "How to test your SP-connection on the Pilot-environment using the Onegini IDP".

Note

Onegini now shows up as an IdP for the SA portal (sa.surfconext.nl) in the WAYF (the list of IdPs to choose from when logging in with the first factor).
