
The picture below shows how the SURFconext Strong Authentication gateway, SURFconext, SPs and 2nd factors used for strong authentication (SMS, Tiqr and YubiKey) are related.

Please note that:

  • No technical changes are required for IdPs: they keep their existing connection to SURFconext.
  • SPs that require strong authentication connect to the SURFconext Strong Authentication gateway instead. Such an SP needs no direct connection to SURFconext and no integration with the 2nd factor devices (SMS, Tiqr, YubiKey); the gateway handles both.

SURFconext Strong Authentication authentication flow

The picture below shows the authentication flow of an SP using the SURFconext Strong Authentication gateway.

  1. The SP sends a SAML 2.0 AuthnRequest to the SURFconext Strong Authentication gateway (SA-GW). The SP may include a RequestedAuthnContext to specify the minimal LoA at which the user must be authenticated.
  2. The SA-GW sends a SAML AuthnRequest to SURFconext (IdP1). SURFconext takes care of the authentication of the user at their home IdP (not shown) and applies its policies: attribute release, user consent and institutional consent.
  3. The SA-GW receives a SAML Response from SURFconext (IdP1) with the identity and attributes of the user.
  4. The SA-GW determines whether strong authentication is required and, if so, sends the user to the 2nd factor authentication provider (IdP2).
  5. The response from the 2nd factor authentication provider (IdP2) is returned to the SA-GW.
  6. The SA-GW sends a SAML Response containing an Assertion with the identity and attributes of the user to the SP.

Note that only steps 1 and 6 are visible to the SP. Together they form a standard SAML interaction: a SAML AuthnRequest followed by a SAML Response. The SP should nevertheless check the AuthnContextClassRef in the returned Assertion against the LoA it requested, because that value is the SP's only evidence that the 2nd factor was actually used.
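The following is an added example of the SP side of steps 1 and 6, written for this page and not part of SURFconext's or the gateway's own code. It builds an AuthnRequest with a RequestedAuthnContext (Comparison="minimum") and then checks a constructed, unsigned SAML Response for the LoA the gateway actually asserted. The entity IDs, endpoint URLs and LoA URIs (`urn:example:loa1` to `loa3`) are placeholders, not the real SURFconext values. Signature, audience, validity-window and replay checks are assumed to have been done by the SP's SAML library before this logic runs.

```python
"""Added example (not SURFconext code): SP side of steps 1 and 6 of the flow.

Assumptions: placeholder entity IDs/URLs/LoA URIs; the SAML library has
already verified the Response/Assertion signature, Conditions and replay.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed LoA ordering, lowest to highest. Placeholder URIs, not SURFconext's.
LOA_ORDER = ["urn:example:loa1", "urn:example:loa2", "urn:example:loa3"]

SP_ENTITY_ID = "https://sp.example.org/saml/metadata"        # placeholder
SP_ACS_URL = "https://sp.example.org/saml/acs"               # placeholder
SA_GW_ENTITY_ID = "https://sa-gw.example.org/saml/metadata"  # placeholder
SA_GW_SSO_URL = "https://sa-gw.example.org/saml/sso"         # placeholder


def build_authn_request(min_loa: str, request_id: Optional[str] = None) -> str:
    """Step 1: AuthnRequest to the SA-GW asking for at least `min_loa`.

    Comparison="minimum" tells the gateway that any context at or above
    min_loa in its ordering is acceptable.
    """
    if min_loa not in LOA_ORDER:
        raise ValueError(f"unknown LoA {min_loa!r}")
    request_id = request_id or "_" + uuid.uuid4().hex
    samlp, saml = "{%s}" % NS["samlp"], "{%s}" % NS["saml"]
    req = ET.Element(samlp + "AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": SA_GW_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
    })
    ET.SubElement(req, saml + "Issuer").text = SP_ENTITY_ID
    rac = ET.SubElement(req, samlp + "RequestedAuthnContext", {"Comparison": "minimum"})
    ET.SubElement(rac, saml + "AuthnContextClassRef").text = min_loa
    return ET.tostring(req, encoding="unicode")


def check_response(response_xml: str, expected_request_id: str, min_loa: str) -> dict:
    """Step 6: confirm the Response answers our request at a sufficient LoA.

    Returns the subject NameID and asserted LoA; raises ValueError otherwise.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # Must answer *our* AuthnRequest, come from the gateway, and be successful.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our request ID")
    if root.findtext("saml:Issuer", namespaces=NS) != SA_GW_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("authentication was not successful")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    loa = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if loa not in LOA_ORDER:
        raise ValueError(f"unknown AuthnContextClassRef {loa!r}")
    # Do not assume the gateway honoured RequestedAuthnContext: compare ranks.
    if LOA_ORDER.index(loa) < LOA_ORDER.index(min_loa):
        raise ValueError(f"asserted {loa} is below required {min_loa}")
    return {"name_id": name_id, "loa": loa}


def sample_response(request_id: str, loa: str) -> str:
    """Constructed stand-in for the gateway's step-6 Response (unsigned)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" InResponseTo="{request_id}">
  <saml:Issuer>{SA_GW_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{SA_GW_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>urn:collab:person:example.org:jdoe</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{loa}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    req = build_authn_request("urn:example:loa2")
    rid = ET.fromstring(req).get("ID")
    print(check_response(sample_response(rid, "urn:example:loa3"), rid, "urn:example:loa2"))
```

The rank comparison in `check_response` is the point: an SP that merely trusts the gateway to honour its RequestedAuthnContext has no defence against a misconfiguration that returns a first-factor-only assertion, whereas comparing the asserted AuthnContextClassRef against the requested minimum makes the 2nd factor requirement enforceable at the SP.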
