Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Second Factor Only (SFO) Authentication is an alternate SAML authentication endpoint that is offered by the SURFconext strong authentication (SA) gateway. The SFO endpoint allows a Service Provider (SP) to authenticate only the second factor of a user. This in contrast to a "standard" authentication at the SA gateway where authentication of the first factor, being the normal authentication of the user to the IdP of their home institution through SURFconext, is always performed.

SFO Authentication was designed to facilitate the integration of SURFconext SA with the internal services of an institution (i.e. the institution offering services to their own users). Typical applications include:

  • Adding two factor authentication to an institution's application gateway (e.g. Citrix Netscaler or F5 BIG-IP)
  • Adding two factor authentication to an institution's authentication or authorization gateway (e.g. Microsoft ADFS, Novell/NetIQ)

The table below shows the differences between a SURFconext SA standard authentication and a SURFconext SA SFO Authentication.

FeatureStandard authenticationSFO authenticaton
Authentication of the user's first factorAlwaysNever
Authentication of the user's second factorBased on policy between the IdP and SPAlways
Standard SURFconext featuresAttributes, Authorization, persistent identifiersNone

During SFO Authentication the authentication via SURFconext is bypassed. This means that SURFconext functionality like attributes (from the user's home IdP), persistent user identifiers or the definition of authorization rules is not available when using SFO authentication.

  • No labels