Production environment
The SAML 2.0 metadata for the SURFconext Strong Authentication gateway production environment can be found at:
https://sa-gw.surfconext.nl/authentication/metadata
The Onegini IdP may be used for testing by SPs without a regular institution account. Refer to Using Onegini as IdP for testing SPs.
Most SPs will want to test their connection first and will therefore connect to our pilot environment first (see below).
Most SAML 2.0 libraries will be able to use this metadata to set up the connection to the gateway. If not, you can use the information below:
EntityID | https://sa-gw.surfconext.nl/authentication/metadata |
signing certificate | -----BEGIN CERTIFICATE----- |
SingleSignOnService Location | https://sa-gw.surfconext.nl/authentication/single-sign-on |
SingleSignOnService Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect |
Pilot environment
The SAML 2.0 metadata for the SURFconext Strong Authentication gateway pilot environment can be found at:
https://gateway.pilot.stepup.surfconext.nl/authentication/metadata
Most SAML 2.0 libraries will be able to use this metadata to set up the connection to the gateway. If not, you can use the information below:
EntityID | https://gateway.pilot.stepup.surfconext.nl/authentication/metadata |
signing certificate | -----BEGIN CERTIFICATE----- |
SingleSignOnService Location | https://gateway.pilot.stepup.surfconext.nl/authentication/single-sign-on |
SingleSignOnService Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect |
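For SPs that configure the gateway by hand from the production or pilot table, the following added example (not SURFconext code) extracts the same four values from a metadata document and compares them with values pinned in the SP configuration. The sample metadata, the placeholder certificate bytes and the function names `extract_idp_settings` and `check_against_pins` are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample shaped like the pilot metadata; the certificate is a
# placeholder byte string, not the gateway's real signing certificate.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 entityID="https://gateway.pilot.stepup.surfconext.nl/authentication/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{REDIRECT}"
   Location="https://gateway.pilot.stepup.surfconext.nl/authentication/single-sign-on"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_settings(metadata_xml):
    """Return EntityID, SSO location, binding and signing certificates (DER bytes)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = next(s for s in idp.findall("md:SingleSignOnService", NS)
               if s.get("Binding") == REDIRECT)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute covers signing too
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                certs.append(base64.b64decode("".join(c.text.split())))
    return {"entity_id": root.get("entityID"), "sso_location": sso.get("Location"),
            "binding": sso.get("Binding"), "signing_certs": certs}

def check_against_pins(settings, pinned_entity_id, pinned_sha256):
    """Return a list of problems; an empty list means the metadata matches the pins."""
    problems = []
    if settings["entity_id"] != pinned_entity_id:
        problems.append("entityID mismatch")
    sso = urlsplit(settings["sso_location"])
    if sso.scheme != "https" or sso.hostname != urlsplit(pinned_entity_id).hostname:
        problems.append("SSO location is not HTTPS on the gateway host")
    prints = {hashlib.sha256(c).hexdigest() for c in settings["signing_certs"]}
    if pinned_sha256 not in prints:
        problems.append("signing certificate fingerprint mismatch")
    return problems
```

For metadata fetched from the network, verify its XML signature and parse it with a hardened parser such as defusedxml before trusting the extracted values.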
How to test your SP connection on the pilot environment using the Onegini IdP
Developers who want to test how their SP works in combination with the SURFconext Strong Authentication gateway pilot environment must follow this procedure:
- If you do not have one already: register a Onegini account
- Make sure you complete Onegini's verification process for your mail address, as a mail address is required for registering a strong authentication token
- Go to https://selfservice.pilot.stepup.surfconext.nl/ and log in with your Onegini account
- Request a second factor authentication token (choose SMS, tiqr or YubiKey) and complete the self-registration process until you reach step 4 "Activation code"
- Contact us via support@surfconext.nl to schedule an appointment for the completion of the registration process. This takes 5 minutes at most and is best done by telephone or Skype call, so please send us your contact details, such as your phone number and/or Skype ID, so we can contact you.
- During this appointment: make sure you have your Activation code, your second factor authentication token (SMS, tiqr or YubiKey) and ID ready.
- One of the authorized SURFnet employees will then verify that you are in possession of the registered second factor authentication token (SMS, tiqr or YubiKey) that is associated with the activation code, will verify your identity and will activate your token.
- You can now log in on your own SP using your activated second factor authentication token (SMS, tiqr or YubiKey)
NB: This procedure will only work on our pilot environment. For the production environment a stricter policy is applied. Please refer to Using Onegini as IdP for testing SPs.