For testing your connection to the SURFconext Strong Authentication Production or Pilot Gateway you should use an Onegini account instead of one of your regular IdP's accounts.
Registration for Pilot and Production is separate. You can use the same token and Onegini account for both, but you need to complete the registration procedure once for each environment.
Production environment
The procedure below applies to the SURFconext Strong Authentication Production environment. For the pilot environment a similar policy exists. See Pilot environment below.
Policy
SURFnet adheres to a strict policy for using Onegini for SURFconext Strong Authentication:
- A SURFnet SRAA will do the vetting of an SP contact. The contact must be physically present with their token, activation code and ID. Vetting via Skype/mail is not allowed for the Production environment.
- When the SP contact loses their token, they must register a new token and repeat the activation process.
- Onegini accounts are not allowed to have RA(A) rights.
- Onegini IdP is aimed at SPs. SURFnet offers 'best effort support' only.
- The SP must allow Onegini as IdP for their service and is responsible for its own additional authorization rules.
Registration procedure
- Register an Onegini account.
- Make sure to complete Onegini's verification process for your email address: this is required for registering a Strong Authentication token.
- Go to https://sa.surfconext.nl and log in with your Onegini account.
- Request a second factor authentication token (SMS, tiqr or YubiKey) and complete the self-registration process up to step 4, "Activation code".
- Contact us (support@surfconext.nl) for an appointment to finish the registration (ca. 5 minutes). The appointment must be face-to-face; remote vetting is not allowed.
- Do not forget to bring your activation code, your second factor authentication token (SMS, tiqr or YubiKey) and a photo ID (passport or driver's licence).
- After verification SURFnet will activate your token and you can login.
Pilot environment
Policy
- A SURFnet SRAA will do the vetting of an SP contact. The contact must be available during vetting with their activation code. Vetting via Skype/mail/phone is allowed for the Pilot environment.
- When the SP contact loses their token, they must register a new token and repeat the activation process.
- Onegini accounts are not allowed to have RA(A) rights.
- Onegini IdP is aimed at SPs. SURFnet offers 'best effort support' only.
- The SP must allow Onegini as IdP for their service and is responsible for its own additional authorization rules.
Registration procedure
- Register an Onegini account.
- Make sure to complete Onegini's verification process for your email address: this is required for registering a Strong Authentication token.
- Go to https://selfservice.pilot.stepup.surfconext.nl/ and log in with your Onegini account.
- Request a second factor authentication token (SMS, tiqr or YubiKey) and complete the self-registration process up to step 4, "Activation code".
- Contact us (support@surfconext.nl) for an appointment to finish the registration (ca. 5 minutes). For the Pilot environment, the appointment can be by telephone or Skype call.
- Do not forget to have your activation code and second factor authentication token (SMS, tiqr or YubiKey) ready.
- After verification SURFnet will activate your token and you can login.
Attributes
The following attributes are available when using an Onegini account. Whether you actually receive these attributes depends on the attribute release policy (ARP) that is configured for your SP in SURFconext:
| Friendly name | Attribute name | Value |
|---|---|---|
| SURFconext ID | urn:oid:1.3.6.1.4.1.1076.20.40.40.1 | urn:collab:person:surfguest.nl:<uid> |
| uid | urn:mace:dir:attribute-def:uid | Previous SURFguest username when this is a migrated account; otherwise generated by Onegini. |
| Surname | | Registered surname |
| Given name | | Registered first name |
| Common name | | Registered common name |
| Display name | urn:mace:dir:attribute-def:displayName | Same as common name |
| Email address | urn:mace:dir:attribute-def:mail | Registered email address |
| Organization | urn:mace:terena.org:attribute-def:schacHomeOrganization | |
| PrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName | <uid>@surfguest.nl |
There is no attribute that shows which authentication provider (Facebook, Google, LinkedIn, Twitter) the user used.
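The policy above leaves "additional authorization rules" to the SP. The following is an added example, not SURFconext's or Onegini's own code, of how an SP can read the attributes from the table out of a SAML assertion and recognise an Onegini guest account by the two identifiers SURFconext assigns (SURFconext ID and eduPersonPrincipalName) rather than by the user-registered email address. It assumes the assertion's signature has already been validated by the SP's SAML library, and the sample assertion, the `<uid>` value and the "tester" role mapping are constructed for the example.

```python
"""Added example (not SURFconext's or Onegini's code): read the attributes
an SP receives for an Onegini guest account and apply a local authorization
rule. Assumes the SAML assertion has already been signature-validated by the
SP's SAML library; this code only reads the AttributeStatement."""
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names from the table above, keyed by a short friendly name.
ATTRIBUTE_NAMES = {
    "surfconext_id": "urn:oid:1.3.6.1.4.1.1076.20.40.40.1",
    "uid": "urn:mace:dir:attribute-def:uid",
    "display_name": "urn:mace:dir:attribute-def:displayName",
    "mail": "urn:mace:dir:attribute-def:mail",
    "organization": "urn:mace:terena.org:attribute-def:schacHomeOrganization",
    "eppn": "urn:mace:dir:attribute-def:eduPersonPrincipalName",
}

# Values the table gives for guest accounts (the <uid> part varies per user).
GUEST_DOMAIN = "surfguest.nl"
GUEST_ID_PREFIX = "urn:collab:person:surfguest.nl:"

# Constructed sample assertion mirroring the table; "testuser42" is a made-up uid.
# schacHomeOrganization is deliberately absent, as an ARP may not release it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.1076.20.40.40.1">
      <saml:AttributeValue>urn:collab:person:surfguest.nl:testuser42</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:uid">
      <saml:AttributeValue>testuser42</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:displayName">
      <saml:AttributeValue>Test User</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:mail">
      <saml:AttributeValue>testuser42@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <saml:AttributeValue>testuser42@surfguest.nl</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def single(attrs: Dict[str, List[str]], key: str) -> Optional[str]:
    """First value of a table attribute, or None when the ARP did not release it."""
    values = attrs.get(ATTRIBUTE_NAMES[key], [])
    return values[0] if values else None


def is_guest_account(attrs: Dict[str, List[str]]) -> bool:
    """True when either SURFconext-assigned identifier marks an Onegini guest.

    The email address is not used: the table shows it is registered by the
    user, so it says nothing reliable about which IdP the user came from.
    """
    eppn = single(attrs, "eppn")
    cid = single(attrs, "surfconext_id")
    if eppn is not None and eppn.lower().endswith("@" + GUEST_DOMAIN):
        return True
    if cid is not None and cid.startswith(GUEST_ID_PREFIX):
        return True
    return False


def authorize(attrs: Dict[str, List[str]]) -> str:
    """Hypothetical SP-side rule: guest accounts get a 'tester' role, everyone
    else the SP's normal role. Refuses to classify when neither identifier was
    released, since the decision would then rest on nothing."""
    if single(attrs, "eppn") is None and single(attrs, "surfconext_id") is None:
        raise ValueError("ARP released neither eduPersonPrincipalName nor SURFconext ID")
    return "tester" if is_guest_account(attrs) else "regular-user"


if __name__ == "__main__":
    a = extract_attributes(SAMPLE_ASSERTION)
    print(single(a, "uid"), single(a, "organization"), authorize(a))
```

If your ARP releases only one of the two identifiers, the check still works on that one; if it releases neither, `authorize` raises so the SP does not silently treat an unclassifiable user as a regular account.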