Federated authentication means that a user logs in on another location (an Identity Provider) than that of the accessed service (a Service Provider). SURFconext is located between those locations. Each of the providers has only one trusted connection with SURFconext: this is why this is called a hub-and-spoke federation. The connections are 'trusted', because both the Service Provider and the Identity Provider have identified themselves to SURFconext.
Read on to find out more about the authentication flow when using SURFconext. Your service will either use SAML or OpenID Connect. These are both standards for exchanging authentication and authorization data between parties, in our case identity providers and service providers.
- SAML Authentication flow
- SAML is an XML-based markup language for security assertions, statements that service providers use to make access-control decisions. Read this page to find out more about the authentication flow when your application supports SAML.
- OpenID Connect Authentication flow
- SURFconext was a SAML based federation and OpenID Connect was added later. OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.