Second Factor Only authentication allows a SP to authenticate only the second factor of a user. SFO is suitable for situations where the application must perform the fist factor authentication of the user like that application gateway (e.g. Citrix Netscaler or F5 BIG-IP) or to the authentication or authorization gateway (e.g. Microsoft ADFS or Novell/NetIQ) of an institution. SFO has its own authentication endpoint at the SURFsecureID gateway.

Once a user is registered with a second factor in SURFsecureID both SFO authentication and the standard SURFsecureID authentication can be used.

Differences between 'standard' SURFsecureID and SFO authentication

The table below lists the differences between standard authentication and second factor (SFO) authentication that is offered by SURFsecureID gateway to a service provider.

DescriptionStandard authenticationSFO authenticaton
Authentication of the user's first factor by the SURFsecureID gatewayAlwaysNever
Authentication of second factor by the SURFsecureID gatewayBased on policy between IdP and SPAlways
User registrationUsing SURFsecureID selfservice registration and vetting by an RA
Standard SURFconext features that can be usedAttributes, Authorization, persistent identifiersNone
The service provider specifies the identity of the user during authenticationNeverAlways

With SFO the authentication via SURFconext is bypassed (see image below). This means that SURFconext functionality (e.g. attributes from the user's home IdP, the definition of authorization rules and persistent user identifiers) is not available. During a standard authentication the identity of the user is detemind by SURFconext during the 1st factor authentication. Because this step is omitted during SFO, the service provider must provide the identity of the user's to SURFsecureID during authentication instead.

Note that also with SFO the registration of users (i.e. linking second factors to user identities) will be done by the institutions (IdP's): there is no work to be done for the SP.

SAML AuthRequest

To start a SFO the SP must send a SAML 2.0 AuthnRequest to the SFO endpoint of the SURFsecureID Gateway. This request MUST:

SURFsecureID Implementation notes regarding RequestedAuthnContext

Future SURFsecureID versions may support more complex processing of RequestedAuthnContext options and add new AuthnContextClassRef "families" do support different registration policies.

Example AuthnRequest

Below is an example SAML 2.0 SFO AuthnRequest request for the SURFsecureID production environment:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml:NameID>

Note that the signature is not visible in the XML of the above AuthnRequest: it will be encoded in the HTTP GET parameters according to the specification of the HTTP-Redirect binding.

Note that SFO uses a different SingleSignOn Location and a different AuthnConextClassRef identifiers than a standard authentication to SURFsecureID. See SURFsecureID Metadata for Service Providers for the diffenrent AuthnConextClassRef identifiers that are being used by SURfsecureID.

Determining the SURFconext identifier of a user

The SURFconext identifier of a user is built from the values if two different attributes that the identity provider (IdP) of the user's institution sends to SURFconext during authentication. The two attributes that are used to create the SURFconext user identitfier are:

  1. the value of this attribute identifies the user's institution.
  2. urn:mace:dir:attribute-def:uid: the value of this attribute identifies the user withing the institution


For the value of last two items: ask the administrator of the IdP .


SAML Response

The result of a successful authentication is a SAML Response. Note that it does not contain an AttributeStatement and that the Assertion element is signed and that the Response element is not signed. Response signing is not currently supported by SURFsecureID, it may be added in future versions.

 <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    <saml:Assertion xmlns:xsi=""
        <ds:Signature xmlns:ds="">
                <ds:CanonicalizationMethod Algorithm="" />
                <ds:SignatureMethod Algorithm="" />
                <ds:Reference URI="#_1ROuxGVzJi5bbre6W4woNza82aK41HKjp6aKtw9r">
                        <ds:Transform Algorithm="" />
                        <ds:Transform Algorithm="" />
                    <ds:DigestMethod Algorithm="" />
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2016-03-10T15:14:25Z"
        <saml:Conditions NotBefore="2016-03-10T15:09:25Z"
        <saml:AuthnStatement AuthnInstant="2016-03-10T15:09:25Z">

Error handling

For specifiec scenario's, when the authenticated fails, the SURFsecureID gateway sends a SAMLResponse to the SP with a non success status:

A service provider SHOULD be able to handle the first two errors scenarios above (AuthnFailed and NoAuthnContext) in a user friendly manner. These error responses will occur during normal use: users can and do cancel the authentication process and users that do no not yet, or no longer have, a registered seond factor will try to authneticate to your service, and fail.

SURFsecureID does not currenly add a StatusMessage to an "error" response. We plan to add a StatusMessage in a future version of SURFsecureID that provides more context about the error to the operator of the service than can be conveyed using the standard statusCodes.

Example Error Response

Below is an example SAML "error" Response:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext" />

Level: authentication strength

See explanation at "Levels of Assurance".


SFO must be implemented at the SP. The authentication protocol is similar to the one used by the SURFsecureID gateway. The main difference is that the SP must send the identifier of the user in the Subject element of the SAML AuthnRequest (see description of AuthnRequest, line 2017).

You can find the metadata of the SFO endpoints on SURFsecureID Metadata for Service Providers.

Always do a first factor authentication before starting a SFO authentication

Starting an SFO authentication will immediately start an authentication at the SURFsecureID gateway: a push notification (tqr) or an SMS will be sent to the user being authenticated. If authentication is started for the wrong user, this will derange the targeted user and in case of SMS, incur a cost to the institution and possibly for the user.

By observing the behavior of the SFO authentication it is possible to determine whether a username exists.

For this reasons we advise to perform a first factor authentication before starting a SFO authentication.


An example code for using SFO with SimpleSAMLphp can be found at: