With OpenID Connect, trust is established out-of-band, by supplying the Service Provider with a username and a secret. All the necessary technical information, such as endpoints, supported algorithms and supported claims, can be found at the .well-known endpoint: https://oidc.surfconext.nl/.well-known/openid-configuration
SURFconext couples the SP and the IdP based on specific rules.
Note that SURFconext itself does not authenticate users: this is done by the connected Identity Providers.
The picture above is a schematic representation of the login flow of the SURFconext OpenID Connect proxy. To get a feeling of how things work in reality, you can play around with our playground: https://authz-playground.surfconext.nl/.
1. The user accesses a Service Provider (Relying Party) and clicks "login via SURFconext".
2. The Relying Party (SP) generates an OpenID Connect Authorize request and redirects the user to the OpenID Connect Authorization endpoint.
3. The OpenID Connect server receives the request and prepares a SAML redirect to authenticate the user.
4. In order to determine where to send the user for authentication, SURFconext shows the user a "Where Are You From?" (WAYF) page with all Identity Providers that have access to the service. The user chooses the institution that is his Identity Provider.
5. The IdP generates a SAML response and redirects the user back to SURFconext with a response message, saying that the user is authenticated. The message also contains the user's attributes.
6. SURFconext validates the response message and, if it is valid, makes some alterations, e.g. rewriting the user's identifier and adding or modifying attributes, and sends the SAML response to the OpenID Connect gateway. According to the attribute release policy applied, SURFconext determines the attributes that are allowed through to the Service Provider.
7. The OpenID Connect gateway verifies the response, generates a code, and redirects the user to the Relying Party (SP) with the code.
8. The Relying Party (SP) receives the authorization code.
9. The Relying Party (SP) prepares a backchannel request to exchange the code for an access token and an ID token.
10. The OpenID Connect gateway receives the code and checks its validity.
11. The OpenID Connect gateway generates an access token and an ID token.
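The Relying Party's side of the flow above (building the Authorize request, checking the callback that carries the code, and validating the ID token claims), as an added Python example that is not SURFconext's or this page's own code. The issuer is assumed to be the origin of the discovery URL; the authorization endpoint path, client_id and redirect URI are placeholders that a real RP reads from the discovery document and its own registration.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values (not from the page): the issuer is taken from the origin of the
# discovery URL; the endpoint path and client details are placeholders.
ISSUER = "https://oidc.surfconext.nl"
AUTHZ_ENDPOINT = ISSUER + "/authorize"   # in practice: authorization_endpoint from discovery
CLIENT_ID = "example-rp"
REDIRECT_URI = "https://rp.example.org/callback"


def new_session():
    """Fresh per-login state and nonce; both must be stored server-side in the user's session."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def build_authorize_request(state, nonce):
    """The Authorize request the RP redirects the browser to (authorization code flow)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,   # ties the callback to this browser session (CSRF defence)
        "nonce": nonce,   # must reappear inside the ID token (replay defence)
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_callback(url, expected_state):
    """Extract the authorization code from the redirect; refuse it unless state matches."""
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]


def validate_id_token_claims(claims, expected_nonce, now=None):
    """Claim checks on the ID token payload. Signature verification against the
    gateway's JWKS (jwks_uri in discovery) must happen first and is not shown here."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audience_ok = aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)
    return (claims.get("iss") == ISSUER
            and audience_ok
            and claims.get("nonce") == expected_nonce
            and claims.get("exp", 0) > now)
```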