SPs do not have the means to test their connection to our Strong Authentication Gateway in production using an account from one of the regular IdPs. Therefore they can use the Onegini IDP for this purpose. Because Onegini has a different status as an IdP (anyone is able to create a Onegini account), SURFnet adheres to a strict policy for using Onegini for strong authentication.

Policy

  • A SURFnet SRAA will do the vetting of an SP contact, but only when the SP contact is physically present with his token, activation code and ID. Workarounds with vetting via Skype/mail are explicitly not allowed for production (unlike the pilot and test environments).
  • Remember: when the SP contact loses his/her token, the user must register a new token and start the activation process with ID vetting by SURFnet all over again. 
  • Onegini accounts are not allowed to have RA(A) rights.
  • Onegini IDP is aimed at SPs. SURFnet offers 'best effort support' only.
  • The SP must allow Onegini as IdP for their service, and is responsible for its own additional authorization rules (if applicable).

Note

Onegini now shows up as IdP for the SA portal (sa.surfconext.nl) at the WAYF (list of IdPs to choose from when logging in with the first factor).
