<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<td class="mPadding0" style="padding-bottom: 20px;"
valign="top" align="left">
<table width="100%" cellspacing="0" cellpadding="0"
border="0">
<tbody>
<tr>
<td valign="top" bgcolor="#FFFFFE" align="center">
<table class="mWidth100" style="width: 620px;"
cellspacing="0" cellpadding="0" border="0"
align="center">
<tbody>
<tr>
<td class="mHdrPadding" style="padding: 15px
0px;" valign="top" align="left">
<table width="100%" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<td align="left">
<table width="100%" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<td class="nb_title"
style="font-family: Arial,
Helvetica, 'Helvetica Neue',
sans-serif; font-size: 19px;
color: #000001; font-weight:
bold; line-height: 22px;"
align="left">SURFconext News
SP-edition 2020 #2</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td class="mHdrPadding" style="padding: 0px
0px;" valign="top" align="left">
<table width="100%" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<td style="padding: 0px 0px;"
valign="top" align="left"><img
src="cid:part1.4C1D1940.494F13AA@surfconext.nl"
alt="" moz-do-not-send="false"
class="" width="600" height="125"></td>
</tr>
<tr>
<td style="padding: 0px 0px;
line-height: 0px; font-size: 0px;"
valign="top" height="16"
align="left"><br>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<td class="mFlexPadding" style="padding-bottom: 5px;"
valign="top" align="center">
<table class="mWidth100" style="width: 660px;"
cellspacing="0" cellpadding="0" border="0" align="center">
<tbody>
<tr>
<td valign="top" align="left"><br>
<table width="100%" cellspacing="0" cellpadding="0"
border="0">
<tbody>
<tr>
<td class="mPadding0" style="padding-bottom:
20px;" valign="top" align="left">
<table width="100%" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<td valign="top" align="left">
<table width="100%" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<td class="mHide"
style="width: 12px;
line-height: 0px; margin:
0px; font-size: 0px;"
valign="top">
<h2> </h2>
</td>
<td style="height: 12px;
line-height: 0px; margin:
0px; font-size: 0px;"
height="12"
bgcolor="#FFFFFF"> </td>
<td class="mHide"
style="width: 12px;
line-height: 0px; margin:
0px; font-size: 0px;"
valign="top"> </td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td valign="top" bgcolor="#FFFFFF"
align="center">
<table class="mWidth100"
style="width: 620px;"
cellspacing="0" cellpadding="0"
border="0" align="center">
<tbody>
<tr>
<td class="nb_kop"
style="font-family: Arial,
Helvetica, 'Helvetica Neue',
sans-serif; color: #1570a6;
font-size: 15px;
line-height: 20px;
font-weight: bold; padding:
4px 0px 2px;" valign="top"
align="left"> </td>
</tr>
<tr>
<td valign="top" align="left">
<table width="100%"
cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<td valign="top"
align="left">This
newsletter will
bring you
information about
new developments
regarding
SURFconext, plans
for the future, tips
and tricks and will
appear on an
irregular basis.<br>
<br>
<b>Who receives this
newsletter?</b><br>
All technical and
administrative
contacts of a
service connected to
SURFconext will
receive this
newsletter.
Subscribe <a
moz-do-not-send="true"
href="https://list.surfnet.nl/mailman/listinfo/surfconext-sp-newsletter">here</a>
and unsubscribe <a
moz-do-not-send="true"
href="https://list.surfnet.nl/mailman/options/surfconext-sp-newsletter">here</a>.<br>
<br>
For an overview of
all mailings by the
SURFconext team, see
the <a
moz-do-not-send="true"
href="https://wiki.surfnet.nl/display/surfconextdev/SURFconext+News+SP-edition">following
page</a>.<br>
<br>
In this edition:<br>
<br>
1. eduID will
replace Onegini as
Guest IdP in
SURFconext<br>
2. Make your
service available
more quickly to
institutions<br>
3. Which services
are connected to
SURFconext?<br>
4. SURFsecureID
key rollover<br>
5. OpenID Connect
migration<br>
<h1>eduID will
replace Onegini as
Guest IdP in
SURFconext<br>
</h1>
Not everyone who
must log in to a
service connected to
SURFconext has an
institutional
account. For these
so-called guest
users, SURFconext
offers a guest
Identity Provider
(guest IdP). The
current guest IdP
Onegini will be
replaced by eduID
before 1 July 2020.
<a
moz-do-not-send="true"
href="https://www.surf.nl/en/eduid-to-support-lifelong-learning-research-and-collaboration">
Read more about
eduID</a>.<br>
<br>
SURF has set up a
process to make it
as easy as possible
for the user to
migrate the old
Onegini guest
account to eduID.
During the
migration, a new
eduID account is
created for the user
with the same
identifier as the
old Onegini account.
As a result, the old
identity is retained
within eduID. The
guest user also
retains their existing
authorisations
within SURFconext
(such as SURFconext
Teams memberships)
and the services
connected to it.<br>
<h4>Planning</h4>
The migration will
start within a few
weeks (the exact
date is not yet
known). Once the
migration has begun,
Onegini will send
out an email to all
current Onegini
users, asking them to
migrate their
accounts to eduID.
Meanwhile, SURF will
connect the eduID
IdP to all Service
Providers who are
currently connected
with Onegini. This
ensures that
migrated users can
actually log in to
the service using
eduID. On 1 July
2020, Onegini will
be disconnected from
all Service
Providers.<br>
<h4>Expected impact</h4>
As a Service
Provider, you need to
make no or very few
changes to provide
support for eduID.
Just like Onegini,
eduID is an Identity
Provider in
SURFconext, and
eduID supports
exactly the same
attributes as
Onegini. Onegini and
SURF will take care
of migrating users
and once they have
migrated from
Onegini to eduID
(see below), they
will remain exactly
the same user, with
exactly the same
attributes and
identifier.<br>
<h4>ACL</h4>
If your Service
Provider filters
users based on the
Entity ID of the IdP
which the user
authenticated with
in SURFconext, you
will need to update
your ACL. The Entity
ID of eduID is: <a
class="moz-txt-link-freetext" href="https://login.eduid.nl">https://login.eduid.nl</a>.<br>
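An SP-side check of this kind, as an added example (not SURFconext's or the newsletter's own code): it assumes the IdP the user authenticated with arrives in the assertion's AuthenticatingAuthority element and that your SAML library has already validated the signature. The Onegini Entity ID is a placeholder because the newsletter does not state it; the institutional IdP and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AUTHORITY_TAG = "{%s}AuthenticatingAuthority" % SAML_NS

EDUID_ENTITY_ID = "https://login.eduid.nl"  # from the newsletter
# Placeholder: the newsletter does not state Onegini's Entity ID.
ONEGINI_ENTITY_ID = "https://onegini.invalid/PLACEHOLDER-ENTITY-ID"
UNI_ENTITY_ID = "https://idp.university.example/saml"  # hypothetical IdP


def build_acl(include_onegini):
    """Allow-list of IdP Entity IDs; Onegini stays only during the overlap."""
    acl = {EDUID_ENTITY_ID, UNI_ENTITY_ID}
    if include_onegini:
        acl.add(ONEGINI_ENTITY_ID)
    return frozenset(acl)


def authenticating_idp(assertion_xml):
    """Return the single IdP Entity ID named in the assertion, else None."""
    root = ET.fromstring(assertion_xml)
    values = [(el.text or "").strip() for el in root.iter(AUTHORITY_TAG)]
    # Fail closed: absent, repeated or empty values give no usable answer.
    if len(values) != 1 or not values[0]:
        return None
    return values[0]


def is_allowed(assertion_xml, acl):
    """Exact string match on the Entity ID; no prefix or substring checks."""
    idp = authenticating_idp(assertion_xml)
    return idp is not None and idp in acl


def sample_assertion(*idp_entity_ids):
    """Constructed, unsigned assertion skeleton for the demo only."""
    assertion = ET.Element("{%s}Assertion" % SAML_NS)
    stmt = ET.SubElement(assertion, "{%s}AuthnStatement" % SAML_NS)
    ctx = ET.SubElement(stmt, "{%s}AuthnContext" % SAML_NS)
    for entity_id in idp_entity_ids:
        ET.SubElement(ctx, AUTHORITY_TAG).text = entity_id
    return ET.tostring(assertion)


if __name__ == "__main__":
    guest = sample_assertion(EDUID_ENTITY_ID)
    print("old ACL:", is_allowed(guest, frozenset({ONEGINI_ENTITY_ID})))
    print("new ACL:", is_allowed(guest, build_acl(include_onegini=True)))
```

Once Onegini is disconnected on 1 July 2020, build the list with include_onegini=False so the old entry does not linger in the ACL.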
<h4>Customised WAYF
page?</h4>
Some services have
their own
WAYF/discovery page
that includes
Onegini, or a login
button that refers
directly to Onegini.
In that case, as a
Service Provider you
will need to change
this to eduID.<br>
<h4>Update your
manuals</h4>
If you have manuals
about guest use for
SURFconext, replace
Onegini with eduID.
You can also point
users towards our
own help pages: <a
class="moz-txt-link-freetext" href="https://eduid.nl/help_en/">https://eduid.nl/help_en/</a>
(for English) or <a
class="moz-txt-link-freetext" href="https://eduid.nl/help/">https://eduid.nl/help/</a>
(for Dutch).<br>
<h4>Temporary:
Onegini and eduID
side by side</h4>
Temporarily, guest
users who have
migrated their old
Onegini accounts to
eduID will be able
to log in to
(certain) services
using both Onegini
and eduID. From a
service point of
view, there is no
difference between
these users. Later
this year Onegini
will disappear and
eduID will remain
the only possibility
to log in as a guest
user.<br>
<h4>Need help?</h4>
For more detailed
information, SURF
has set up a wiki
page: eduID will
replace Onegini as
Guest IdP in
SURFconext. As
always, if you have
any questions you
can reach out to us
at <a
class="moz-txt-link-abbreviated"
href="mailto:support@surfconext.nl">support@surfconext.nl</a>.<br>
<h1>Make your
service available
more quickly to
institutions<br>
</h1>
When your Service
Provider (SP) has
been connected to
SURFconext, users
can log in as soon as
the Identity
Provider (IdP) has
made the connection.
Whenever an
institution requests
a connection to your
service, we ask the
SP if the connection
is allowed
(sometimes license
agreements, for example, need
to be in place).<br>
<br>
If there are no
restrictions for
institutions to use
your service, please
let us know! We can
now administer this
information, and
make the technical
connection more
quickly.<br>
<br>
Let us know if there
are no restrictions
for your service via
<a
class="moz-txt-link-abbreviated"
href="mailto:support@surfconext.nl">support@surfconext.nl</a>.<br>
<h1
id="SPnewsjan2020-KeepyoursecurityuptodateandremoveTLS1.0andTLS1.1">Which
services are
connected to
SURFconext?<br>
</h1>
A recent update of
the <a
moz-do-not-send="true"
href="https://dashboard.surfconext.nl/">SURFconext IdP Dashboard</a>
enables everyone,
without logging in, to:<br>
- see all connected
Service Providers<br>
- check the Attribute
Release Policy of a
Service Provider<br>
- view the
information (for
example: the
description of the
service)<br>
- check which
institutions use a
service<br>
<br>
Is the data about your
service incorrect?
SPs with access to
our SURFconext SP
Dashboard (<a
moz-do-not-send="true"
href="https://wiki.surfnet.nl/display/surfconextdev/SP+Dashboard">learn
how to get access</a>)
can change most
information
themselves. Sending
an email will do as
well. Please contact
us at <a
class="moz-txt-link-abbreviated"
href="mailto:support@surfconext.nl">support@surfconext.nl</a>.<br>
<h1>SURFsecureID key
rollover<br>
</h1>
SURFsecureID is
migrating to a new
signing key because
the current one is
almost 5 years old
and expires in July
of 2020. This means
that all Service
Providers connected
to SURFsecureID must
take action,
otherwise their
users can no longer
log in. There are <a
moz-do-not-send="true"
href="https://wiki.surfnet.nl/display/SsID/SURFsecureID+key+rollover">several
migration options</a>,
but most SPs can
change their SAML
connections from
SURFsecureID to
SURFconext (and
we'll enable
SURFsecureID there).
Others will need to
import new
SURFsecureID
metadata containing
the new signing key.
We've created <a
moz-do-not-send="true"
href="https://wiki.surfnet.nl/display/SsID/SURFsecureID+key+rollover">a
webpage listing
the migration
options SPs have
and the overall
planning of the
key rollover</a>.
We'll update this
page with more
details in the
coming period.
Support is available
for any questions or
assistance at <a
class="moz-txt-link-abbreviated"
href="mailto:support@surfconext.nl">support@surfconext.nl</a>.<br>
<h1>OpenID Connect
migration<br>
</h1>
<p>The OpenID
Connect
implementation of
SURFconext has
received a
complete overhaul
in 2019. This
means that all
OpenID Connect
connections will
be migrated to the
new OpenID Connect
gateway. Every
connected Relying
Party will receive
an email with
further details in
the coming weeks.
If you want to
prepare, you can
already read <a
moz-do-not-send="true"
href="https://wiki.surfnet.nl/display/surfconextdev/OpenID+Connect+Migration">the
migration
documentation</a>.
We have noticed
that many Relying
Parties are
connected, but do
not generate any
logins. If you
have a connected
RP that is not
used, you can help
us by having it
removed from
SURFconext. You
can do so by
sending us an
email, or by using the
SP Dashboard.<br>
</p>
<br>
<hr></td>
</tr>
<tr>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</body>
</html>