Frequently Asked Questions

My organization already has SSO set up in one environment, but now wants it in other environments as well. What do I need to do?
In this case, no application needs to be submitted to SurfConext or Entree Federation. Send an email to support@paragin.nl containing the contact information and the url of the relevant environment.

How do I know if SSO is enabled for the environment?
You can check this by going to the login page of the environment. There you will see a button with 'Log in with SurfConext/Entree Federation/etc'.

There is no button on the login page, now what?
If there is no button on the login page with 'Log in with SurfConext/Entree Federation' it means that the SSO is not turned on for the environment. Please contact support@paragin.nl.

I have found the unique ID. Do I have to add it to existing users one by one?
No, you do not need to add the UID one by one to existing user accounts. Create an export of existing users. Add the unique value to the code/characteristic field. Import this enriched file back into the environment. The codes are added to the users in this way.

I have SSO set up. Are new users now automatically created?
No, you populate the accounts with the correct unique ID. Only this ID is not enough information for the environment to create a complete account. For example, information still needs to be given about linking the correct course(s) and group(s). So the idea is to create accounts including the use of the correct unique ID.

I am using SSO. How do I get into the environment now? Will a tile now automatically appear on my portal or a button on the website?
This button or tile will not automatically appear on an internal website or portal. Please contact the internal person responsible for this website or portal for that. If no button or tile is present, you will need to go to the URL of the environment to log in with your SurfConext or Entree Federation login credentials.

If I click through from the website, I still have to log in even though SSO is turned on.
That's right. This has been set up for security reasons. Because these environments often involve exams, it is important to prevent someone from accidentally staying logged in and allowing someone else to view an exam. Having to log in one more time prevents this kind of risk.

I introduced the unique ID to one user. The other users cannot use their SSO yet. How is this possible?
Filling the code/characteristic field must be filled for all users. It is not sufficient to fill it for one user.

What if there are two accounts in Remindo with the same unique ID in the code/characteristic field?
In that case, the user may choose which account they want to continue working in.

What if there is no code/characteristic filled in the user account in Remindo?
Is a user trying to log into Remindo with the SSO data, but no code/characteristic field has been filled in yet? Then this user will be shown the standard Remindo login screen and may enter its username and password. Then the Surf ID will still be linked and the participant can then log in with their Surf login credentials (Note: this only applies to Remindo in combination with SurfConext).

I entered an incorrect unique ID (UID) value, what now?
This value can still be changed in the user's profile. The unique ID is only known within the organization.

In the case of Remindo, after logging in with the SSO account, a participant who has entered an incorrect unique ID is asked to log in with his Remindo username and password. This way, the link between the two accounts is still made and the participant can then log in with his Surf login credentials (Note: this only applies to Remindo in combination with SurfConext).

Unique IDs: I am a functional administrator and looking for the unique IDs. Where can I find the unique IDs for SurfConext or Entree Federation?

SurfConext:

• Search through https://engine.surfconext.nl/authentication/sp/debug for the format of value for a student and for an employee (there is a difference in that). Use the link to log into your own Surf account, thus deriving the format for employees. Also have a (demo) student log in, with this the format can be derived for the student. Often this is the student number or the mail address for the @. The values are built the same for all students, and the same for all employees. For example, for a student, is it the student number? Then assume it is the student number everywhere. For employees, this is often an abbreviation, then this method of abbreviation is also the same for all employees.
• Look at the attribute value of the UID (User ID).
• Note: this is different from the eduID. the unique value should really be the UserID.

Entree Federation:

• Entree Federation provides schools with an nlEduPersonProfileID or EckID. These unique values can only be found within the internal student administration system, for example in Magister.

I want to work with SSO, but my organization does not use SurfConext or Entree Federation. Can I still use SSO?
Outside of these two providers (SurfConext and Entree Federation), it is possible to set up a custom SSO solution. However, this is a lot less easy to set up compared to SurfConext and Entree Federation. Therefore, our advice is to choose one of these options.

Disclaimer: This text was automatically translated from the Dutch version.