The goal of OpenConext is to make collaboration easier for users in Research and Education. Unfortunately, making something easier for users typically involves technology that isn’t always easy – or easy to explain – by itself. This site is the starting place for getting to know OpenConext, its technologies, use cases, the code itself and all other OpenConext Project and OpenConext Community related information.

OpenConext was originally developed by SURFnet as part of the SURFworks and GigaPort3 programme.

SURFnet runs an instance of the platform for research and education in The Netherlands known as SURFconext (

But first, let’s explain what OpenConext is all about:

In a nutshell, OpenConext provides the following features that are useful for Research and Education Services.

  • Services Shopfront: Multiple services hosted behind a single federation Service Providers ‘shopfront’
  • Group/Team Management: Secure and flexible creation of teams (synonymous with groups in OpenConext)
  • Authenticated User Group Information: APIs for Service Providers to retrieve the authenticated user’s group information, and also membership of those groups (i.e. other users in the authenticated user’s groups).

From a more technical point of view:

OpenConext is an open source collaboration management platform. It provides a SAML2 proxy for identity federation, a group proxy for group management and built-in tools for the management of the service registry and of group providers.

OpenConext is an infrastructure that enables groups, teams or organizations to bring together a set of federated tools such as wikis, mailing lists, or video conference software for use in a collaboration.

More specifically, OpenConext comprises two core components:

  • Engine is a SAML2.0 (SAML2Int WebSSO profile) compliant authentication proxy capable of acting as an IdP or SP. Apart from the authentication proxy, it also provides a “Where Are You From” (WAYF) service. Moreover, an interface allowing users to express their consent regarding the release of their identity attributes is available. Finally, the OpenConext Engine includes an interface enabling users to view and manage profile and group membership information.
  • API: Serves as the group proxy, also providing a management tool, named Manage. It supports both the Grouper API and VOOT with either OAuth (2.0) or Basic Auth authentication.

All other components are provided by ‘third parties’, including SPs, IdPs and group providers.

  • License: Apache License Version 2.0
  • Current deployments: SURFnet (SURFconext)
  • Modes of deployment: as a VM
  • Sustainability model: Maintained by SURFnet and the open source community. It also relies on external open source projects, such as Janus, Grouper, simpleSAMLphp, Shibboleth