What is Stepup?

Step-up authentication as-a-service, or "Stepup" for short, is an open source project that was started by SURFnet to create what is now called "SURFsecureID". It works seamlessly with OpenConext to add Step-up authentication for (SAML) Service Providers. The Stepup system manages authentication and registration of second factors without requiring technical integration with the identity provider, which is great if you need to support many different identity providers. For SAML service providers (SPs) an "always require stepup" policy is available that allows SPs to connect to Stepup with very little to no integration effort. For a more feature rich integration SAML Scoping with RequestedAuthnContext is supported.

Stepup is not limited to be used with OpenConext. There is nothing that precludes it from being used by itself to add Step-up authentication to:

  • an existing SAML identity provider
  • one or many SAML service providers
  • other SAML proxies or hubs

How SURFnet uses Stepup to offer strong authentication to cloud services:

More information

Ansible Stepup Deployment (Stepup-Deploy)

Stepup-Deploy contains the Ansible playbooks and supporting scripts for installing Stepup. It is also the repository that contains information on the architecture, design and technology of Stepup.


The in this repo lists the changes of not only the deployment scrips, but also the changes in the stepup components.

Pivotal Issue tracker

Much of the development discussions take place outside github in a pivotal tracker:

Releated github repositories

Stepup Components

These are the "top level" repositories for the Stepup components that can be deployed on the Stepup infrastructure:

These in turn use many components and bundles that are stored in other repositories.

Build Server

Stepup-Build is used for building releases of the stepup components. Prebuild components can be downloaded from the release page of the component on github.

Stepup VM

Stepup-VM contains scripts for setting up a VM for testing/development

Documentation from SURFnet's SURFconext Strong Authentication service

SURFnet runs an instance of the Stepup software and offers it as a service to its members. To that end it provides documentation aimed at Identity Providers, Service Provides and users of the service in the SURFsecureID wiki pages.

Animation introducing SURFconext Strong authentication

Other Documentation

The first study on the architecture and processes:


Contributions and bug reports are welcome! Please open an Issue or a PR in the relevant github repository. If you are considering implementing a non-trivial feature we suggest that you discuss your plans beforehand, this makes the process of getting your change accepted more pleasant, predictable and effective. Note that much of the development discussion takes place in Pivotal.