# Upgrading eHerkenning version

# What do I need to consider when upgrading to a more recent version of eHerkenning (1.13)?

As of January 1st 2021 eHerkenning versions older than 1.9 will no longer be supported. When upgrading to the newest version (eHerkenning 1.13) service providers connected to the eHerkenning Broker must take the following into account:

# Loading in new metadata from EH Signicat

The metadata can be accessed at https://eh.signicat.nl/broker/sp/eh/1.13/metadata (opens new window).

The relevant version of the metadata must be loaded into the application of the service provider. Date and time must be coordinated with technical support because loading in the Signicat application must take place simultaneously.

# Add certificate to Service Catalogue

Since the introduction of eHerkenning 1.13, it is mandatory that a certificate is added to the service in the Service Catalogue. This documentation page describes how to do this.

# Format for Level of Assurance

The old format for the Level of Assurance (LoA) has been changed to urn:etoegang. The LoA specifications can be found on this website (opens new window).

# Modification of SAML Response

The SAML Response is returned in a different manner:

  • 1.13 ActingSubjectID (EncryptedID) containing the specific pseudonym of the user. Previously, this was returned in the NameID.
  • 1.13 LegalSubjectID (EncryptedID) containing the identifying characteristic of the represented body. This may be a Chamber of Commerce number, but also an RSIN number or a BSN for a sole proprietorship, for example.
  • The 1.13 attributes must be decrypted. The SSO broker can provide the decryption.

As of 1.9, service providers receive the Chamber of Commerce (KvK) number, (in urn:etoegang:1.9:EntityConcernedID:KvKnr). Prior to this, the KvK number was formatted as the organisation identification number (OIN).

# New functionality per version of eHerkenning

You can find the release notes of the different eHerkenning versions here (opens new window).

# Artifact binding

As of eHerkenning 1.9, Artifact Binding on the response is mandatory. A client certificate must be sent along from the client (Mutual TLS). The client certificate used must be included in the metadata. This may be the same certificate as the signing certificate. The SSO broker can still offer the service via POST/Redirect.

# Subdossier number

If you are still using a sub-dossier number, you should change to the branch number, or vestigingsnummer, (urn:etoegang:1.9:ServiceRestriction:Vestigingsnr). You can find more information here (opens new window).

# SAML advice

By default, an Advice element is included from eHerkenning 1.11 onwards, which contains the assertions of the AD and MR. It is possible to disable this for your connection. To do so, please contact Technical Support <technicalsupport@signicat.com>.

# AuthnRequest

As of eHerkenning 1.9 service providers can request an AttributeConsumingServiceIndex with the AuhtnRequest. This maps directly to the index of the service from the Service Catalogue.

Last updated: 3/1/24, 10:39:52 AM UTC