# Upgrading eHerkenning version
# What do I need to consider when upgrading to a more recent version of eHerkenning (1.13)?
As of January 1st 2021 eHerkenning versions older than 1.9 will no longer be supported. When upgrading to the newest version (eHerkenning 1.13) service providers connected to the eHerkenning Broker must take the following into account:
# Loading in new metadata from EH Signicat
The metadata can be accessed via https://eh01.connectis.nl/metadata/ (opens new window).
The relevant version of the metadata must be loaded into the application of the service provider. Date and time must be coordinated with technical support because loading in the Signicat application must take place simultaneously.
# Add certificate to Service Catalogue
Since the introduction of eHerkenning 1.13, it is mandatory that a certificate is added to the service in the Service Catalogue. This documentation page describes how to do this.
# Format for Level of Assurance
The old format for the Level of Assurance (LoA) has been changed to
urn:etoegang. The LoA specifications can be found on this website (opens new window).
# Modification of SAML Response
The SAML Response is returned in a different manner:
- 1.13 ActingSubjectID (EncryptedID) containing the specific pseudonym of the user. Previously, this was returned in the NameID.
- 1.13 LegalSubjectID (EncryptedID) containing the identifying characteristic of the represented body. This may be a Chamber of Commerce number, but also an RSIN number or a BSN for a sole proprietorship, for example.
- The 1.13 attributes must be decrypted. The SSO broker can provide the decryption.
As of 1.9, service providers receive the Chamber of Commerce (KvK) number, (in urn:etoegang:1.9:EntityConcernedID:KvKnr). Prior to this, the KvK number was formatted as the organisation identification number (OIN).
# New functionality per version of eHerkenning
You can find the release notes of the different eHerkenning versions here (opens new window).
# Artifact binding
As of eHerkenning 1.9, Artifact Binding on the response is mandatory. A client certificate must be sent along from the client (Mutual TLS). The client certificate used must be included in the metadata. This may be the same certificate as the signing certificate. The SSO broker can still offer the service via POST/Redirect.
# Subdossier number
If you are still using a sub-dossier number, you should change to the branch number, or vestigingsnummer, (
urn:etoegang:1.9:ServiceRestriction:Vestigingsnr). You can find more information here (opens new window).
# SAML advice
By default, an Advice element is included from eHerkenning 1.11 onwards, which contains the assertions of the AD and MR. It is possible to disable this for your connection. To do so, please contact Technical Support <firstname.lastname@example.org>.
As of eHerkenning 1.9 service providers can request an AttributeConsumingServiceIndex with the AuhtnRequest. This maps directly to the index of the service from the Service Catalogue.