# Broker Services
Broker services allow you to configure scenarios for the Signicat Identity Broker to be used in the request for the Identity Provider (IdP).
To configure a service, select the Broker Services section in the Identity Broker menu.
The default service is always configured and cannot be removed, only edited. In the Broker Services section, you can add, edit and remove other broker services.
In the example above, we can see the configuration section of a single service.
- Name: Required. The name of the broker service.
- Select default minimum Level of Assurance: The minimum Level of Assurance (LoA) to apply to all Identity Providers defined in this broker service.
- Selected authn provider: Optional. The Identity Providers that the Broker should offer for authentication when the login flow is using the selected service.
- Provide authn configuration: Allows you to further customise the configuration for an Identity Provider.
  - Authn provider: The name of the Identity Provider to customise.
  - Service: Optional. The name of the service to customise. Applies only to eHerkenning.
  - Select minimum Level of Assurance: Optional. Allows you to control the minimum LoA per Identity Provider. Applies only to DigiD and eHerkenning.
  - Add attributes: Optional. The user attributes to request per Identity Provider. Note that the name of attributes may vary depending on the protocol of the Identity Provider:
    - SAML: Index
    - OpenID: Scopes
    - iDIN: RequestedAttributes
## LoA priority using Broker Service
When defining the Level of Assurance (LoA) in the Broker Services, the following order of priority applies:
- Minimum LoA set in the specific service.
- Minimum LoA set in the default service.
- Minimum LoA per Identity Provider configured in the specific service.
Note that specifying the LoA with a query parameter in the authentication request will override any of the above configurations.
# Requesting broker services
To use services on the login flow, service providers have two options:
- Send the service on the login request. For this functionality, the Broker supports the following protocols:
  - OpenID: The service should be requested by using the scope attribute. Services available in the Broker are shown in the `.well-known/openid-configuration` endpoint of the broker, such as `{yourDomain}/broker/sp/oidc/.well-known/openid-configuration`. The services are listed with the following format: `service:$ServiceName`, for example: `service:iDIN`.
- Configure default service in the configuration-app. This feature is available for each configured service provider connection. The Broker will first try to use a service that was sent in the login request. If no service is requested, it will try to use the service configured in the service provider connection, if available.
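
The following is an added example, not Signicat code: it reads the services advertised in a discovery document and builds an OpenID authorization request that pins one of them through the `service:$ServiceName` scope, refusing a name the broker does not advertise. The sample document, the `broker.example.test` domain, the endpoint path, the client values and the use of the standard `scopes_supported` field are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse

SERVICE_PREFIX = "service:"  # scope format from the page: service:$ServiceName

# Constructed sample discovery document (not real broker output). The domain,
# the endpoint path and the use of "scopes_supported" are assumptions.
SAMPLE_DISCOVERY = {
    "issuer": "https://broker.example.test/broker/sp/oidc",
    "authorization_endpoint": "https://broker.example.test/broker/sp/oidc/authorize",
    "scopes_supported": ["openid", "profile", "service:default", "service:iDIN"],
}


def advertised_services(discovery):
    """Return the broker service names advertised as service:<name> scopes."""
    return [s[len(SERVICE_PREFIX):] for s in discovery.get("scopes_supported", [])
            if s.startswith(SERVICE_PREFIX) and len(s) > len(SERVICE_PREFIX)]


def build_auth_url(discovery, client_id, redirect_uri, service=None):
    """Build an authorization request, optionally pinning a broker service.

    Fails closed when the requested service is not advertised (the match is
    case-sensitive) instead of sending a scope the broker may not recognise.
    With service=None no service scope is sent, so the broker uses the
    service configured on the service provider connection, if available.
    """
    endpoint = discovery["authorization_endpoint"]
    if urlparse(endpoint).scheme != "https":
        raise ValueError("authorization endpoint must use https")
    scopes = ["openid"]
    if service is not None:
        if service not in advertised_services(discovery):
            raise ValueError(f"broker service not advertised: {service!r}")
        scopes.append(SERVICE_PREFIX + service)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": secrets.token_urlsafe(16),  # CSRF protection for the callback
        "nonce": secrets.token_urlsafe(16),  # binds the ID token to this request
    }
    return endpoint + "?" + urlencode(params)


if __name__ == "__main__":
    print(build_auth_url(SAMPLE_DISCOVERY, "demo-client",
                         "https://app.example.test/callback", service="iDIN"))
```

Checking the requested name against the advertised list on the client side makes a typo or a removed service an explicit error in the relying party rather than a login that proceeds under a different configuration than intended.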