
# eHerkenning

# About eHerkenning

Service providers in the Netherlands can use eHerkenning to allow users to log in on behalf of their organisations. They can also allow users of (non-Dutch) European eIDs to log into their services through the eHerkenning network. More information on eHerkenning is available on the eHerkenning website.

# Service catalogues

In order to publish a service in the eHerkenning network so that organisations can authorise their members to log into those services, data on the service must be published to eHerkenning. This data is published through so-called service catalogues. A service catalogue can contain information for multiple services.

Service catalogues define information about your services. Services are indicated through a ServiceID, which contains an Overheids Identificatie Number (OIN, or Government Identification Number). More information about OINs can be found here. The ServiceID format is:

```
urn:etoegang:DV:<OIN>:services:<service index>
```

The required Level of Assurance for each of your services is listed in the service catalogue; each service can have its own Level of Assurance. The catalogue also indicates which kind of identifying attribute (EntityConcernedTypesAllowed) you want to receive in your application and whether you wish to enable eIDAS (Classifier). More detailed information on service catalogues.

To create a service catalogue, copy the following information into a text file and fill it out. Send this file to technicalsupport@connectis.com. Connectis will ensure the eHerkenning / eIDAS network will subsequently be updated with your changes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<esc:ServiceCatalogue xmlns:esc="urn:etoegang:1.13:service-catalog" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      esc:IssueInstant="2019-12-28T10:19:57Z" esc:Version="urn:etoegang:1.13:53"
                      ID="198d678c-239e-43c4-acf7-b4f6f1f6d8c0">
    <esc:ServiceProvider esc:IsPublic="true">
        <esc:ServiceProviderID><!-- OIN of the organisation --></esc:ServiceProviderID>
        <esc:OrganizationDisplayName xml:lang="nl"><!-- Name of the organisation --></esc:OrganizationDisplayName>
        <esc:ServiceDefinition esc:IsPublic="true">
            <esc:ServiceUUID><!-- generate a unique ID via uuidgenerator.net --></esc:ServiceUUID>
            <esc:ServiceName xml:lang="nl"><!-- Name of the service --></esc:ServiceName>
            <esc:ServiceName xml:lang="en"><!-- Name of the service --></esc:ServiceName>
            <esc:ServiceDescription xml:lang="nl"><!-- Description of the service --></esc:ServiceDescription>
            <esc:ServiceDescription xml:lang="en"><!-- Description of the service --></esc:ServiceDescription>
            <esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:<!-- LoA of the service --></saml:AuthnContextClassRef>
            <esc:HerkenningsmakelaarId>00000003244440010000</esc:HerkenningsmakelaarId>
            <esc:EntityConcernedTypesAllowed>urn:etoegang:1.9:EntityConcernedID:KvKnr</esc:EntityConcernedTypesAllowed>
            <esc:ServiceRestrictionsAllowed>urn:etoegang:1.9:ServiceRestriction:Vestigingsnr</esc:ServiceRestrictionsAllowed>
        </esc:ServiceDefinition>
        <esc:ServiceInstance esc:IsPublic="true">
            <esc:ServiceID>urn:etoegang:DV:<!-- OIN -->:services:<!-- Service Index --></esc:ServiceID>
            <esc:ServiceUUID><!-- generate a unique ID via uuidgenerator.net --></esc:ServiceUUID>
            <esc:InstanceOfService><!-- UUID of service definition --></esc:InstanceOfService>
            <!-- "vul hier een service url in" is a placeholder: enter a service URL -->
            <esc:ServiceURL xml:lang="nl">vul hier een service url in</esc:ServiceURL>
            <esc:ServiceURL xml:lang="en">vul hier een service url in</esc:ServiceURL>
            <!-- "vul hier een privacy url in" is a placeholder: enter a privacy policy URL -->
            <esc:PrivacyPolicyURL xml:lang="nl">vul hier een privacy url in</esc:PrivacyPolicyURL>
            <esc:PrivacyPolicyURL xml:lang="en">vul hier een privacy url in</esc:PrivacyPolicyURL>
            <esc:HerkenningsmakelaarId>00000003244440010000</esc:HerkenningsmakelaarId>
            <esc:SSOSupport><!-- a boolean that indicates if the service supports SingleSignOn --></esc:SSOSupport>
            <esc:ServiceCertificate>
                <md:KeyDescriptor use="encryption">
                    <ds:KeyInfo>
                        <ds:KeyName>..............</ds:KeyName>
                        <ds:X509Data>
                            <ds:X509Certificate>..............</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                </md:KeyDescriptor>
            </esc:ServiceCertificate>
        </esc:ServiceInstance>
    </esc:ServiceProvider>
</esc:ServiceCatalogue>
```

# How to configure identifying attributes

By setting a value for EntityConcernedTypesAllowed, you determine which types of identifying attributes (in other words, which kinds of users) are allowed to log into your service. Different values can be used, depending on whether your service is coupled to eHerkenning or eIDAS.

The following values for EntityConcernedTypesAllowed are available for eHerkenning:

| Value | Description |
| --- | --- |
| EntityConcernedID:RSIN | Used to identify a user through the RSIN (Rechtspersonen en Samenwerkingsverbanden Identificatienummer) (Legal persons and Partnerships Identification Number) of the represented organisation. |
| EntityConcernedID:KvKnr | The KvK number (Dutch Chamber of Commerce number) of the represented organisation. |
| ServiceRestriction:Vestigingsnr | Can only be used together with EntityConcernedID:KvKnr. The field “vestigingsnummer (nieuwe formaat)” (“branch number (new format)”) as available in the Chamber of Commerce will be included in the response. |

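
A pre-submission check for a filled-in catalogue, added here as an example (not Connectis or eHerkenning code): it verifies the ServiceID format, that InstanceOfService points at a ServiceDefinition UUID, and that Vestigingsnr is only combined with KvKnr. The 20-digit OIN, the numeric service index, the match between the ServiceID OIN and ServiceProviderID, and the https check are assumptions; `check_catalogue` and the OIN and UUIDs in the sample are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"esc": "urn:etoegang:1.13:service-catalog"}
# Assumptions: an OIN is 20 digits and the service index is numeric.
SERVICE_ID = re.compile(r"^urn:etoegang:DV:(\d{20}):services:(\d+)$")
KVK = "urn:etoegang:1.9:EntityConcernedID:KvKnr"
VESTIGING = "urn:etoegang:1.9:ServiceRestriction:Vestigingsnr"

def texts(elem, tag):
    return [(e.text or "").strip() for e in elem.findall(f"esc:{tag}", NS)]

def check_catalogue(xml_text):
    """Return a list of problems found in a filled-in service catalogue."""
    problems = []
    for sp in ET.fromstring(xml_text).findall("esc:ServiceProvider", NS):
        oin = "".join(texts(sp, "ServiceProviderID"))
        definitions = set()
        for sd in sp.findall("esc:ServiceDefinition", NS):
            definitions.update(texts(sd, "ServiceUUID"))
            if (VESTIGING in texts(sd, "ServiceRestrictionsAllowed")
                    and KVK not in texts(sd, "EntityConcernedTypesAllowed")):
                problems.append("Vestigingsnr restriction without KvKnr")  # page rule
        for si in sp.findall("esc:ServiceInstance", NS):
            for sid in texts(si, "ServiceID"):
                m = SERVICE_ID.match(sid)
                if not m:
                    problems.append(f"malformed ServiceID: {sid!r}")
                elif m.group(1) != oin:  # assumption: the provider's own OIN
                    problems.append(f"ServiceID OIN differs from provider: {sid}")
            problems += [f"InstanceOfService {r!r} has no definition"
                         for r in texts(si, "InstanceOfService") if r not in definitions]
            for tag in ("ServiceURL", "PrivacyPolicyURL"):  # added check, not a page rule
                problems += [f"{tag} is not an https URL: {u!r}"
                             for u in texts(si, tag) if not u.startswith("https://")]
    return problems

# Constructed sample (hypothetical OIN and UUIDs), trimmed to the checked fields.
SAMPLE = """<esc:ServiceCatalogue xmlns:esc="urn:etoegang:1.13:service-catalog"><esc:ServiceProvider>
<esc:ServiceProviderID>00000001234567890000</esc:ServiceProviderID><esc:ServiceDefinition><esc:ServiceUUID>aaaa-1</esc:ServiceUUID>
<esc:EntityConcernedTypesAllowed>urn:etoegang:1.9:EntityConcernedID:RSIN</esc:EntityConcernedTypesAllowed>
<esc:ServiceRestrictionsAllowed>urn:etoegang:1.9:ServiceRestriction:Vestigingsnr</esc:ServiceRestrictionsAllowed>
</esc:ServiceDefinition><esc:ServiceInstance>
<esc:ServiceID>urn:etoegang:DV:00000001234567890000:services:service index</esc:ServiceID>
<esc:InstanceOfService>bbbb-2</esc:InstanceOfService><esc:ServiceURL>vul hier een service url in</esc:ServiceURL>
</esc:ServiceInstance></esc:ServiceProvider></esc:ServiceCatalogue>"""

if __name__ == "__main__":
    print("\n".join(check_catalogue(SAMPLE)))
```

The sample deliberately leaves template placeholders unfilled, so each check reports one problem.
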
Last updated: 7/5/2021, 4:01:16 PM