DigiD consists of a username and a password, and optionally an additional verification step via SMS. Another alternative is the DigiD mobile app, also supported by Signicat.
The DigiD scheme is managed by Logius:
Logius is the digital government service of the Netherlands Ministry of the Interior and Kingdom Relations (BZK). It maintains government-wide ICT solutions and common standards that simplify the communication between authorities, citizens and businesses, with a view to cohesion of the e-government networks. Logius supplies products relating to access, data exchange, standardization and information security.
Hence, the following types of organisations are eligible to use DigiD:
- The organisation is a public organisation or a private organisation which is legally authorized to handle a public task.
- The organisation is allowed – on a legal basis – to use the BSN for this public task.
- The task for which DigiD is used is a public one.
Access to the scheme is controlled by means of the PKIoverheid-certificate regime, which is described in more detail in the PKIoverheid section on the Logius website.
There are four levels of authentication strength available in DigiD:
- Basic/“Basis” (username & password)
- Middle/“Midden” (username, password and an additional SMS with one time verification code)
- Substantial/“Substantieel” (authentication with a method which is issued after checking the holder’s identity document)
- High/“Hoog” (authentication with a personal certificate on an identity document)
The user can choose which level to use when logging in, although a service provider might choose to require a certain level if it is deemed necessary. Signicat will configure the minimum level for you when we onboard you to the service.
For more information about what is required in order for a user to obtain DigiD credentials etc., please refer to Functionele_Beschrijving_DigiD.pdf.
The main attributes you will receive are the following:
- The confidence level of the authentication. This confidence level will be equal to or greater than the requested level. The optional values are:
  Confidence level   Code
  Basis              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  Midden             urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
  Substantieel       urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
  Hoog               urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
- A combination of sector code with personal number. The sector code can have the 2 values below, and describes the type of the personal number.
  Sector code   Type of personal number
  S00000001     Social security number, used by (for example) the Social Insurance Bank (SVB) for Dutch citizens who emigrated before the BSN was introduced.
  S00000000     BSN
The establishment of DigiD consists of:
- The integration with Signicat. During implementation, you can use our demo service to test your implementation. No certificates are needed to test with this service.
- The ordering process of PKIoverheid certificates (for both preprod and production) from one of the approved PKIoverheid issuers. Signicat will assist you during this ordering process by providing you with the relevant information. We advise you to start ordering certificates as soon as possible.
- The registration of your certificates and metadata at Logius. Signicat will guide you in this process and provide you with the right metadata.
- The approval of your implementation by Logius, both for preprod and prod. We will share the details of this process with you via e-mail.
Both your preprod and production need to be approved by Logius. Logius will use this checklist to check your implementation: https://www.logius.nl/sites/default/files/public/bestanden/diensten/DigiD/DigiD-Checklist-Testen.pdf
Points of attention:
- Because Signicat does not use the Single Sign-On (“Eenmalig inloggen”) functionality within DigiD, there is no need to use the sign-out functionality from the DigiD side (“Federatief uitloggen”). However, DigiD requires that the end-user is able to sign out. This function must be implemented by the customer.
- The customer is also obliged to manage a local session for the end-user. For this session, a maximum inactivity period of 15 minutes applies. This must be implemented by the customer as well. The customer must be able to recognize replay attacks and be able to mitigate these attacks.
The service provider must implement a correct interpretation of the sector code. This means checking whether the returned sector code matches the expected sector code and handling it appropriately; if an unexpected sector code is returned, the authentication must be cancelled.
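As an added example (not Signicat's or Logius's code), the checks described above applied in Python to an already signature-verified SAML result: comparing the returned confidence level against the requested minimum, enforcing the expected sector code, detecting a replayed assertion, and applying the 15-minute inactivity rule to the local session. The shape of the result dictionary and the helper names are assumptions; the sample values are constructed.

```python
import time

# AuthnContextClassRef URNs returned by DigiD, ordered by strength (see table above)
BASIS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MIDDEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
SUBSTANTIEEL = "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"
HOOG = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
LEVELS = {BASIS: 1, MIDDEN: 2, SUBSTANTIEEL: 3, HOOG: 4}

SECTOR_BSN = "S00000000"      # sector code that marks the personal number as a BSN
MAX_IDLE_SECONDS = 15 * 60    # maximum inactivity period for the local session


class AuthnRejected(Exception):
    """The authentication must be cancelled."""


def accept_digid_result(result, minimum_level, seen_assertion_ids, expected_sector=SECTOR_BSN):
    """Check attributes of a signature-verified SAML response; `result` is a hypothetical
    dict with keys assertion_id, authn_context, sector_code, personal_number."""
    # Replay detection: every assertion ID may be consumed only once.
    if result["assertion_id"] in seen_assertion_ids:
        raise AuthnRejected("replayed assertion")
    seen_assertion_ids.add(result["assertion_id"])

    # Returned confidence level must be known and at least the level requested.
    got = LEVELS.get(result["authn_context"])
    if got is None or got < LEVELS[minimum_level]:
        raise AuthnRejected("confidence level below the requested minimum")

    # Sector code must match what the service expects; anything else cancels the login.
    if result["sector_code"] != expected_sector:
        raise AuthnRejected("unexpected sector code %r" % result["sector_code"])
    return result["personal_number"]


def session_still_valid(last_activity, now=None):
    """Local session rule: invalid after MAX_IDLE_SECONDS without activity."""
    now = time.time() if now is None else now
    return (now - last_activity) <= MAX_IDLE_SECONDS


# Constructed sample result (not real data) for trying the checks.
SAMPLE_RESULT = {
    "assertion_id": "_constructed-assertion-1",
    "authn_context": MIDDEN,
    "sector_code": SECTOR_BSN,
    "personal_number": "000000000",  # placeholder, not a real BSN
}
```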
A PKIoverheid certificate is needed to use DigiD. We will help you by providing the required info to order a PKIoverheid certificate (both for preprod and production).
No graphical customization is needed.
Signicat offers 24/7/365 free access to the preproduction environment.
The following credentials may be used when testing DigiD: