Set up DigiD CombiConnect
This page shows how to set up a DigiD CombiConnect connection through Signicat.
Prerequisites
Before you continue, make sure that you have:
- Followed the Initial preparations.
- Signed up and configured the Signicat Dashboard.
- Purchased PKIoverheid certificates for both pre-production and production environments.
1. Add DigiD CombiConnect in the Dashboard
When you want to use an eID, you first need to activate it in the Signicat Dashboard. To do this for DigiD CombiConnect, follow these steps:
- In the Signicat Dashboard, navigate to Products > eID and Wallet Hub > eIDs.
- Select + Add new in the top right.
- Choose the eID from the list. Add any required configuration, then select Add.
- Now, review that the eID is available and set to "Active" in the eIDs list.
If you cannot activate DigiD CombiConnect or require assistance, you can contact us by creating a support ticket in the Signicat Dashboard.
eID configuration
DigiD CombiConnect Dashboard settings
In the DigiD CombiConnect configuration page, you can adjust the following (optional) settings:
Adjust the settings as necessary and click Save to apply the changes.
2. Get Signicat metadata
When you activate DigiD CombiConnect in the Signicat Dashboard, you can download the Signicat SAML metadata (in XML format). To get the metadata file:
- In the Signicat Dashboard, navigate to Products > eID and Wallet Hub > eIDs.
- Select DigiD CombiConnect from the list of active eIDs.
- Select Get Signicat metadata to download the XML file to your device.
You need to provide the Signicat metadata when applying for DigiD CombiConnect with Logius in the next step.
3. Request a DigiD CombiConnect connection from Logius
To connect to DigiD CombiConnect, you need to send a request to Logius. In the application form, you need to provide Signicat's metadata that you obtained in the previous step. Follow these steps:
- Request a CombiConnect connection by filling in the CombiConnect - Aansluitformulier.
- Provide details about your service by filling in the CombiConnect - Dienstgegevensformulier.
- To add DigiD Machtigen, you need to submit a change request by filling in the CombiConnect - Wijzigingsformulier where you request to add DigiD Machtigen to your existing DigiD CombiConnect connection.
According to the Logius Roadmap, you receive connection details for access to a DigiD CombiConnect environment within five working days. However, note that Logius has a waiting list for processing connections to CombiConnect and gives priority to certain sectors, such as healthcare. You should also consider that you need to prepare your organisation and application for processing the functionality and data from DigiD Machtigen.
Note that you will need to perform this step both for pre-production and, after pre-production is approved, again for production.
4. Set up a connection with a protocol
To establish a connection between DigiD CombiConnect and your application, you need to use an authentication protocol.
Note that you only need to connect to Signicat eID and Wallet Hub servers. Signicat handles the connection with DigiD CombiConnect separately, therefore acting as a message broker between your application and DigiD CombiConnect.
Choose a protocol
Signicat supports the standard OpenID Connect (OIDC) and SAML 2.0 protocols. In addition, we offer our bespoke Signicat Authentication REST API.
The protocol you choose depends on your goals and preferences. The Authentication REST API provides flexibility and an easy setup. Otherwise, we recommend OIDC, since SAML 2.0 is much more complex to implement and usually requires a federation agent. OIDC is an industry standard with managed user sessions, unlike the Authentication REST API.
To learn more about these authentication protocols, see the Signicat eID and Wallet Hub documentation.
Set up the protocol
For information on how to set up the different protocols, see the eID and Wallet Hub - Quick start guide.
5. Build the authentication request
To initiate an authentication flow, you need to build an authentication URL. This is the DigiD authorisation server where you route the end-user to start the authentication flow and log in with their credentials.
How you build the authentication URL depends on these factors:
- The authentication protocol you use in the integration: OIDC, SAML or Authentication REST API.
- The authentication flow chosen by the end-user: DigiD or DigiD Machtigen.
DigiD and DigiD Machtigen authentication flows
You craft your authentication request differently depending on the authentication flow chosen by your end-user. The possible flows are:
- (Standard) DigiD: Applies to end-users who want to log in on their own.
- DigiD Machtigen (Authorisation): Applies to end-users authorised to log in on behalf of another individual.
In your application, you need to provide options for each of these flows, for example by displaying separate buttons. The end-user's choice determines the authentication request that your application builds and sends to Signicat, as explained in the next section.
Obtain the flow identifiers
First, you need to retrieve the flow identifier that matches the flow type. Flow identifiers allow you to route your end-users to the appropriate authentication flow, either (Standard) DigiD or DigiD Machtigen (Authorisation).
A flow identifier follows this syntax: urn:nl-eid-gdi:1.0:<FLOW_CODE>:<OIN>:entities:<ENTITY_ID>
The FLOW_CODE is a static value that identifies the type of DigiD service you are using. It is determined by the specific metadata URL you access.
For the flows described here, the codes are:
- (Standard) DigiD: TD
- DigiD Machtigen: BVD
The ENTITY_ID is a placeholder for the Entity Index (for example, 9000). This value is configurable in the Signicat Dashboard using the Entity index (0-9999) field in your connection settings, as explained in the eID configuration section.
Default values:
- Sandbox accounts: the default Entity Index is 9000.
- Production accounts: the default Entity Index is 0001.
You can specify a different index for your entity using the Entity index (0-9999) field. This is particularly useful if you have multiple connections registered with Logius and need to distinguish them.
Important: If you update the index, you must save the configuration changes. After saving, you can download the updated metadata from the Dashboard and provide it to Logius.
Follow the instructions below to obtain the flow identifier for the appropriate DigiD authentication flow.
(Standard) DigiD flow identifiers
To obtain the flow identifiers for Standard DigiD connections, follow these steps:
- Go to the respective metadata page for your environment:
- Pre-production: https://api-preprod1.digid.nl/saml/v4/entrance/metadata
- Production: https://api.digid.nl/saml/v4/entrance/metadata
- In the EntityDescriptor element, find the entityID attribute and copy its value. This is the flow identifier you need to use as a query parameter in your request.
The flow identifier will have a format similar to this:
urn:nl-eid-gdi:1.0:TD:00000004183317817000:entities:9000
Remember that the flow code for Standard DigiD flows is TD.
DigiD Machtigen (Authorisation) flow identifiers
To obtain the flow identifiers for DigiD Machtigen connections, follow these steps:
- Go to the respective metadata page for your environment:
- Pre-production: https://api-preprod1.digid.nl/saml/v4/bvd/metadata
- Production: https://api.digid.nl/saml/v4/bvd/metadata
- In the EntityDescriptor element, find the entityID attribute and copy its value. This is the flow identifier you need to use as a query parameter in your request.
The flow identifier will have a format similar to this:
urn:nl-eid-gdi:1.0:BVD:00000004003214345001:entities:9000
Remember that the flow code for DigiD Machtigen flows is BVD.
How to build your request
To specify which flow to use for authentication, you need to pass the flow identifiers as a query parameter in your request, similarly to how you would specify the eIDs with IdP scoping.
For instructions on how to specify the flow with OIDC or the Authentication REST API, you can contact us by creating a support ticket in the Signicat Dashboard.
When using SAML, you can specify the flow you want to offer in the ProviderID property of the IDPEntry field, as shown below:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AttributeConsumingServiceIndex="1"
Destination="https://*YOUR_SIGNICAT_DOMAIN*/auth/saml/login" ForceAuthn="false"
ID="_aeaf5a7ddbc280bde07a1024f0574b70" IssueInstant="2021-03-09T10:47:58.502Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
ENTITY_ID
</saml2:Issuer>
<saml2p:Scoping>
<saml2p:IDPList>
<saml2p:IDPEntry ProviderID="digid-combiconnect"/>
<saml2p:IDPEntry ProviderID="urn:nl-eid-gdi:1.0:BVD:00000004003214345001:entities:9000"/>
</saml2p:IDPList>
</saml2p:Scoping>
</saml2p:AuthnRequest>
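As an added example (not part of the Signicat documentation, and not Signicat's or Logius's code), the following Python script ties the previous two sections together: it reads the entityID from a constructed sample of the metadata document, validates it against the flow identifier syntax given under "Obtain the flow identifiers", and only then places it in the IDPList of an AuthnRequest shaped like the one above. The OIN and entity index in the sample are made-up values; the issuer and domain are placeholders; and the regular expression's assumptions (all-digit OIN, entity index of at most four digits within 0-9999) are mine, taken from the page's examples rather than from a Logius specification.

```python
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Flow codes listed on the page: TD for (Standard) DigiD, BVD for DigiD Machtigen.
FLOW_CODES = {"TD": "(Standard) DigiD", "BVD": "DigiD Machtigen"}

# Documented syntax: urn:nl-eid-gdi:1.0:<FLOW_CODE>:<OIN>:entities:<ENTITY_ID>
# Assumption (mine, from the page's examples): the OIN is all digits and the
# entity index is at most four digits in the range 0-9999.
FLOW_ID_RE = re.compile(
    r"^urn:nl-eid-gdi:1\.0:(?P<flow>[A-Z]+):(?P<oin>\d+):entities:(?P<index>\d{1,4})$"
)

# Constructed sample of a DigiD metadata document, reduced to the element the
# page tells you to read. The OIN and index are made-up sample values.
SAMPLE_BVD_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:nl-eid-gdi:1.0:BVD:00000004003214345001:entities:9000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def extract_flow_identifier(metadata_xml):
    """Return the entityID attribute of the EntityDescriptor root element."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{SAML_MD}}}EntityDescriptor":
        raise ValueError(f"expected a SAML EntityDescriptor root, got {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id


def parse_flow_identifier(flow_id):
    """Validate a flow identifier against the documented syntax and split it up."""
    m = FLOW_ID_RE.match(flow_id)
    if not m:
        raise ValueError(f"not a DigiD flow identifier: {flow_id!r}")
    flow = m.group("flow")
    if flow not in FLOW_CODES:
        raise ValueError(f"unknown flow code {flow!r}; expected one of {sorted(FLOW_CODES)}")
    return {
        "flow": flow,
        "service": FLOW_CODES[flow],
        "oin": m.group("oin"),
        "index": int(m.group("index")),
    }


def build_authn_request(issuer_entity_id, signicat_domain, flow_id,
                        request_id=None, issue_instant=None):
    """Build an AuthnRequest scoped to DigiD CombiConnect and the chosen flow.

    The flow identifier is validated first, so a mistyped or untrusted value
    (for example one taken from a user-controlled parameter) never reaches
    the outgoing request.
    """
    parse_flow_identifier(flow_id)
    ET.register_namespace("saml2p", SAMLP)
    ET.register_namespace("saml2", SAML)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "AttributeConsumingServiceIndex": "1",
        "Destination": f"https://{signicat_domain}/auth/saml/login",
        "ForceAuthn": "false",
        # SAML IDs must start with a letter or underscore, never a digit.
        "ID": request_id or "_" + uuid.uuid4().hex,
        "IssueInstant": issue_instant
        or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "Version": "2.0",
    })
    issuer = ET.SubElement(root, f"{{{SAML}}}Issuer")
    issuer.text = issuer_entity_id
    scoping = ET.SubElement(root, f"{{{SAMLP}}}Scoping")
    idp_list = ET.SubElement(scoping, f"{{{SAMLP}}}IDPList")
    # First entry selects the DigiD CombiConnect eID, second entry selects the flow.
    ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": "digid-combiconnect"})
    ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": flow_id})
    return ET.tostring(root, encoding="unicode")


def idp_entries(authn_request_xml):
    """Return the ProviderID values of the request's IDPList, in document order."""
    root = ET.fromstring(authn_request_xml)
    return [e.get("ProviderID") for e in root.iter(f"{{{SAMLP}}}IDPEntry")]


if __name__ == "__main__":
    # Placeholder issuer and domain, as on the page; replace with your own values.
    flow_id = extract_flow_identifier(SAMPLE_BVD_METADATA)
    print(parse_flow_identifier(flow_id))
    print(build_authn_request("YOUR_ENTITY_ID", "YOUR_SIGNICAT_DOMAIN", flow_id))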
6. Use scopes and attributes
To learn more about attributes, scopes and claims supported by each authentication protocol, visit the Attributes reference page.
7. Get your pre-production setup approved
After you set up the pre-production web/mobile service connection, you need to test it and submit a request for approval by Logius. Here are the steps to follow:
- Test your implementation using the Checklist for connecting to DigiD.
- Apply changes to meet the requirements.
- Ask Logius to verify your integration by requesting a connection test with the form CombiConnect - Aansluitformulier voor één DigiD dienst.
After Logius approves your pre-production connection, you are ready to integrate with DigiD CombiConnect in production.