# Go to production
Important
To set up DigiD in production, you first need to get your pre-production integration approved by Logius. Make sure you have completed the steps described in the Setup up DigiD pre-producuction page.
Page contents
# Prerequisites
To go to production, you must first meet these prerequisites:
- Purchase a PKIoverheid certificate for production
- Get your pre-production setup approved by Logius
# 1. Create a production account
To connect to DigiD in production, you need to create a production account with a custom domain in the Signicat Dashboard.
Go to the Signicat Dashboard (opens new window) and:
- Click the name of your organisation at the top left of the screen and then select Manage.
- Under Organisation management, click Add Account.
- Enter the name of your account under Account Name and tick the box for Production account.
- Click Create to create the new account.
In the next screen, select Add new domain to add a custom domain.
# Add a custom domain
To add a custom domain, follow the instructions for Custom domains. Then, return to this page to continue with the integration.
Custom domain
Note that you must add a custom domain. Accounts with a Signicat subdomain (for example, mycompany.app.signicat.com) cannot be used to connect to DigiD.
Using Let's Encrypt certificates
If you wish to use Let's Encrypt (opens new window) certificates as TLS/SSL server certificates for DigiD, you must use a .nl domain. Learn more in the Logius documentation (opens new window).
# 2 Upload PKIo certificates
Order certificates
This step assumes that you have already purchased a PKIoverheid certificate for production. Learn how in our documentation to Order certificates.
Now, upload the public part of the PKIo certificates (in .pem or .cer file extension) to the Signicat Dashboard.
To upload a certificate:
- Go to Account management > Signing Certificates (opens new window).
- In the Signing Certificates section, select Upload certificate and select the certificate from your device.
Alternatively, send them to support@signicat.com or the onboarding manager.
# 3. Add DigiD in the Dashboard
You can now add DigiD to your ID methods. To do this:
- In the Dashboard, navigate to eID Hub > ID Methods (opens new window).
- To enable the ID method, click Add new in the top right.
- Choose the ID method from the list. Then, click Save.
- Now you can see the ID method listed and enabled with status "Active" in the ID methods list.
# ID method configuration
You can edit the settings of your DigiD connection:
Click to expand
- Strip sector code from nameID: Logius sends a prefix with the citizen service number (BSN). Some service providers can't handle that. Tick this checkbox to strip away the sector code/prefix.
Advanced configuration
To configure advanced settings, select the "Advanced" tab in the DigiD page and specify:
Select attribute filter: Attribute filters allow you to filter out certain attributes to make the response more concise for further processing in your software.
Include only when scoped: Signicat eID Hub provides scoped IdP functionality.
Response attribute mappings: You can customise the name of the attributes received in the response body. Provide none or multiple name-to-name mappings.
Use web flow on mobile device: If you are configuring the WEB flow for your connection, you may still want to use it from mobile devices. If you are using the DigiD app, the redirect (in some situations) opens in the mobile device's native browser. In such cases, we need to perform an operation called "session restoration" which may incur in security issues. We have taken a number of mitigations on our side to reduce the risks of such threats. However, some risks cannot be addressed on our side. If you want to use this option, you have to accept such risks. For further information, contact our Signicat Support at support@signicat.com.
Mitigating risks
To fully mitigate the residual risk, we recommend you implement the following on your side: You should only accept a response back from Signicat if you are able to match that response to a request that you have sent earlier. You can achieve this, for instance, by storing the request you have sent in the user session.
Adjust the settings as necessary and click Save to apply the changes.
# 4. Get Signicat metadata
To apply for a DigiD connection with Logius, you need the Signicat SAML metadata (in XML format). To download the metadata file:
- In the Signicat Dashboard, go to eID Hub > ID methods (opens new window).
- Select DigiD from the list of active ID methods.
- Select Get Signicat metadata to download the XML file to your device.
# 5. Request DigiD in production
To connect to DigiD production environment, you need to fill in the Logius Aanvraagformulier (opens new window). In the application form, upload the Signicat metadata in XML format that you obtained in the previous step.
# 6. Set up a connection with a protocol
To establish a connection between Signicat DigiD and your application, you need to use an authentication protocol.
# Choose a protocol
Supported protocols
Signicat supports the standard OIDC and SAML 2.0 protocols. In addition, we offer the Signicat Authentication REST API.
Choice of protocol depends on what you prefer and what you want to achieve. The Authentication REST API gives you a lot of flexibility and is easy to set up. Between the other two, we recommend using OIDC, since SAML 2.0 is much more complex to implement on your side and usually requires a federation agent already in place. OIDC is industry standard and you do not need to manage user sessions on your own (like with the Authentication REST API).
For more information about the different protocol types, see the general Authentication protocols section.
# Set up the protocol
For information on how to set up the different protocols, see the eID Hub - Quick start guide.
# Data and attributes
To learn more about attributes, scopes and claims supported by each authentication protocol, visit the Attributes reference page.
# 7. Activate your connection
Submit a request for activation of your connection to the DigiD production environment in the DigiD Wijzigingsformulier (opens new window). In the form, select "Ik wil mijn productieaansluiting activeren".
# 8. Ask Logius to approve your connection
After you set up the connection in production, you need to test it and submit a request for approval by Logius.
- Test your implementation using the Checklist for connecting to DigiD (opens new window).
- Apply changes to meet the requirements.
- Ask Logius to verify your integration by requesting a connection test with the form Aanvragen test DigiD-aansluiting (opens new window).
# 9. Audit and assessment
Your DigiD integration in production should adhere to security standards to ensure secure end-user authentication. Logius performs audits and checks to ensure your infrastructure and connection comply with such requirements.
Your DigiD integration must undergo an official assessment by an external and certified DigiD auditor within two months after going to production.
Additionally, organisations that use DigiD must conduct an annual IT security assessment.
Arrange the audits according to the specifications in the DigiD ICT-beveiligingsassessments (opens new window) guide.
Signicat TPM certificate
Signicat, as a third party involved in the provision of services for the web application that uses DigiD, undergoes a Third-Party Mededeling (TPM) DigiD yearly assessment. Signicat tries to plan the TPM audit as early as possible in the year. We provide our DigiD Generieke TPM certificate to use in your audit.
Note that the yearly required assessment planning for municipalities in NL and for DigiD occurs at different times of the year and might lead to some delays.
We recommend you plan sufficient time around the assessment with municipalities' own audits.