Go to production

Important

To set up DigiD in production, you first need to get your pre-production integration approved by Logius. Make sure you have completed the steps described in the Set up DigiD pre-production page.

Prerequisites

To go to production, you must first meet these prerequisites:

1. Create a production account

To connect to DigiD in production, you need to create a production account with a custom domain in the Signicat Dashboard.

Go to the Signicat Dashboard and:

  1. Click the name of your organisation at the top left of the screen and then select Manage.
  2. Under Organisation management, click Add Account.
  3. Enter the name of your account under Account Name and tick the box for Production account.
  4. Click Create to create the new account.

In the next screen, select Add new domain to add a custom domain.

Add a custom domain

To add a custom domain, follow the instructions for Custom domains. Then, return to this page to continue with the integration.

Custom domain

Note that you must add a custom domain. Accounts with a Signicat subdomain (for example, mycompany.app.signicat.com) cannot be used to connect to DigiD.

Using Let's Encrypt certificates

If you wish to use Let's Encrypt certificates as TLS/SSL server certificates for DigiD, you must use a .nl domain. Learn more in the Logius documentation.

2. Upload PKIo certificates

Order certificates

This step assumes that you have already purchased a PKIoverheid certificate for production. Learn how in our documentation to Order certificates.

Now, upload the public part of the PKIo certificates (a .pem or .cer file) to the Signicat Dashboard.

To upload a certificate:

  1. Go to Account management > Signing Certificates.
  2. In the Signing Certificates section, select Upload certificate and select the certificate from your device.

Alternatively, you can either:

3. Add DigiD in the Dashboard

You can now add DigiD to your ID methods. To do this:

  1. In the Dashboard, go to eID Hub > ID Methods.
  2. To enable the ID method, click Add new in the top right.
  3. Choose the ID method from the list. Then, click Save.
  4. Now you can see the ID method listed and enabled with status "Active" in the ID methods list.

ID method configuration

You can edit the settings of your DigiD connection:

DigiD Dashboard settings

  • Strip sector code from nameID: Logius sends a prefix with the citizen service number (BSN). Some service providers can't handle that. Tick this checkbox to strip away the sector code/prefix.

Advanced configuration

To configure advanced settings, go to the "Advanced" tab in the DigiD page and specify:

  • Select attribute filter: Select an attribute filter to control which attributes you want to include, or exclude, from the response. You can create attribute filters in the Dashboard > eID Hub > Advanced > Attribute filters.
  • Include only when scoped: If ticked, the ID method will not be visible by default on the ID method selection screen, unless you specify it by using IdP scoping.
  • Response attribute mappings: You can customise the name of the attributes received in the response body. Provide none or multiple name-to-name mappings.
  • Use web flow on mobile device: If you are configuring the WEB flow for your connection, you may still want to use it from mobile devices. When the DigiD app is used, the redirect back to Signicat (in some situations) opens in the mobile device's native browser, which is not the browser that started the flow. In such cases Signicat has to perform an operation called "session restoration", which introduces security risks. We have implemented a number of mitigations on our side to reduce these risks, but some of them cannot be addressed on our side. If you enable this option, you have to accept those residual risks. For further information, contact us by creating a support ticket in the Signicat Dashboard.
    Mitigating risks

    To fully mitigate the residual risk, we recommend you implement the following on your side: You should only accept a response back from Signicat if you are able to match that response to a request that you have sent earlier. You can achieve this, for instance, by storing the request you have sent in the user session.


Adjust the settings as necessary and click Save to apply the changes.
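The request-to-response matching recommended under "Mitigating risks" above, and the "Strip sector code from nameID" setting, can be illustrated with the following added example. This is not Signicat's or Logius's code: it is a minimal relying-party sketch that stores the outgoing request (OIDC state and nonce; for SAML the equivalent is the AuthnRequest ID that must come back in InResponseTo) in the user's server-side session and only accepts a callback that matches it. The in-memory session dict, the five-minute request lifetime and the `<sectorcode>:<bsn>` nameID layout are assumptions for the example.

```python
import secrets
import time

# Assumed lifetime of an outstanding authentication request (seconds).
REQUEST_TTL_SECONDS = 300


def start_login(session):
    """Create an outgoing authentication request and remember it in the session.

    `session` stands in for the framework's server-side session object (here a
    plain dict). Returns the values that go into the redirect to the IdP: for
    OIDC the 'state' request parameter and the 'nonce' that is later echoed in
    the ID token; for SAML you would store the AuthnRequest ID the same way.
    """
    pending = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "issued_at": time.time(),
    }
    session["pending_auth"] = pending
    return {"state": pending["state"], "nonce": pending["nonce"]}


def handle_callback(session, response, now=None):
    """Accept a response only if it matches a request this session sent earlier.

    `response` is a dict with the 'state' returned on the callback URL and the
    'nonce' claim taken from the (already signature-verified) ID token.
    Returns (accepted, reason). The pending request is consumed on every
    attempt, so the same response cannot be delivered into the session twice.
    """
    now = time.time() if now is None else now
    pending = session.pop("pending_auth", None)
    if pending is None:
        # Unsolicited response: nothing in this session asked for it.
        return False, "no pending request in this session"
    if now - pending["issued_at"] > REQUEST_TTL_SECONDS:
        return False, "pending request expired"
    # Constant-time comparison so the check does not leak via timing.
    if not secrets.compare_digest(pending["state"], response.get("state", "")):
        return False, "state does not match the request we sent"
    if not secrets.compare_digest(pending["nonce"], response.get("nonce", "")):
        return False, "nonce does not match the request we sent"
    return True, "response matched pending request"


def strip_sector_code(name_id):
    """Return the bare BSN from a nameID of the assumed form '<sectorcode>:<bsn>'.

    Mirrors the 'Strip sector code from nameID' Dashboard setting for service
    providers that cannot handle the prefix. A value without a prefix is
    returned unchanged.
    """
    _sector, sep, bsn = name_id.partition(":")
    return bsn if sep else name_id


if __name__ == "__main__":
    # Constructed walk-through: a legitimate round trip, then a replay.
    session = {}
    outgoing = start_login(session)
    print(handle_callback(session, dict(outgoing)))   # accepted
    print(handle_callback(session, dict(outgoing)))   # rejected: already consumed
    print(strip_sector_code("s00000000:123456782"))   # constructed BSN value
```

The important property is that the only thing that can satisfy `handle_callback` is a response carrying values this particular session generated; a response captured elsewhere, an unsolicited one, or one arriving long after the request fails, whatever Signicat's session restoration did in between.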

4. Get Signicat metadata

To apply for a DigiD connection with Logius, you need the Signicat SAML metadata (in XML format). To download the metadata file:

  1. In the Signicat Dashboard, go to eID Hub > ID methods.
  2. Select DigiD from the list of active ID methods.
  3. Select Get Signicat metadata to download the XML file to your device.

5. Request DigiD in production

To connect to the DigiD production environment, you need to fill in the Logius Aanvraagformulier. In the application form, upload the Signicat metadata in XML format that you obtained in the previous step.

6. Set up a connection with a protocol

To establish a connection between Signicat DigiD and your application, you need to use an authentication protocol.

Choose a protocol

Supported protocols

Signicat supports the standard OIDC and SAML 2.0 protocols. In addition, we offer the Signicat Authentication REST API.

Choice of protocol depends on what you prefer and what you want to achieve. The Authentication REST API gives you a lot of flexibility and is easy to set up. Between the other two, we recommend using OIDC, since SAML 2.0 is much more complex to implement on your side and usually requires a federation agent already in place. OIDC is an industry standard and, unlike the Authentication REST API, does not require you to manage user sessions on your own.

For more information about the different protocol types, see the Signicat eID Hub documentation.

Set up the protocol

For information on how to set up the different protocols, see the eID Hub - Quick start guide.

Data and attributes

To learn more about attributes, scopes and claims supported by each authentication protocol, visit the Attributes reference page.

7. Activate your connection

Submit a request for activation of your connection to the DigiD production environment in the DigiD Wijzigingsformulier. In the form, select "Ik wil mijn productieaansluiting activeren".

8. Ask Logius to approve your connection

After you set up the connection in production, you need to test it and submit a request for approval by Logius.

9. Audit and assessment

Your DigiD integration in production should adhere to security standards to ensure secure end-user authentication. Logius performs audits and checks to ensure your infrastructure and connection comply with such requirements.

Your DigiD integration must undergo an official assessment by an external and certified DigiD auditor within two months after going to production.

Additionally, organisations that use DigiD must conduct an annual IT security assessment.

Arrange the audits according to the specifications in the DigiD ICT-beveiligingsassessments guide.

Signicat TPM certificate

Signicat, as a third party involved in the provision of services for the web application that uses DigiD, undergoes a Third-Party Mededeling (TPM) DigiD yearly assessment. Signicat tries to plan the TPM audit as early as possible in the year. We provide our DigiD Generieke TPM certificate to use in your audit.

Note that the yearly assessment cycles for Dutch municipalities and for DigiD fall at different times of the year, which might lead to some delays.

We recommend that you plan sufficient time for the DigiD assessment alongside municipalities' own audits.