
Go to production

Important

To set up DigiD in production, you first need to get your pre-production integration approved by Logius. Make sure you have completed the steps described in the Set up DigiD pre-production page.

Prerequisites

To go to production, you must first meet these prerequisites:

1. Create a production account

To connect to DigiD in production, you need to set up a production account with a custom domain in the Signicat Dashboard. You can always reuse a production account that you created previously. To create a new production account, do the following:

  1. Go to Signicat Dashboard > Organisation management.
  2. Select Add Account.
  3. Enter the name of your account under Account Name and tick the box for Production account. Note that this requires that you have already completed your company's onboarding in the Dashboard.
  4. Select Create to create the new account.

In the next screen, select Add new domain to add a custom domain.

Add a custom domain

To add a custom domain, follow the instructions for Custom domains. Then, return to this page to continue with the integration.

Custom domain

Note that you must add a custom domain. Accounts with a Signicat subdomain (for example, mycompany.app.signicat.com) cannot be used to connect to DigiD.

Using Let's Encrypt certificates

If you wish to use Let's Encrypt certificates as TLS/SSL server certificates for DigiD, you must use a .nl domain. Learn more in the Logius documentation.

2. Upload PKIo certificates

Order certificates

This step assumes that you have already purchased a PKIoverheid certificate for production. To learn how, see Order certificates in our documentation.

Now, upload the public part of the PKIo certificates (a .pem or .cer file) to the Signicat Dashboard.

To upload a certificate:

  1. Go to Account management > Signing Certificates.
  2. In the Signing Certificates section, select Upload certificate and select the certificate from your device.

Alternatively, you can either:

3. Add DigiD in the Dashboard

You can now add DigiD to your eIDs. To do this:

  1. In the Signicat Dashboard, navigate to Products > eID and Wallet Hub > eIDs.
  2. Select + Add new in the top right.
  3. Choose the eID from the list. Add any required configuration, then select Add.
  4. Now, review that the eID is available and set to "Active" in the eIDs list.

eID configuration

You can edit the settings of your DigiD connection:

DigiD Dashboard settings

  • Strip sector code from nameID: Logius sends a prefix with the citizen service number (BSN). Some service providers can't handle that. Tick this checkbox to strip away the sector code/prefix.

Advanced configuration

To configure advanced settings, go to the "Advanced" tab in the DigiD page and specify:

  • Select attribute filter: Select an attribute filter to control which attributes you want to include, or exclude, from the response. To create attribute filters in the Dashboard, navigate to Products > eID and Wallet Hub > Advanced > Attribute filters.
  • Include only when scoped: If ticked, the eID will not be visible by default on the eID selection screen, unless you specify it by using IdP scoping.
  • Response attribute mappings: You can customise the name of the attributes received in the response body. Provide none or multiple name-to-name mappings.
  • Use web flow on mobile device: If you are configuring the WEB flow for your connection, you may still want to use it from mobile devices. If you are using the DigiD app, the redirect (in some situations) opens in the mobile device's native browser. In such cases, we need to perform an operation called "session restoration", which may introduce security issues. We have implemented a number of mitigations on our side to reduce the risks of such threats. However, some risks cannot be addressed on our side. If you want to use this option, you have to accept such risks. For further information, you can contact us by creating a support ticket in the Signicat Dashboard.
    Mitigating risks

    To fully mitigate the residual risk, we recommend you implement the following on your side: You should only accept a response back from Signicat if you are able to match that response to a request that you have sent earlier. You can achieve this, for instance, by storing the request you have sent in the user session.
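The recommendation above (only accept a response that you can match to a request you sent earlier, by remembering that request in the user session) works the same way for the SAML InResponseTo value and for the OIDC state value. The following is an added example of that check, not code from Signicat or from this page; the session is modelled as a plain dictionary, and the ten-minute lifetime is an assumption chosen for the example.

```python
"""Match an authentication response to a request recorded in the user's session.

Added example (not Signicat code). The pending-request store lives in the
user's session, so a response that arrives in a browser without that session
(the situation session restoration would otherwise paper over) is rejected.
"""
import hmac
import secrets
import time
from typing import Optional

# Assumption for this example: a DigiD login should complete within 10 minutes.
REQUEST_TTL_SECONDS = 600


def create_auth_request(session: dict, now: Optional[float] = None) -> str:
    """Mint an unguessable request identifier and record it in the session.

    Use the returned value as the SAML AuthnRequest ID (echoed back in
    InResponseTo) or as the OIDC `state` parameter.
    """
    now = time.time() if now is None else now
    request_id = secrets.token_urlsafe(32)
    session.setdefault("pending_auth_requests", {})[request_id] = now
    return request_id


def accept_auth_response(session: dict, response_ref: Optional[str],
                         now: Optional[float] = None) -> bool:
    """Return True only if the response references a request this session sent.

    The referenced request must exist, must not have expired, and is consumed
    on first use so a replayed response is rejected.
    """
    now = time.time() if now is None else now
    pending = session.get("pending_auth_requests", {})
    if not response_ref:
        return False

    # Constant-time comparison against every pending id, so the lookup does
    # not leak how much of an id an attacker guessed correctly.
    match = None
    for rid in pending:
        if hmac.compare_digest(rid.encode(), response_ref.encode()):
            match = rid
    if match is None:
        return False

    issued_at = pending.pop(match)  # single use, whatever the outcome
    return (now - issued_at) <= REQUEST_TTL_SECONDS


if __name__ == "__main__":
    # Constructed walk-through: normal flow, then a response landing in a
    # fresh browser session (no pending request there) is refused.
    session = {}
    rid = create_auth_request(session)
    print("same session, matching response :", accept_auth_response(session, rid))
    print("same session, replayed response :", accept_auth_response(session, rid))
    print("other browser, no session       :", accept_auth_response({}, rid))
```

In a real deployment the session dictionary is your framework's server-side session, and the request id is placed in the AuthnRequest or the OIDC authorization request before redirecting the user to Signicat.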

Adjust the settings as necessary and click Save to apply the changes.

4. Get Signicat metadata

To apply for a DigiD connection with Logius, you need the Signicat SAML metadata (in XML format). To download the metadata file:

  1. In the Signicat Dashboard, navigate to Products > eID and Wallet Hub > eIDs.
  2. Select DigiD from the list of active eIDs.
  3. Select Get Signicat metadata to download the XML file to your device.

5. Request DigiD in production

To connect to the DigiD production environment, you need to fill in the Logius Aanvraagformulier. In the application form, upload the Signicat metadata in XML format that you obtained in the previous step.

6. Set up a connection with a protocol

To establish a connection between Signicat DigiD and your application, you need to use an authentication protocol.

Choose a protocol

Supported authentication protocols

Signicat supports the standard OpenID Connect (OIDC) and SAML 2.0 protocols. In addition, we offer our bespoke Signicat Authentication REST API.

The protocol you choose depends on your goals and preferences. The Authentication REST API provides flexibility and an easy setup. Otherwise, we recommend OIDC, since SAML 2.0 is much more complex to implement and usually requires a federation agent. OIDC is an industry standard with managed user sessions, unlike the Authentication REST API.

To learn more about these authentication protocols, see the Signicat eID and Wallet Hub documentation.

Set up the protocol

For information on how to set up the different protocols, see the eID and Wallet Hub - Quick start guide.

Data and attributes

To learn more about attributes, scopes and claims supported by each authentication protocol, visit the Attributes reference page.

7. Activate your connection

Submit a request for activation of your connection to the DigiD production environment in the DigiD Wijzigingsformulier. In the form, select "Ik wil mijn productieaansluiting activeren".

8. Ask Logius to approve your connection

After you set up the connection in production, you need to test it and submit a request for approval by Logius.

9. Audit and assessment

Your DigiD integration in production should adhere to security standards to ensure secure end-user authentication. Logius performs audits and checks to ensure your infrastructure and connection comply with such requirements.

Your DigiD integration must undergo an official assessment by an external and certified DigiD auditor within two months after going to production.

Additionally, organisations that use DigiD must conduct an annual IT security assessment.

Arrange the audits according to the specifications in the DigiD ICT-beveiligingsassessments guide.

Signicat RSO certificate

Signicat, as a third-party service provider for DigiD, undergoes a yearly Rapporten voor de Serviceorganisatie (RSO, formerly TPM) assessment. For this, we plan the RSO audit as early as possible in the year. We can also provide you with our DigiD RSO certificate to use in your audit.

Note that the required yearly assessments for municipalities in NL and for DigiD are planned at different times of the year, which might lead to some delays. Therefore, we recommend that you plan sufficient time for the assessment around the municipalities' own audits.

10. Renewing certificates

When your PKIo certificate is about to expire, you need to renew your certificate and communicate the changes to Logius. Learn how to renew your certificates in the How to renew PKIo certificates guide.