Set up DigiD pre-production

Initial preparations

To set up DigiD in pre-production, start with the steps described in the Initial preparations page.

1. Add DigiD in the Dashboard

When you want to use an eID, you first need to activate it in the Signicat Dashboard. To do this for DigiD, follow these steps:

  1. In the Signicat Dashboard, navigate to Products > eID and Wallet Hub > eIDs.
  2. Select + Add new in the top right.
  3. Choose the eID from the list. Add any required configuration, then select Add.
  4. Now, review that the eID is available and set to "Active" in the eIDs list.

Cannot activate DigiD?

If you cannot activate DigiD or require assistance, you can contact us by creating a support ticket in the Signicat Dashboard.

eID configuration

DigiD Dashboard settings

You can edit the settings of your DigiD connection:

  • Strip sector code from nameID: Logius sends a prefix with the citizen service number (BSN). Some service providers can't handle that. Tick this checkbox to strip away the sector code/prefix.

Adjust the settings as necessary and click Save to apply the changes.

Advanced configuration

To configure advanced settings, go to the "Advanced" tab in the DigiD page and specify:

  • Select attribute filter: Select an attribute filter to control which attributes you want to include, or exclude, from the response. To create attribute filters in the Dashboard, navigate to Products > eID and Wallet Hub > Advanced > Attribute filters.
  • Include only when scoped: If ticked, DigiD will not be available as an eID for authentication on the eID selection screen, unless you specify it in your authentication request by using IdP scoping (DigiD scope: digid).
  • Response attribute mappings: You can customise the name of the attributes received in the response body. Provide none or multiple name-to-name mappings.
  • Use web flow on mobile device: When you configure DigiD for WEB flows, you may still want to offer authentication through mobile devices. It is important to note that sometimes authentications started in the DigiD app may redirect the user to the native browser of the mobile device. In such cases, we handle the redirect through "session restoration" which may lead to vulnerabilities that require additional security considerations.
    Security considerations

    We have taken a number of measures to reduce the security risks on our side. To ensure secure authentications, you need to take action on the implementation side. If you want to use web flows on mobile devices, you have to be aware of the risks and address them appropriately. For more information, you can read more below or contact us by creating a support ticket in the Signicat Dashboard.

    Mitigating risks

    To fully mitigate the residual risk, we recommend you implement the following measures on your side.

    Verify the response
    You should accept a response back from Signicat only after you have matched the response to a request that you have sent previously. For example, you can achieve this by storing the request in the user session.
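
One way to implement the check described under "Verify the response", shown as an added example (not Signicat code): each outgoing request is recorded in the user session under a random correlation value, and a response is accepted only if it carries a value that this same session issued, has not been used before and has not expired. Assumptions: the session is modelled as a plain dict, the names `PENDING_KEY`, `MAX_AGE_SECONDS`, `begin_authentication` and `accept_response` are hypothetical, and the correlation value would travel as the OIDC `state` parameter (for SAML, the request ID echoed in `InResponseTo`).

```python
import hmac
import secrets
import time

PENDING_KEY = "pending_auth_requests"  # hypothetical session key
MAX_AGE_SECONDS = 600                  # assumed lifetime of a pending request


def begin_authentication(session, now=None):
    """Record an outgoing request in the user session; return its correlation value."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)  # unguessable, so it cannot be forged
    session.setdefault(PENDING_KEY, {})[state] = {"created": now}
    return state


def accept_response(session, returned_state, now=None):
    """Return True only if the response matches a request sent from this session."""
    now = time.time() if now is None else now
    pending = session.get(PENDING_KEY, {})
    candidate = (returned_state or "").encode()

    match = None
    for stored in list(pending):
        # Constant-time comparison against every pending value.
        if hmac.compare_digest(stored.encode(), candidate):
            match = stored
    if match is None:
        # Unsolicited response: nothing in this session asked for it. This is
        # the case to reject when a flow resumes in a different browser.
        return False

    record = pending.pop(match)  # single use: a replayed response finds nothing
    return now - record["created"] <= MAX_AGE_SECONDS


if __name__ == "__main__":
    # Constructed scenario: the request starts in one browser session and the
    # response arrives in another session that never sent a request.
    origin_session, other_session = {}, {}
    state = begin_authentication(origin_session)
    print("other session accepts:", accept_response(other_session, state))
    print("origin session accepts:", accept_response(origin_session, state))
    print("replay accepted:", accept_response(origin_session, state))
```
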

2. Get Signicat metadata

When you activate DigiD in the Signicat Dashboard, you can download the Signicat SAML metadata (in XML format). You need the Signicat metadata when applying for DigiD with Logius in the next step.

To get the metadata file:

  1. In the Signicat Dashboard, navigate to Products > eID and Wallet Hub > eIDs.
  2. Select DigiD from the list of active eIDs.
  3. Select Get Signicat metadata to download the XML file to your device.

3. Request DigiD pre-production

To connect to DigiD pre-production, you need to fill in the Logius Aanvraagformulier. In the application form, upload the Signicat metadata in XML format that you obtained in the previous step.

According to the Logius Roadmap, you receive connection details for access to the DigiD pre-production environment within five working days.

4. Set up a connection with a protocol

To establish a connection between DigiD and your application, you need to use an authentication protocol.

Note that you only need to connect to Signicat eID and Wallet Hub servers. Signicat handles the connection with DigiD separately, therefore acting as a message broker between your application and DigiD.

Choose a protocol

Supported authentication protocols

Signicat supports the standard OpenID Connect (OIDC) and SAML 2.0 protocols. In addition, we offer our bespoke Signicat Authentication REST API.

The protocol you choose depends on your goals and preferences. The Authentication REST API provides flexibility and an easy setup. Otherwise, we recommend OIDC, since SAML 2.0 is much more complex to implement and usually requires a federation agent. OIDC is an industry standard with managed user sessions, unlike the Authentication REST API.

To learn more about these authentication protocols, see the Signicat eID and Wallet Hub documentation.

Set up the protocol

For information on how to set up the different protocols, see the eID and Wallet Hub - Quick start guide.

Data and attributes

To learn more about attributes, scopes and claims supported by each authentication protocol, visit the Attributes reference page.

5. Get your pre-production setup approved

After you set up the pre-production web/mobile service connection, you need to test it and submit a request for approval by Logius. Here are the steps to follow:

After Logius approves your pre-production connection, you are ready to integrate with DigiD in production.
