
eHerkenning attributes in SAML 2.0

This page describes the user and organisation attributes that you can request from eHerkenning, and how they are returned in the assertion, when SAML 2.0 is used as the authentication protocol.

Attribute glossary

To learn more about the properties of the data available through eHerkenning, visit the Attribute glossary page.

Attributes table

eHerkenning provides the following data:

* Pseudonym example: ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890@ABCDEF1234567890ABCDEF1234567890

Examples

Metadata document

The example below shows a Service Provider (SP) metadata document for connecting to eHerkenning. Replace X509_CERTIFICATE with the base64-encoded DER of your SP signing certificate and *SP_CLIENT_DOMAIN* with the host of your Assertion Consumer Service; the entityID is the value the broker places in the Audience of the returned assertion, so it must match exactly. The document requests the attributes: idpId, firstName, lastName, dateOfBirth, gender, phoneNumber, email, placeOfBirth, nin, chamberOfCommerce, eherkenningIntermediatekvkNr, eherkenningVestigingsNr, eherkenningRsin, eherkenningProbasNr, eherkenningPseudo, eherkenningPseudoID, eherkenningServiceID, eherkenningServiceUUID, organisationName, eherkenningIntermediateOrganisationName, initials, familyNameInfix, 18OrOlder, 16OrOlder, 12OrOlder, 65OrOlder

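<?xml version="1.0" encoding="UTF-8"?>
<!--
  Service Provider (SP) metadata for an eHerkenning connection over SAML 2.0.
  Placeholders: X509_CERTIFICATE (base64 DER of the SP signing certificate) and
  *SP_CLIENT_DOMAIN* (host of the Assertion Consumer Service).
  entityID is the value the broker puts in <saml2:Audience> of the returned
  assertion; the SP must reject assertions whose Audience differs from it.
-->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     ID="_45f42f65-39f9-4250-898e-f6297cb3f8ce"
                     entityID="SAML Example SP">
  <!-- The broker signs every assertion it returns (see the response example), so
       the SP declares that it requires signed assertions. This flag is only a hint
       to the issuer: the SP must still validate the signature itself on receipt. -->
  <md:SPSSODescriptor WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Certificate the broker uses to check the SP's signature on outgoing
         messages. NOTE(review): confirm whether the broker also expects
         AuthnRequestsSigned="true" to be declared here. -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            X509_CERTIFICATE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- The Response is delivered to this endpoint with HTTP-POST (the AuthnRequest
         example sets ProtocolBinding to HTTP-POST and the Response example carries
         two enveloped signatures). HTTP-Redirect is not a valid binding for an
         AssertionConsumerService: the Web Browser SSO profile only allows POST or
         Artifact for the Response, and a signed Response does not fit in a URL. -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://*SP_CLIENT_DOMAIN*/saml/acs"
                                 index="1"
                                 isDefault="false"/>
    <!-- Selected by AuthnRequest/@AttributeConsumingServiceIndex. One RequestedAttribute
         per attribute the service consumes; request only what the service needs,
         since several of these are personal data. -->
    <md:AttributeConsumingService index="1" isDefault="false">
      <md:ServiceName xml:lang="en">All attributes</md:ServiceName>
      <md:RequestedAttribute Name="idpId"/>
      <md:RequestedAttribute Name="firstName"/>
      <md:RequestedAttribute Name="lastName"/>
      <md:RequestedAttribute Name="dateOfBirth"/>
      <md:RequestedAttribute Name="gender"/>
      <md:RequestedAttribute Name="phoneNumber"/>
      <md:RequestedAttribute Name="email"/>
      <md:RequestedAttribute Name="placeOfBirth"/>
      <md:RequestedAttribute Name="nin"/>
      <md:RequestedAttribute Name="chamberOfCommerce"/>
      <md:RequestedAttribute Name="eherkenningIntermediatekvkNr"/>
      <md:RequestedAttribute Name="eherkenningVestigingsNr"/>
      <md:RequestedAttribute Name="eherkenningRsin"/>
      <md:RequestedAttribute Name="eherkenningProbasNr"/>
      <md:RequestedAttribute Name="eherkenningPseudo"/>
      <md:RequestedAttribute Name="eherkenningPseudoID"/>
      <md:RequestedAttribute Name="eherkenningServiceID"/>
      <md:RequestedAttribute Name="eherkenningServiceUUID"/>
      <md:RequestedAttribute Name="organisationName"/>
      <md:RequestedAttribute Name="eherkenningIntermediateOrganisationName"/>
      <md:RequestedAttribute Name="initials"/>
      <md:RequestedAttribute Name="familyNameInfix"/>
      <md:RequestedAttribute Name="18OrOlder"/>
      <md:RequestedAttribute Name="16OrOlder"/>
      <md:RequestedAttribute Name="12OrOlder"/>
      <md:RequestedAttribute Name="65OrOlder"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>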

Request example

SAML 2.0 request example:

<!--
  AuthnRequest sent by the SP to the Signicat broker's login endpoint.
  SERVICE_INDEX selects the AttributeConsumingService in the SP metadata (and is
  part of the SP's eToegang issuer identifier); ORGANISATION_IDENTIFICATION_NUMBER
  and LOA are filled in per service. NOTE(review): no XML signature is shown on
  this request - confirm the broker's signing requirement and, if required, sign
  with the key whose certificate is in the metadata's signing KeyDescriptor.
-->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_c1021b80fffe7cb098a50b735c739fec"
                    Version="2.0"
                    IssueInstant="2024-09-26T10:06:19.352Z"
                    Destination="https://*YOUR_SIGNICAT_DOMAIN*/auth/saml/login"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AttributeConsumingServiceIndex="SERVICE_INDEX">
  <!-- The SP identifies itself with its eToegang entity identifier. -->
  <saml:Issuer>urn:etoegang:DV:ORGANISATION_IDENTIFICATION_NUMBER:entities:SERVICE_INDEX</saml:Issuer>
  <!-- Comparison="minimum": the requested assurance class LOA or any stronger one is
       acceptable. The SP must check the AuthnContextClassRef actually returned in
       the assertion rather than assume the minimum was honoured. -->
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:LOA</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Response example

SAML 2.0 response example (XML_SIGNATURE and X509_CERTIFICATE are placeholders, so the signature and digest values shown cannot be verified against this text):

<!--
  Example SAML Response from the Signicat broker, delivered with HTTP-POST to the
  SP's Assertion Consumer Service. XML_SIGNATURE and X509_CERTIFICATE are
  placeholders, so the DigestValue/SignatureValue shown will not verify against
  this text. Before using anything from this message the SP must check:
    1. Destination equals its own ACS URL and the message was received at that URL;
    2. InResponseTo equals the ID of an AuthnRequest the SP issued and has not yet
       consumed (one-time use, to stop replay of a captured Response);
    3. Issuer is the configured broker entity;
    4. both the Response signature and the Assertion signature validate against
       the broker's certificate taken from its published metadata, not against
       the certificate embedded in KeyInfo (in a forged message the attacker
       controls that certificate);
    5. Status is Success, and the SubjectConfirmationData / Conditions below hold.
-->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
Destination="https://*SP_CLIENT_DOMAIN*/saml/acs"
ID="_637db830122cf2074bab93d9c534dd88"
InResponseTo="_a9ac37562d5fdb2068809c4f85c9638a"
IssueInstant="2024-09-26T10:07:03.042Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
https://*YOUR_SIGNICAT_DOMAIN*/auth/saml
</saml2:Issuer>
<!-- Enveloped signature over the whole Response: the Reference URI is Response/@ID.
     Exclusive C14N with PrefixList="xsd" keeps the xsd namespace declaration in the
     canonical form; SHA-256 digest, RSA-SHA256 signature. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_637db830122cf2074bab93d9c534dd88">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>6SzxrEyAEB6ISrgbZCuI479WvmLh9sEH4OoOHEZB3n8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
XML_SIGNATURE
</ds:SignatureValue>
<!-- KeyInfo is informational only; the trust anchor is the broker certificate the
     SP has configured from the broker's metadata. -->
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
X509_CERTIFICATE
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<!-- The Assertion carries its own signature (its Reference URI is Assertion/@ID).
     After validation, read Subject, Conditions and attributes only from the element
     whose ID the validated Reference points to - never from an element found by
     path or "first match" - so that an unsigned Assertion injected elsewhere in the
     document (XML signature wrapping) is never the one consumed. -->
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
ID="_14bf7ff57d8cd43721c79f63d4db9c0a"
IssueInstant="2024-09-26T10:07:03.057Z"
Version="2.0"
>
<saml2:Issuer>https://*YOUR_SIGNICAT_DOMAIN*/auth/saml</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_14bf7ff57d8cd43721c79f63d4db9c0a">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>ihgBWyK1tVczI5T7RJCOrMB92/ArGNGN8D9C0NQJ6a0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
XML_SIGNATURE
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
X509_CERTIFICATE
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<!-- Subject: NameID is an opaque identifier (format "unspecified"); presumably a
     pseudonym - confirm in the Attribute glossary before using it as an account key.
     NameQualifier names the eToegang authentication service (HM) that issued it. -->
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="urn:etoegang:HM:00000003244440010000:entities:9713"
>gjhtHxMFfm-2bn-YaZ6mh2YfTL62z-EyU2AdnWbx3x4=</saml2:NameID>
<!-- Bearer confirmation: the SP must check InResponseTo against the outstanding
     AuthnRequest ID, Recipient against its own ACS URL, and NotOnOrAfter (here two
     minutes after IssueInstant) against the current time. -->
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_a9ac37562d5fdb2068809c4f85c9638a"
NotOnOrAfter="2024-09-26T10:09:03.057Z"
Recipient="https://*SP_CLIENT_DOMAIN*/saml/acs"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<!-- Validity window: NotBefore is 5 s before IssueInstant, presumably a clock-skew
     allowance - TODO confirm. Audience must equal the SP's metadata entityID;
     an assertion for any other audience must be rejected. -->
<saml2:Conditions NotBefore="2024-09-26T10:06:58.057Z"
NotOnOrAfter="2024-09-26T10:09:03.057Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>ENTITY_ID</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<!-- Attribute values originate outside the SP: treat them as untrusted input
     (output-encode before rendering, validate formats before storing). Several are
     personal data (nin, dateOfBirth, phoneNumber, email); store and log them only as
     far as the service needs. Attribute meanings are defined in the Attribute
     glossary referenced at the top of this page. -->
<saml2:AttributeStatement>
<saml2:Attribute Name="idpId">
<saml2:AttributeValue>eh-idp-01</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="firstName">
<saml2:AttributeValue>Jane</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="initials">
<saml2:AttributeValue>J.</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="lastName">
<saml2:AttributeValue>Doe</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="familyNameInfix">
<saml2:AttributeValue>van</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="dateOfBirth">
<saml2:AttributeValue>1980-01-15</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="gender">
<saml2:AttributeValue>male</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="phoneNumber">
<saml2:AttributeValue>+31612345678</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="email">
<saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="placeOfBirth">
<saml2:AttributeValue>Amsterdam</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="nin">
<saml2:AttributeValue>123456789</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="18OrOlder">
<saml2:AttributeValue>true</saml2:AttributeValue>
</saml2:Attribute>
<!-- Organisation-level attributes follow; the "Intermediate" values describe the
     party acting on behalf of the organisation, when one is involved. -->
<saml2:Attribute Name="chamberOfCommerce">
<saml2:AttributeValue>12345678</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="eherkenningIntermediatekvkNr">
<saml2:AttributeValue>87654321</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="eherkenningVestigingsNr">
<saml2:AttributeValue>123400567890</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="eherkenningRsin">
<saml2:AttributeValue>987654321</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="eherkenningProbasNr">
<saml2:AttributeValue>PROBAS-00123</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="eherkenningPseudo">
<saml2:AttributeValue>pseudo-org-12345</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="eherkenningPseudoID">
<saml2:AttributeValue>pseudo-id-67890</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="eherkenningServiceID">
<saml2:AttributeValue>service-001</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="eherkenningServiceUUID">
<saml2:AttributeValue>d8f71022-789b-456c-abc1-2f1234567890</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="organisationName">
<saml2:AttributeValue>Example BV</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="eherkenningIntermediateOrganisationName">
<saml2:AttributeValue>Intermediate Services BV</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<!-- SessionIndex identifies the broker session (needed for single logout).
     The AuthnContextClassRef returned here is the generic PasswordProtectedTransport
     class, not the urn:etoegang:core:assurance-class:* value the request asked for.
     NOTE(review): confirm how the broker maps eHerkenning assurance levels to this
     value, and compare whatever is returned against the minimum LOA the service
     requires rather than accepting any Success response. -->
<saml2:AuthnStatement AuthnInstant="2024-09-26T10:07:03.059Z"
SessionIndex="fe187084-671b-4784-997e-7ff69d68ebf5"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>urn:etoegang:HM:ORGANISATION_IDENTIFICATION_NUMBER:entities:9713</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>