Frequently Asked Questions
Find quick answers to common questions about eHerkenning.
Setting up an eHerkenning connection
Find out more about setting up an eHerkenning connection.
What is a connection?
A connection is a network connection between your app (web application or mobile) and the Signicat eID Hub. The methods of communication are defined by the authentication protocol.
What authentication protocols does Signicat offer?
With Signicat you can integrate using the following authentication protocols:
- OpenID Connect (OIDC)
- Security Assertion Markup Language (SAML) 2.0
- Signicat Authentication REST API
To learn more about the protocols, see the Signicat eID Hub documentation.
What is needed to connect to eHerkenning with Signicat?
To connect to the Signicat eID Hub, you must provide us with:
- A signed contract
- A signed eHerkenning self-declaration
- PKIoverheid certificate (type Private Services CA G1)
- Organisation identification number (OIN)
Additionally, you should consider the following items:
- Register on the authorisation list for BSN (ALB), if you want to request the BSN of users.
- Determine the appropriate Level of Assurance (LoA) for the service by following the guidelines at https://www.forumstandaardisatie.nl/onderwerpen/veilig-internet/betrouwbaarheidsniveaus.
- Determine which identifying attributes and optional attributes you want to request from your users.
- Note that you must include a purpose of use statement for each optional attribute requested from your users. You add this in the eHerkenning service catalogue.
- Provide a link to your up-to-date privacy policy. You add this in the eHerkenning service catalogue.
- Choose service name(s) and branding in line with eHerkenning and eIDAS guidelines.
What is an OIN?
OIN stands for Organisation Identification Number, also called a Government Identification Number. You use it to identify yourself as an organisation.
eHerkenning/eIDAS
This section addresses queries about eHerkenning and the eIDAS network.
If I connect eHerkenning, does eIDAS come standard?
This is not standard, but depends on the contract you enter into with Signicat. eHerkenning and eIDAS are different products that use the same technical network. However, both eHerkenning and eIDAS can be accessed through the same connection. Please contact sales to find out more.
Is it necessary for eIDAS to set up a separate connection next to eHerkenning?
No, this is not necessary. eHerkenning and eIDAS can be accessed through the same connection. Therefore, there is no need to set up a separate connection for the different channels.
However, to make a service an eIDAS service, the eIDAS classifiers need to be added to the service in the catalogue.
Some applications cannot handle serving multiple eIDs over a single connection. In that case, we recommend setting up two separate connections.
Certificates
Certificates help you secure connections between your app and eHerkenning and can be used to encrypt data and sign messages.
What is a PKIoverheid certificate?
PKI stands for Public Key Infrastructure. A PKI certificate is a digital certificate that allows you to exchange data securely online with government agencies and the Tax and Customs Administration, among others.
PKI is an international standard when it comes to signing data and messages, so you can obtain a PKI certificate in various ways. However, this alone is not sufficient for interactions with the Dutch government.
The Dutch government states that you need a PKIoverheid (PKIo) certificate. A PKIoverheid certificate is a regular PKI certificate, but issued by a Certificate Authority (CA) that has been authorised by the government. They must meet strict requirements of the government. You can learn more about PKIo certificates at https://cert.pkioverheid.nl/.
Will you be informed when a certificate is about to expire?
On a best effort basis, Signicat tries to inform you when a certificate is about to expire. However, the ultimate responsibility rests with you. So, make sure that your organisation provides new certificates to Signicat's technical support department in a timely manner.
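Since the responsibility for timely renewal rests with you, a scheduled expiry check is worth having. The following is an added example, not Signicat tooling: it classifies a PEM certificate against a warning threshold using the standard `openssl x509 -checkend` option. The function names and the self-signed sample certificate are constructed for illustration; in practice you would point the check at your own PKIoverheid certificate file.

```shell
#!/bin/sh
# Added example: classify a PEM certificate by the time left before it expires.

# cert_expiry_status <cert.pem> <warn_days>
# Prints UNREADABLE, EXPIRED, RENEW or OK; returns non-zero unless OK.
cert_expiry_status() {
    cert=$1
    warn_seconds=$(( $2 * 86400 ))
    # Anything openssl cannot parse as X.509 is reported, not silently passed.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "UNREADABLE"; return 3
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED"; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$warn_seconds" >/dev/null 2>&1; then
        echo "RENEW"; return 1
    fi
    echo "OK"
}

# make_sample_cert <out.pem> <days>: constructed self-signed test certificate,
# standing in for the real PKIoverheid certificate (hypothetical helper).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-sample.invalid" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo on a constructed certificate that is valid for 10 days.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/cert.pem" 10
echo "30-day threshold: $(cert_expiry_status "$demo_dir/cert.pem" 30)"
echo "5-day threshold:  $(cert_expiry_status "$demo_dir/cert.pem" 5)"
rm -rf "$demo_dir"
```

Run from a scheduler, the non-zero return codes let you alert on RENEW, EXPIRED and UNREADABLE separately.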
You provide services for a government agency. Can you apply for a PKIoverheid certificate yourself?
Yes, you can. More information can be found at https://www.pkioverheid.nl.
Services
Services are an essential concept in eHerkenning. Learn more about services below.
Service names in the service catalogue
With eHerkenning, you specify services by entering them in the service catalogue. It is important to use clear names. View the official manual "Handleiding Dienstencatalogus", which contains the obligations and advice on filling in the required fields, on the eHerkenning - Handbooks and support page.
The name of the service is very important. The name should be meaningful and distinguishable. For example, the names 'Department 1' & 'Department Municipality X' may not be clear enough for the user. Another reason is that a proper name helps users and organisations with choosing the right permissions on their eHerkenning login.
Note that the user should immediately know what to do based on the name of the service. For example, if you create a service to apply for a subsidy, call the service 'Apply for a subsidy'.
Changing a service UUID
Every service in the eHerkenning service catalogue has a UUID. This is a unique number that is characteristic for a certain service. Permissions that are linked to the user's eHerkenning resources are issued based on UUIDs.
When you add a new service, the service is assigned a UUID. In the case of minor changes, the UUID must always remain the same.
However, you must change the service UUID if one of the following changes occurs:
- Changing the level of assurance (LoA).
- Changing the purpose and scope of the service.
- Significantly changing the personal user data you request. This may impact the LoA.
- Moving services under a portal service.
- Changing the legal entity and OIN of your organisation.
When a service changes its UUID, the users must re-link the new service to their eHerkenning device in order to gain access. Therefore, it is important that the UUID remains the same in the event of minor changes, otherwise users will no longer be able to log in with mandated permissions and will have to link another service to their eHerkenning device.
For more FAQs about eHerkenning permissions, visit https://we-id.nl/en/ and https://www.eherkenning.nl/nl/machtigen.
Support
This section outlines ways for you to get the assistance you need with eHerkenning.
Is there a health check available?
Yes, you can ping our infrastructure at https://<ACCOUNT_DOMAIN>/broker/.ping. Change the <ACCOUNT_DOMAIN> in the URL to the domain name associated with your account in the Settings > Domain Management page in the Dashboard.
You can also monitor the status of Signicat services on our Status page.
Where can I find outage and maintenance reports?
You can monitor system-wide outages on the reporting page of eHerkenning: Outage and Maintenance.
Is your question not listed? You can contact us by creating a support ticket in the Signicat Dashboard.