Connect with an authentication protocol
When an end-user wants to authenticate with your services using eHerkenning, your application exchanges a series of requests and responses with Signicat eID and Wallet Hub, which acts as a message broker between your application and the eHerkenning network.
To manage the communication between your application and the Signicat eID and Wallet Hub, you connect using an authentication protocol.
Prerequisites
This guide assumes you have completed the steps in the following guides:
- Initial preparations.
- Manage certificates.
- Add eHerkenning in the Dashboard.
- Set up a service in the service catalogue.
Set up a connection
With Signicat you can integrate using the following authentication protocols:
- OpenID Connect (OIDC)
- Security Assertion Markup Language (SAML) 2.0
- Signicat Authentication REST API
OIDC and SAML 2.0 are official identity protocols. We recommend using OIDC since implementing SAML 2.0 involves more advanced steps.
The Authentication REST API, developed and maintained by Signicat, offers more flexibility and supports headless and redirect integration flows (grant types).
You can find integration guides and more information about each protocol in the Signicat eID and Wallet Hub documentation.
For general information about integrating with Signicat, see the eID and Wallet Hub Quick start guide.
Authentication requests
The authentication protocol you integrate with determines how you build an authentication request and the format of the parameters you use. With eHerkenning, you can also configure provider-specific aspects like scoping the eID and the service. This allows you to skip selection screens and route the user directly to the service you intend to use for authentication.
Scoping eHerkenning services
When starting an authentication session, you can specify a service that you defined in your eHerkenning service catalogue. This allows you to target one service in particular by using its index value. As a result, end-users are automatically routed to the service you pass in your authentication request, skipping any service selection screen.
When sending an authentication request with OIDC, the acr_values parameter allows you to provide additional parameters. To pass the eHerkenning service index, add it to the ACR values in the form service_index:SERVICE_INDEX. For example, to route to service index 9701, pass 9701 as the value for the service_index property, as shown below:
https://example.sandbox.signicat.com/auth/open/connect/authorize?
client_id=sandbox-vivid-blade-759
&response_type=code
&redirect_uri=https://oauth.tools/callback/code
&state=1734687023840-WGZ
&scope=openid%20profile%20nin
&code_challenge=7aEnwazbpKXHjOYbISsHWbtAWn33fE9cgDpS0y4-0UM
&code_challenge_method=S256
&acr_values=idp:eherkenning%20service_index:9701
Note that idp:eherkenning specifies eHerkenning as the eID to direct your end-users to, which skips the eID provider selection screen.
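The following added example (not Signicat's own code) builds the request above in Python with a fresh state and PKCE pair per session, and validates the service index before placing it in acr_values. The helper names are hypothetical, and the digits-only check assumes service indexes are plain numbers, as in the 9701 example.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import quote, urlencode

# Sample endpoint from the request above; use your own account domain.
AUTHORIZE_URL = "https://example.sandbox.signicat.com/auth/open/connect/authorize"


def s256_challenge(code_verifier):
    """PKCE S256 (RFC 7636): base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def eherkenning_acr_values(service_index):
    """Build acr_values for eHerkenning (hypothetical helper, not a Signicat API)."""
    index = str(service_index)
    # acr_values is a space-separated list of key:value entries, so a space or
    # colon inside the index would add or change entries. Accept ASCII digits only.
    if not re.fullmatch(r"[0-9]+", index):
        raise ValueError("service_index must be numeric")
    return f"idp:eherkenning service_index:{index}"


def build_authorize_request(client_id, redirect_uri, service_index):
    """Return (url, state, code_verifier); keep the last two in the user's session."""
    state = secrets.token_urlsafe(24)  # compared with the state on the callback
    code_verifier = secrets.token_urlsafe(64)  # 86 chars; sent with the token request
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": "openid profile nin",
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
        "acr_values": eherkenning_acr_values(service_index),
    }
    # quote_via=quote writes spaces as %20; ':' and '/' are percent-encoded as well.
    query = urlencode(params, quote_via=quote)
    return f"{AUTHORIZE_URL}?{query}", state, code_verifier


if __name__ == "__main__":
    url, _state, _verifier = build_authorize_request(
        "sandbox-vivid-blade-759", "https://oauth.tools/callback/code", 9701)
    print(url)
```

The percent-encoded colons in the generated URL decode to the same acr_values as the hand-written request above.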
Data and attributes
To view the attributes supported by each authentication protocol and examples of requests and responses, see the Attributes reference page.
Communicating changes
Once you have an eHerkenning connection, it is important to tell your customers about the new setup. For more information, see the Communication guide.