# Setup of eHerkenning

Integration with eHerkenning is done in the same way as with Signicat's other eID methods. This page describes the process of setting up eHerkenning.

For more general information on how to integrate with Signicat, see the Quick start guide.

# Initial preparations

This setup guide assumes you have completed the following initial preparations:

  • Sandbox account: We recommend that you create a sandbox account to test our services before implementing them in production.

# Add eHerkenning

Once Signicat has given you access to eHerkenning in the Signicat Dashboard, you can add eHerkenning to your list of active methods:

(Screenshot: Choose eHerkenning)

# eHerkenning configuration

Once you have added eHerkenning, you can start the setup and configuration.

Adjust the settings as necessary and save the connection.

  • Organisation Identification Number (OIN): This will be automatically filled based on your certificate.
  • Entity index: The connection index, often 9001 for the test environment and 1 for the production environment.
  • Default eHerkenning service: The eHerkenning service that users are logged in to when the Login Request does not specify an eHerkenning service.
  • Decrypt attributes at the broker checkbox: Check this checkbox if you want Signicat to do the decryption of the values for you.
  • Include only when scoped checkbox: This indicates that the ID method will not be visible on the ID method selection screen, but can only be reached by using IdP scoping. IdP-scoping means you can direct the user from your application to a desired identity provider so the user will not be offered multiple identity providers to choose from within the Signicat Broker. This enables you to let the user make a choice within your application, or to enforce the use of a given identity provider for a given service.
  • Select attribute filter: Attribute filters allow you to filter out certain attributes to make the response more concise for further processing in your software.
  • Option to add Response attribute mapping: Response attribute mapping allows you to choose the name of the attribute and thus use a standardised name that you receive in the response from the different authentication methods that are activated.

Once the connection is saved, press the Get broker metadata button. This gives you the broker metadata XML. Email it to support@signicat.com.

# Broker settings

This component outlines the global settings for the broker. Here, you can configure the following properties:

  • Session duration: Your session will expire after the configured amount of time. The default is 30 minutes up to a maximum of 12 hours.
  • Use rolling validity: Whenever there is session activity, the session expiration time is reset to 30 minutes again.
  • Message log retention period: You can configure how long the messages in the Broker Message Log will be retained. This can be configured in months or days.
    • NOTE: Changing this setting will cause automatic deletion of the messages in the message log. Deleted messages cannot be restored.
    • Deletion happens daily at 01:00 CET.
  • Certificate expiration notification: You can define which email addresses need to be notified when an SP certificate is about to expire. Configurable fields are:
    • Email addresses to be notified before the certificate expires. Press enter to add multiple addresses. Emails will be sent every day until the certificate is renewed.
    • The number of days before certificate expiration that notifications will be sent to the added email addresses.
  • Cancel behaviour: You can choose how the cancel button will behave when pressed. There are two options:
    • Show selection screen
    • Go to SP
  • Metadata settings: Organisation data. These are all required fields.
    • Organisation name
    • Organisation display name
    • Organisation URL
  • Contact persons: You can add contact persons here. The fields you can define are:
    • Type of contact person: Technical, Support, Administrative, Billing or Other.
    • First name
    • Last name
    • Company
    • Email address
    • Phone number

# eHerkenning service catalogue

Assuming you have already configured your broker settings, the next step is to create the eHerkenning service catalogue.

To publish a service in the eHerkenning network so that organisations can authorise their members to log in to these services, data on the service must be published to eHerkenning. This data is published through service catalogues. A service catalogue can contain information for multiple services.

Service catalogues define information about your services. Each service is identified by a ServiceID, which consists of an Organisation Identification Number (OIN, or Government Identification Number) and a service index. We automatically set the OIN based on your connection.

# How to add a service catalogue

  • Open the eHerkenning configuration page and select the eHerkenning service catalogue button.
  • Select Add a Service and choose the type of service you would like to add, eHerkenning (used by Dutch organisations) or eIDAS (used by European citizens). This shows the eHerkenning service configuration page.

(Screenshot: Create a service catalogue)

# eHerkenning service configuration

  • Service index: This is used to differentiate your service from the other services you (might) provide. This can be any value between 1 and 9999. Index 0 is reserved for the portal function in eHerkenning, in case your organisation has a web service portal that includes various eHerkenning services.
  • Level of Assurance (LoA): Here you can select the desired LoA. Read more about which Level of Assurance to choose for your services.
  • Service name: Here you should provide a proper and descriptive name for your service (max 64 characters). It should be clear to the users what the service is intended for. Make sure you use a unique service name so no misunderstanding is possible with other services. See the note below. For example: Apply for a parking permit.
  • Service description: This is a short description of what the service is intended for (max 1024 characters).
  • Service description URL: Provide a valid URL to your website, explaining what the service can be used for.
  • Support SSO: Here you can toggle the option for Single Sign On (SSO) of the eHerkenning ID method on and off. It only works for LoA lower than level 4.

| LoA | eIDAS | SAML 2.0 |
|-----|-------|----------|
| 2 | Low | urn:etoegang:core:assurance-class:loa2 |
| 2+ | Low | urn:etoegang:core:assurance-class:loa2plus |
| 3 | Substantial | urn:etoegang:core:assurance-class:loa3 |
| 4 | High | urn:etoegang:core:assurance-class:loa4 |
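The LoA table above is what a relying party should check against when an authentication response comes back: the asserted assurance class must be a known eHerkenning class at or above the level configured for the service, and the Support SSO rule (LoA below 4 only) can be derived from the same ordering. The following is an added example, not Signicat's or eHerkenning's code; the SAML Response fragment is constructed for illustration, and in practice the response is signature-validated before any of its contents are trusted.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# LoA classes from the table above, ordered from lowest to highest.
# The ordinal lets us compare "at least LoA 3" without string tricks.
LOA_URNS = [
    "urn:etoegang:core:assurance-class:loa2",
    "urn:etoegang:core:assurance-class:loa2plus",
    "urn:etoegang:core:assurance-class:loa3",
    "urn:etoegang:core:assurance-class:loa4",
]
LOA_RANK = {urn: i for i, urn in enumerate(LOA_URNS)}

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def asserted_loa(response_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef from a SAML 2.0 Response, or None if absent."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:AuthnContextClassRef", NS)
    return node.text.strip() if node is not None and node.text else None


def loa_satisfies(asserted: Optional[str], required: str) -> bool:
    """True only if `asserted` is a known eHerkenning LoA at or above `required`.
    Unknown or missing classes are rejected rather than treated as good enough."""
    if asserted not in LOA_RANK or required not in LOA_RANK:
        return False
    return LOA_RANK[asserted] >= LOA_RANK[required]


def sso_allowed(loa_urn: str) -> bool:
    """Support SSO only applies to services with an LoA lower than level 4."""
    return loa_urn in LOA_RANK and LOA_RANK[loa_urn] < LOA_RANK[LOA_URNS[-1]]


# Constructed, minimal SAML Response fragment (not a real eHerkenning message).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    got = asserted_loa(SAMPLE_RESPONSE)
    print(got, loa_satisfies(got, LOA_URNS[2]), loa_satisfies(got, LOA_URNS[3]))
```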

Important

It is very important to use a clear service name. For example, the names Department 1 or Municipality X will not be clear enough for the user. The user should immediately know what to do based on the name of the service. For example, if your service is used to apply for a subsidy, call it Apply for a subsidy.

The official manual "Handleiding Dienstencatalogus", which contains the obligations and advice on filling in the required fields, is available on the eHerkenning Handbooks and support page.

If you need help choosing the service name, we can help you. Please send a message to support@signicat.com.

  • Support branch offices: If you accept login transactions for branch offices the following applies:
    • You must also accept login transactions without branch office number,
    • You must respect the restriction to act only for a branch office, to ensure that the legal act concluded is legally valid,
    • You may not use the branch office to determine the location, only to determine the limits of the power of representation.
  • User attributes: Also known as Entity Concerned Types (ECTAs), these form an identifier set: a combination of one or more identifying attributes. The individual identifiers possible in ECTA sets are KvK, RSIN, BSN (if allowed), PseudoID and Pseudo. eIDASLegalIdentifier is not yet supported by the EU countries. These are all the possible sets and combinations:
    • kvk (eH)
    • rsin (eH)
    • bsn (eH / eIDAS)
    • kvk+rsin (eH)
    • kvk+bsn (eH)
    • pseudo (eIDAS)
    • pseudoid (eIDAS)
    • bsn+pseudoid (eIDAS)
    • bsn+pseudo (eIDAS)
    • bsn+pseudoid+pseudo (eIDAS)
    • eidasLegalIdentifier (eIDAS)
  • Requested attributes: You may use optional attributes. Please check the attribute catalogue (in Dutch) for more information if you plan on using additional attributes. Attributes can be divided into Must have and Nice to have. If you set an attribute as "must have", the user will not be able to log in to your service if they do not want to, or cannot, supply the requested attribute.

Warning

Not all attributes are supported or available by the authentication services or authorisation registries. Therefore, do not set optional attributes as "required" for your service, since that will prevent a portion of users from logging in.

(Screenshot: Purpose statements for eHerkenning services)

  • Purpose statements: If Requested attributes are chosen, you must add purpose statements to advise the user on the reason for the required attribute.
  • Privacy policy URL: If Requested attributes are chosen, you must add a valid URL to your Privacy Policy. This is required by law and should be consistent with the EU laws regarding Privacy.

For further information, refer to the official manual (in Dutch) containing the obligations and advice on filling in service catalogue entries.

You can also learn more about service catalogue requirements on the eHerkenning website.

# Test the integration

When eHerkenning has been successfully added to the Dashboard as an ID method choice, click Test ID methods to proceed. You will then be presented with the following screen:

(Screenshot: Test eHerkenning)

Note

If you use only eHerkenning as an identity provider, and no others, this step will be skipped.

Select eHerkenning to be redirected to the eHerkenning login screen.

# Communicating changes

Once you have an eHerkenning connection, it is important to tell your customers about the new setup in good time. For more information, see the Communication guide.

Last updated: 20/03/2024 10:00 UTC