Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Identity broker

eHerkenning external IDP

search
printsuggest an editpdf paneldownload

eHerkenning external IDP

eHerkenning is the digital identity schema that the Dutch government uses to identify representatives of organizations. It provides a mandate schema where organizations can designate individuals to authenticate and act on behalf of their organization. It can be used to identify, authenticate, and authorize designated users for eligible organizations.

eHerkenning is available as a standard identity provider (IDP) in the Identity Broker and can be used in onboarding processes. Availability is restricted to eligible organizations in the Netherlands.

The eHerkenning IDP is a Security Assertion Markup Language (SAML) implementation that is relevant only for the Netherlands. It follows the procedure for adding a SAML IDP, except some values are preset.

The eHerkenning connection provides access to eHerkenning and to eIDAS (via the Netherlands (NL) node). The identity broker supports the DV-HM interface, which means that you need a connection to an eHerkenning makelaar (broker). The DV-HM interface is standardized, so the identity broker is able to connect to all eHerkenning makelaars:

  • OneWelcome
  • Signicat
  • Digidentity
  • KPN

copy link to clipboardRequest eHerkenning from an eHerkenning makelaar

You need to request DigiD for each brand.

copy link to clipboardRequest an OIN

You can can check the OIN register.

copy link to clipboardRequest PKI-overheid certificates

  • Request a unique PKI-overheid certificate for each connection. You need a different certificate for production and non-production.

You can use a server certificate with a maximum validity of three years. The OIN is included in the certificate serial number.

copy link to clipboardGenerate the service catalog

You need to manually create a new service catalog file for a new service or when switching the broker.

You can check the aggregated eHerkenning catalog to see if a service is already registered:

To create a new file, to fill this XML:

<?xml version="1.0" encoding="UTF-8"?>
<esc:ServiceCatalogue xmlns:esc="urn:etoegang:1.13:service-catalog" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      esc:IssueInstant="2019-12-28T10:19:57Z" esc:Version="urn:etoegang:1.13:53"
                      ID="198d678c-239e-43c4-acf7-b4f6f1f6d8c0">
    <esc:ServiceProvider esc:IsPublic="true">
        <esc:ServiceProviderID><!--OIN van organistatie/organization OIN--></esc:ServiceProviderID>
        <esc:OrganizationDisplayName xml:lang="nl"><!--Naam van organistatie/organization name--></esc:OrganizationDisplayName>
        <esc:ServiceDefinition esc:IsPublic="true">
            <esc:ServiceUUID><!--unieke ID genereren via uuidgenerator.net/generate a unique ID via uuidgenerator.net--></esc:ServiceUUID>
            <esc:ServiceName xml:lang="nl"><!--Naam van de Service/Name--></esc:ServiceName>
            <esc:ServiceName xml:lang="en"><!--Service name--></esc:ServiceName>
            <esc:ServiceDescription xml:lang="nl"><!--Beschrijving van de Service--></esc:ServiceDescription>
            <esc:ServiceDescription xml:lang="en"><!--Service description--></esc:ServiceDescription>
            <esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:<!--Loa van de Service/Loa of the service--></saml:AuthnContextClassRef>
            <esc:HerkenningsmakelaarId>00000003520354760000</esc:HerkenningsmakelaarId>
            <esc:EntityConcernedTypesAllowed>urn:etoegang:1.9:EntityConcernedID:KvKnr</esc:EntityConcernedTypesAllowed>
              <esc:ServiceRestrictionsAllowed>urn:etoegang:1.9:ServiceRestriction:Vestigingsnr</esc:ServiceRestrictionsAllowed>
        </esc:ServiceDefinition>
        <esc:ServiceInstance esc:IsPublic="true">
            <esc:ServiceID>urn:etoegang:DV:<!--OIN -->:services:<!--Service Index--></esc:ServiceID>
            <esc:ServiceUUID><!--unieke ID genereren via uuidgenerator.net/generate a unique ID via uuidgenerator.net--></esc:ServiceUUID>
            <esc:InstanceOfService><!-- UUID of service definition--></esc:InstanceOfService>
            <esc:ServiceURL xml:lang="nl"><!--vul hier een service url in --></esc:ServiceURL>
            <esc:ServiceURL xml:lang="en"><!-- link to the url of the service --></esc:ServiceURL>
            <esc:PrivacyPolicyURL xml:lang="nl"><!-- vul hier een privacy url in --></esc:PrivacyPolicyURL>
            <esc:PrivacyPolicyURL xml:lang="en"><!-- link to the privacy policy --></esc:PrivacyPolicyURL>
            <esc:HerkenningsmakelaarId>00000003520354760000</esc:HerkenningsmakelaarId>
            <esc:SSOSupport><!-- a boolean that indicates whether the service supports SSO --></esc:SSOSupport>
            <esc:ServiceCertificate>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo>
            <ds:KeyName>..............</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>..............</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </esc:ServiceCertificate>
        </esc:ServiceInstance>
    </esc:ServiceProvider>
</esc:ServiceCatalogue>

copy link to clipboardHerkenningsmakelaarId reference table

To fill the HerkenningsmakelaarId, use this table:

Broker HerkenningsmakelaarId Pre-production metadata Production metadata Contact email address
OneWelcome 00000003520354760000 Pre Prod eherkenningsupport@onewelcome.com
Signicat 00000003244440010000 Pre Prod technicalsupport@signicat.com
Digidentity 00000003273226310000 Pre Prod eid@digidentity.com
KPN 00000003271247010000 eidsupport@kpn.com

copy link to clipboardSample eHerkenning

<?xml version="1.0" encoding="UTF-8"?>
<esc:ServiceCatalogue xmlns:esc="urn:etoegang:1.13:service-catalog" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      esc:IssueInstant="2019-12-28T10:19:57Z" esc:Version="urn:etoegang:1.13:53"
                      ID="198d678c-239e-43c4-acf7-b4f6f1f6d8c0">
    <esc:ServiceProvider esc:IsPublic="true">
        <esc:ServiceProviderID>00000003302392690000</esc:ServiceProviderID>
        <esc:OrganizationDisplayName xml:lang="nl">OneWelcome</esc:OrganizationDisplayName>
        <esc:ServiceDefinition esc:IsPublic="true">
            <esc:ServiceUUID>1770a991-962d-47fb-963d-80ceee623771</esc:ServiceUUID>
            <esc:ServiceName xml:lang="nl">Test service mobile</esc:ServiceName>
            <esc:ServiceName xml:lang="en">Test service mobile</esc:ServiceName>
            <esc:ServiceDescription xml:lang="nl">Test service mobile</esc:ServiceDescription>
            <esc:ServiceDescription xml:lang="en">Test service mobile</esc:ServiceDescription>
            <esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
            <esc:HerkenningsmakelaarId>00000003520354760000</esc:HerkenningsmakelaarId>
            <esc:EntityConcernedTypesAllowed>urn:etoegang:1.9:EntityConcernedID:KvKnr</esc:EntityConcernedTypesAllowed>
              <esc:ServiceRestrictionsAllowed>urn:etoegang:1.9:ServiceRestriction:Vestigingsnr</esc:ServiceRestrictionsAllowed>
        </esc:ServiceDefinition>
        <esc:ServiceInstance esc:IsPublic="true">
            <esc:ServiceID>urn:etoegang:DV:00000003302392690000:services:9999</esc:ServiceID>
            <esc:ServiceUUID>419f5703-3524-4d62-b1b2-da8a922e0f9e</esc:ServiceUUID>
            <esc:InstanceOfService>1770a991-962d-47fb-963d-80ceee623771</esc:InstanceOfService>
            <esc:PrivacyPolicyURL xml:lang="nl">https://www.onewelcome.com/privacy-policy</esc:PrivacyPolicyURL>
            <esc:PrivacyPolicyURL xml:lang="en">vhttps://www.onewelcome.com/privacy-policy</esc:PrivacyPolicyURL>
            <esc:HerkenningsmakelaarId>00000003520354760000</esc:HerkenningsmakelaarId>
            <esc:SSOSupport>false</esc:SSOSupport>
            <esc:ServiceCertificate>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo>
            <ds:KeyName>current</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>MIIGeDCCBGCgAwIBAgIUaP2XB6Bw8WZ1Wxe3bkY3jf/2JLgwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCEtQTiBCLlYuMTEwLwYDVQQDDChLUE4gUEtJb3ZlcmhlaWQgUHJpdmF0ZSBTZXJ2aWNlcyBDQSAtIEcxMB4XDTIxMDQyMjEzMzI0OVoXDTI0MDQyMTEzMzI0OVoweDELMAkGA1UEBhMCTkwxEDAOBgNVBAcMB1dvZXJkZW4xEDAOBgNVBAoMB09uZWdpbmkxHTAbBgNVBAUTFDAwMDAwMDAzMzAyMzkyNjkwMDAwMSYwJAYDVQQDDB1sb2dpbi1kZW1vMS5zdGFnZS5vbmVnaW5pLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKWzINs7euhdo5Ftv7o5mSIbiez4m/GyHL6K7l3NSnrWKc6N30qa9tXQYvnWw2LYzpDs4jweLUkB1ecdtrPT4qNHpC3ILUNniDU+qnO72u15WGeuFyd3Mw1ExQhdro1KCyx3/hNpE0uwgs0KV0Zt8GVuBGywmRlG948sJZo+0Vemrm4nmnrUk2etLndajPT84L3vGr2UeFG98Dc0BieCnmyeiu6hBeJTTCAS96jvANf1BKC/FIU9iAw4bVAeqA04t2BBGKlG0vhE1EJ3iWQd9sVAc2Xl6uDFCuVUbVZzJKUwP/WJTuNMLC6j0aOexw3Ls4gquPtQ6Rh4rz5vnahwMbMCAwEAAaOCAh0wggIZMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUuNRMn6hbbtolp2iO74xGGv4fU2UwOAYIKwYBBQUHAQEELDAqMCgGCCsGAQUFBzABhhxodHRwOi8vcHJvY3NwLm1hbmFnZWRwa2kuY29tMCgGA1UdEQQhMB+CHWxvZ2luLWRlbW8xLnN0YWdlLm9uZWdpbmkuY29tMIHXBgNVHSAEgc8wgcwwgckGCmCEEAGHawECCAYwgbowQgYIKwYBBQUHAgEWNmh0dHBzOi8vY2VydGlmaWNhYXQua3BuLmNvbS9lbGVrdHJvbmlzY2hlLW9wc2xhZ3BsYWF0czB0BggrBgEFBQcCAjBoDGZPcCBkaXQgY2VydGlmaWNhYXQgaXMgaGV0IENQUyBQS0lvdmVyaGVpZCBQcml2YXRlIFNlcnZpY2VzIFNlcnZlciBjZXJ0aWZpY2F0ZW4gdmFuIEtQTiB2YW4gdG9lcGFzc2luZy4wHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMFwGA1UdHwRVMFMwUaBPoE2GS2h0dHA6Ly9jcmwubWFuYWdlZHBraS5jb20vS1BOQlZQS0lvdmVyaGVpZFByaXZhdGVTZXJ2aWNlc0NBRzEvTGF0ZXN0Q1JMLmNybDAdBgNVHQ4EFgQUfOXk1sfsNsGwgR/OSY2bs+5VOs0wDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBCwUAA4ICAQB41IfUSdfdcYVQxv0dPvVKFzxs36QEanzjcx7FihVF8VeQnkGfGkTX3qGKLebpB/Hj4d8LRndCmUODfn73gDdg9A3ppysLSg9Fmk4ZJgtE2ElmtEbdDgUKcgHys83984bKOqf67MlOveNtAlgwXUFa+m8BNeI6d1xY2HFpKDtOmo3C0f6YQDW7tVrQ6IOHW73b66anCNvb81BNtEcOXAA/pQUnR8HE8O/DK+AEFOZSkHpDdWU2HxEwGiAlIvG+okhXXPr6dv3RgG4m5ApTXlplcd4TF6U9hPTBNPr+aX5/LIq/4t5V3nU9BSKOhAG0oTdbuGfHB5qc7la/BMdgJybRrn3eVDnvk0w2MoLGi+wSQo/+E8wimRUqcMRaG4ADvAz00pIkNJIoT+RkTYmZMSMXB3Te8Yec/XumV+nhGSOP6FbomXWzmg2F7Idp1Xk2e/UWxah7kdMIxXljuAR+21Dl1c/aCbrr+DfhVCK7EBfZIBIq3IDRx0MLvGJqjIgON40X/l9jT8LXRnYXFYKBYb15IfjulSRDuXI8OkCopzAaflpnsaEvILx5TNBGdGdgV1CVXbN40W0PxBPuAsSSmf8wRA3Z8sfEbJIMNV+0fOSDq/N2vkFu5uYe2z4APeNCuttNFgjCQLa4pJy/cDKOaEGHPjtSIf+GYW5/rUXJj4KJnw==</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </esc:ServiceCertificate>
        </esc:ServiceInstance>
    </esc:ServiceProvider>
</esc:ServiceCatalogue>

copy link to clipboardSample eIDAS

<?xml version="1.0" encoding="UTF-8"?>
<esc:ServiceCatalogue xmlns:esc="urn:etoegang:1.13:service-catalog" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      esc:IssueInstant="2019-12-28T10:19:57Z" esc:Version="urn:etoegang:1.13:53"
                      ID="198d678c-239e-43c4-acf7-b4f6f1f6d8c0">
    <esc:ServiceProvider esc:IsPublic="true">
        <esc:ServiceProviderID>00000003520354760000</esc:ServiceProviderID>
        <esc:OrganizationDisplayName xml:lang="nl">OneWelcome</esc:OrganizationDisplayName>
        <esc:ServiceDefinition esc:IsPublic="true">
            <esc:ServiceUUID>c00e036f-3d3f-4114-b13d-2fa9a1f0cc7c</esc:ServiceUUID>
            <esc:ServiceName xml:lang="nl">Test service mobile eIDAS</esc:ServiceName>
            <esc:ServiceName xml:lang="en">Test service mobile eIDAS</esc:ServiceName>
            <esc:ServiceDescription xml:lang="nl">Test service mobile eIDAS</esc:ServiceDescription>
            <esc:ServiceDescription xml:lang="en">Test service mobile eIDAS</esc:ServiceDescription>
            <esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
            <esc:HerkenningsmakelaarId>00000003520354760000</esc:HerkenningsmakelaarId>
            <esc:EntityConcernedTypesAllowed>urn:etoegang:1.12:EntityConcernedID:BSN</esc:EntityConcernedTypesAllowed>
        </esc:ServiceDefinition>
        <esc:ServiceInstance esc:IsPublic="true">
            <esc:ServiceID>urn:etoegang:DV:00000003520354760000:services:9994</esc:ServiceID>
            <esc:ServiceUUID>b91637ca-718b-4ead-8397-af5362c8cb44</esc:ServiceUUID>
            <esc:InstanceOfService>c00e036f-3d3f-4114-b13d-2fa9a1f0cc7c</esc:InstanceOfService>
            <esc:PrivacyPolicyURL xml:lang="nl">https://www.onewelcome.com/privacy-policy</esc:PrivacyPolicyURL>
            <esc:PrivacyPolicyURL xml:lang="en">vhttps://www.onewelcome.com/privacy-policy</esc:PrivacyPolicyURL>
            <esc:HerkenningsmakelaarId>00000003520354760000</esc:HerkenningsmakelaarId>
            <esc:SSOSupport>false</esc:SSOSupport>
            <esc:ServiceCertificate>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo>
            <ds:KeyName>current</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>MIIIEjCCBfqgAwIBAgIUa7AwYPJTDPDndFX3NIxw7uIlnEAwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNVBAYTAk5MMSAwHgYDVQQKDBdRdW9WYWRpcyBUcnVzdGxpbmsgQi5WLjEXMBUGA1UEYQwOTlRSTkwtMzAyMzc0NTkxNjA0BgNVBAMMLVF1b1ZhZGlzIFBLSW92ZXJoZWlkIFByaXZhdGUgU2VydmljZXMgQ0EgLSBHMTAeFw0yNDA0MjMxMTQ3MTZaFw0yNzA0MjMxMTQyMDBaMG4xCzAJBgNVBAYTAk5MMRgwFgYDVQQKDA9PbmVXZWxjb21lIEIuVi4xHTAbBgNVBAUTFDAwMDAwMDAzNTIwMzU0NzYwMDAwMSYwJAYDVQQDDB1wbGF5Z3JvdW5kLnRlc3Qub25ld2VsY29tZS5pbzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALjTtCGn/l6/zHw7ucReORz3aFdqh0Ptzl4wEJxiFqNrLC/OA4NmJxYJT8kI4z6SLwW2pQ9w57he0yDbC0f2qQ1qkvz6v7q/6H4kvY/Sxsug8WQNL6hX734FBcSI7oKo/QlT9/Y73TMMDY0sxUDqcGMOSptDQs0PM+KYmZQoeSPC2HiilKerhqAODJuFgiXqqrOhEpTM8rn9Fk2urGCWGYzUTho6fYJG7FCDc7RnYDd55Sfih1fQyDIES5k+OatqA2fovC5vfr5Vyi0Vup6OQw/Y1vWQi5zGa/pEQCZ7ICHwu2Ml1mxQpzEjn9/mBCKvrVs84SwIn6wGQlW1HfRmVpFOUWH4ogFgv7VT68fcNjuXMwgxKHzIx/Xxd8DwpNDvuPigIbivp9d4HVk37sBhu9J9JocXmSqvBMZVX/41ITVySNCocenx3Mt9a1CyDCGlsiTd2ZeTVIUkL/b5OIARnV4vVf1MInkgDAWaO2gnx+WY74WWMeyQBveufDvKMto9Q4vdAt1eCwkUFpyr7991UygTe0p3FfvYy9QnGNoZBBFcrJvGlDD2eL4EpOlep2Z3y1fDdQr77yHcd26FXnhw6KxbiJ3eyQKAr61RKHhdx9MX0Uhr+TujUuxkq5E/Wa8C1f1zBdVHqlyAEwlUTfMwB+kkTSomC8awpWq8uP1GY13AgMBAAGjggKTMIICjzAfBgNVHSMEGDAWgBS5bKYTursvNGODMS75fkkd3wD1YzB9BggrBgEFBQcBAQRxMG8wPgYIKwYBBQUHMAKGMmh0dHA6Ly90cnVzdC5xdW92YWRpc2dsb2JhbC5jb20vcGtpb3ByaXZzZXJ2ZzEuY3J0MC0GCCsGAQUFBzABhiFodHRwOi8vc2wub2NzcC5xdW92YWRpc2dsb2JhbC5jb20wKAYDVR0RBCEwH4IdcGxheWdyb3VuZC50ZXN0Lm9uZXdlbGNvbWUuaW8wggEwBgNVHSAEggEnMIIBIzCCAR8GCmCEEAGHawECCAYwggEPMDQGCCsGAQUFBwIBFihodHRwOi8vd3d3LnF1b3ZhZGlzZ2xvYmFsLmNvbS9yZXBvc2l0b3J5MIHWBggrBgEFBQcCAjCByQyBxlJlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiB0aGUgcmVsZXZhbnQgUXVvVmFkaXMgQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQgYW5kIG90aGVyIGRvY3VtZW50cyBpbiB0aGUgUXVvVmFkaXMgcmVwb3NpdG9yeSAoaHR0cDovL3d3dy5xdW92YWRpc2dsb2JhbC5jb20pLjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5xdW92YWRpc2dsb2JhbC5jb20vcGtpb3ByaXZzZXJ2ZzEuY3JsMB0GA1UdDgQWBBQxCEsW9s60UBI0kKqHcveSLUjouDAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQELBQADggIBABUL/o+kuwsZzBTBoy+UsUil48bDen2R1Yquhy7dYCEcGZeitXs32Er4X8gyOROqi4E//FaijifzpmuAsf9j9h8jMYrcVEpPDqbPegjZ8Kyf3c+Pc5aNrtgQz5ohv/O640t4fe8KhqEE3jusGhDMhYEH7bBhEg1P3I9dW7RiTFkYKJxrChj2j0rcf9lAG/Tlg/wNaXxP7EMsFdos2CIA5m8k5R9prNYlaEYBYFkBuJS9SBqraemRI7H+3rjPZ5Pvcfe1P5l+N6cgh+6XEfGXsVr6nl2qrTWt505igbIwb1+AbXKOjBAyy54CrBbii2GcPpYSjl+X3xk61vhIecmL3SQ+F4LSM3QYc66DBf9p0TaUxm40LhrppmySzAfpt/WcdNyI09p9AtZ7rweALWexNKsTZ8mqCjNGm33wW37nCkd4+0o7RW/K3St1DSKH63GnA6zj76hX+WBkY8RD/g7ZjMz5IcwFcmiBNL8EdDZ5qyYprbhIaU46+nM9tWYs62TacbbRiIzf24PwQVmTbqSZRu2LRoYPWymElbGgxFqKg8r/v6rbcM2D0OuZy8OKXOzfGF5XlDdrX91GIJEYvHnJyrho01x3G9KLiuWfMCxBU/4aFIwZhZiC8HTU4IWlzKjypmlggAG46e3GCyNpEpd1V2U1cafKthVTiLrt0nhXQ3z2</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </esc:ServiceCertificate>
      <esc:Classifiers>
        <esc:Classifier>PublicDomain</esc:Classifier>
        <esc:Classifier>eIDAS-inbound</esc:Classifier>
      </esc:Classifiers>
      <esc:BsnkStructureVersion>2</esc:BsnkStructureVersion>
      <esc:BsnkRecipientKeySetVersion>20240423</esc:BsnkRecipientKeySetVersion>
      </esc:ServiceInstance>
    </esc:ServiceProvider>
</esc:ServiceCatalogue>

copy link to clipboardTest accounts for pre-production

The eHerkenning broker can help get test accounts in the pre-production environment.

copy link to clipboardConfigure eHerkenning in the identity broker

Typically, you provide these identity provider details for eHerkenning:

  • Display name: eHerkenning (for example)
  • Active: Select the check box
  • Metadata URL: The metadata URL for production or pre-production from the HerkenningsmakelaarId reference table
  • Entity ID (identity provider): Automatically filled when you click Load next to the metadata.
  • Entity ID (service provider): The entity ID of the connection follows this structure: urn:etoegang:DV:<OIN>:entities:<index>. The <index> is a number between 0 and 8999 that you can select to define different connections. Numbers between 9000 and 9999 are reserved for test systems. Source.
  • Signing key pair: Your PKO-o certificate (both private and public part)
  • Encryption key pair: Your PKO-o certificate (both private and public part)
  • Single logout: Do not select the check box

copy link to clipboardVariants

You always need at least one variant. If you use multiple services or want to connect eHerkenning and eIDAS under a single connection, you need two. You can add as many as you need as long as they have unique names.

copy link to clipboardVariant for eHerkenning

  • Variant name: eHerkenning (for example)
  • Service Catalog ID: urn:etoegang:DV:<OIN>:services:<Service Index>. This is the ServiceID of the ServiceInstance as defined in that service catalog.
  • Force authentication: Select the check box
  • Variant flavour: eHerkenning
  • Authentication context class reference: EH2+ or higher, it must match the Loa of the service in the service catalog.

copy link to clipboardVariant for eIDAS

  • Variant name: eIDAS (for example)
  • Service Catalog ID: urn:etoegang:DV:<OIN>:services:<Service Index>. This is the ServiceID of the ServiceInstance as defined in that service catalog.
  • Force authentication: Select the check box
  • Variant flavour: eIDAS
  • Authentication context class reference: Low or higher, it must match the Loa of the service in the service catalog.
  • eIDAS environment: Select either Production or Preproduction. It must match the environment used for the IDP metadata.
  • Decryption keys: The eHerkenning makelaar provides these keys after you provide the SAML SP metadata and the service catalog.

On this page