eHerkenning and/or eIDAS

Please follow these steps to enable eHerkenning/eIDAS:

Getting started

  • Familiarise yourself with eHerkenning/eIDAS

  • Sign the Self-Declaration (Zelfverklaring), in which you declare that you agree to the requirements and agreements of the eHerkenning federation (https://afsprakenstelsel.etoegang.nl), and send the signed self-declaration to technicalsupport@connectis.com. Perform this step for each service that you want to publish in the eHerkenning and/or eIDAS service catalogue.

  • The Connectis Identity Broker must be configured on a domain name that is controlled by your organisation. Follow Setting up a domain name to change the domain name of your Connectis Identity Broker if required.

  • The Connectis Identity Broker must be configured with two certificates, one for pre-production and one for production, which are used to cryptographically sign the messages between the Connectis Identity Broker and the eHerkenning/eIDAS network. These certificates must be G3 certificates with a key length of at least 2048 bits. Connectis prefers EV (extended validation) SSL SHA2 certificates with 4096-bit keys. You can choose to reuse an existing PKIO certificate.

  • Determine which services you want to connect to eIDAS/eHerkenning. Please provide the following information for each service:

    • Name

    • Description

    • Web page

    • Level of Assurance

    Connectis can support you in determining the necessary Level of Assurance for a service, the naming of that service, and in setting up an authorisation model for that service with the right granularity.

  • A variety of identifying attributes (EntityConcernedTypes) can be returned in the responses in eIDAS / eHerkenning. Choose an EntityConcernedTypesAllowed for your service.

  • Your service can request attributes as specified in the eIDAS & eHerkenning attribute catalogue.

  • However, it is not guaranteed that attributes will actually be delivered to all users in eIDAS & eHerkenning: users to whom attributes are not returned should also be able to log in. See RequestedAttributes for more information on which attributes you can request.
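
The two attribute points above (an identifier is returned, requested attributes may be absent), shown as an added example that is not Connectis code. It assumes your application receives the response as a SAML 2.0 AttributeStatement that your SAML library has already validated; the attribute names and sample values are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: the response signature was already checked by your SAML stack.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed names; take the real ones from the attribute catalogue.
ID_ATTR = "example:EntityConcernedID"
REQUESTED = {"example:attribute:FirstName", "example:attribute:Email"}

def read_attributes(statement_xml):
    """Map attribute name -> non-empty values of an AttributeStatement."""
    root = ET.fromstring(statement_xml)
    found = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if values:  # an empty value counts as "not delivered"
            found[attr.get("Name")] = values
    return found

def login(statement_xml):
    """Require only the identifier; requested attributes are optional."""
    attrs = read_attributes(statement_xml)
    ids = attrs.get(ID_ATTR, [])
    if len(ids) != 1:
        raise PermissionError("response carries no single identifier")
    # Allow-list: keep what was requested, ignore anything else.
    profile = {n: attrs[n][0] for n in REQUESTED if n in attrs}
    return {"subject": ids[0], "profile": profile,
            "missing": sorted(REQUESTED - set(profile))}

def _statement(pairs):
    """Build a constructed AttributeStatement for the demo below."""
    body = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s'
        '</saml:AttributeValue></saml:Attribute>' % p for p in pairs)
    return ('<saml:AttributeStatement xmlns:saml="%s">%s'
            '</saml:AttributeStatement>' % (NS["saml"], body))

# Constructed sample responses: one complete, one with attributes withheld.
FULL = _statement([(ID_ATTR, "12345678"),
                   ("example:attribute:FirstName", "Jan"),
                   ("example:attribute:Email", "jan@example.org")])
SPARSE = _statement([(ID_ATTR, "12345678"),
                     ("example:attribute:Email", " ")])

if __name__ == "__main__":
    print(login(FULL))
    print(login(SPARSE))  # still logs in; both attributes reported missing
```

The application can use the "missing" list to ask the user for those details itself instead of refusing the login.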

Connecting to pre-production

  • Prepare and send your eHerkenning/eIDAS Service Catalogue to Connectis. In this XML file, you will define what service you want to make available in the eHerkenning/eIDAS network. Connectis will process your Service Catalogue and publish it on the testing network of eHerkenning/eIDAS.

  • Request pre-production accounts so that you can test your connection on pre-production. A pre-production account can be requested via https://connectis.com/nl/testmiddel-aanvragen/.

  • It is not necessary to run tests using multiple identity providers (authentication services): Connectis ensures that eHerkenning works correctly with all different identity providers in the network.

  • If you require an account to test eIDAS, please contact technicalsupport@connectis.com.

  • Test your connection by logging into your pre-production service via eHerkenning, using your pre-production test accounts.

Preparing your connection to production

  • Give Connectis your permission to distribute your service catalogue into the eHerkenning/eIDAS network. This will make your service available. Only after this step can users be authorised for your service!

Going to production

  • When your connection is active, it can be used by end users immediately. Send your planned date of going to production to technicalsupport@connectis.com. This allows Connectis to be on standby in case of any problems.