Connection checklist

Preparation

Contract

The contract between you and Connectis must be signed and sent to sales@connectis.nl. We cannot start the set-up process until we have received the signed contract.

Declaration

You need to sign the declaration agreeing to abide by the requirements and arrangements of the trust framework (https://afsprakenstelsel.etoegang.nl), and send it to technicalsupport@connectis.nl. A declaration is required for any service that is connected to eHerkenning and eIDAS. This declaration needs to be signed by a legal representative of the company.

Application

Your application must be capable of supporting eIDAS and eHerkenning 1.11 and the functions you wish to enable. The interface specifications are available here: https://afsprakenstelsel.etoegang.nl/display/as/Interface+specifications. Please note that the attributes and identifying characteristics returned by eHerkenning and eIDAS differ. More information about identifying characteristics can be found under EntityConcernedTypesAllowed.

Connectis Adapter

Connectis has developed various adapters that make it easy to interface with the Connectis Identity Broker. Java and .NET versions of the adapters are available. If you would like an adapter (and supporting documentation), please mail your account manager. To use one of our adapters, you will need to sign an EULA.

For more information regarding the Connectis Adapters, see the section in API Documentation.

Applying for a connection

PKI Government certificate

You need to have two PKI Overheid (Government) G3 certificates with a key length of at least 2048 bits (one certificate for preproduction and one for production). The private keys of these certificates are used to sign the eHerkenning messages your application sends; only the public certificate is published in your SAML metadata, and the private key must stay on your own systems. Existing PKI Government certificates can be reused.

Things you need to decide

Services and assurance levels

You need to decide which services you want connected to eIDAS and eHerkenning. We will need the following details of each service:

  • Name

  • Description

  • Web page

  • Assurance level

Connectis can provide guidance on appropriate assurance levels, naming, and the granularity and structure of the authorisation model.

Identifying characteristic type

eIDAS and eHerkenning can return various types of identifying characteristic (EntityConcernedTypes). You can indicate which identifying characteristic your service can accept by selecting an EntityConcernedTypesAllowed.

Attributes

You can request any of the attributes specified in the attribute catalog for eIDAS and eHerkenning (https://afsprakenstelsel.etoegang.nl/display/as/Attribuutcatalogus). However, please be aware that the delivery of requested attributes is not guaranteed within eIDAS and eHerkenning: your application must not depend on a requested attribute being present, and users whose attributes are not provided must nevertheless be able to log in successfully. See RequestedAttributes for details of the attributes you can request.

Realisation

Step 1 - Pre-production

Send pre-production SAML metadata to Connectis

The SAML metadata consists of an XML file detailing the URLs and certificates used on the various interfaces. You need to generate the file within your software, and then send it to technicalsupport@connectis.nl. Further information about generating metadata is available here: https://afsprakenstelsel.etoegang.nl/display/as/DV+metadata+for+HM

Send eHerkenning service catalog to Connectis

An eIDAS and eHerkenning service catalog is an XML file defining the services that you want to be accessible using eIDAS or eHerkenning. A template service catalog is provided later in this document. Connectis will load the metadata and service catalog into its eIDAS and eHerkenning test network.

Incorporate the pre-production metadata from Connectis into your application

You need to process the SAML metadata file provided by Connectis. All the information you need to connect to Connectis's test environment is available here: https://eh01.connectis.nl/metadata/ (under Pre-production Metadata).

Perform pre-production interface tests

To test your eHerkenning interface, you need to log in using the pre-production accounts set up by Connectis. Pre-production accounts can be applied for here: https://connectis.com/nl/testmiddel-aanvragen/. You do not need to test the interface with each of the various authentication services; it is up to Connectis and the authentication services in question to ensure that they work properly. Test accounts for eIDAS-enabled services can be requested by mailing technicalsupport@connectis.nl.

Please note that, with eHerkenning, the responses you receive make use of the SAML Artifact Binding: the user's browser only delivers a short artifact to your application, and your server must then open its own (outbound) connection to the Connectis Identity Broker's artifact resolution endpoint to retrieve the actual response message. A common problem for service providers is that their firewall only allows inbound traffic and prevents the webserver from establishing this outbound connection to the Connectis Identity Broker. Therefore, if your application is not receiving responses as it should, please review your firewall settings.
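The artifact step above is where most first-time integrations stall, so it helps to see what the server actually does with the SAMLart parameter before it opens the outbound connection. The following Python script is an added example, not part of Connectis's adapters or documentation. It decodes a SAML 2.0 type 0x0004 artifact, checks that its SourceID matches the broker entityID you trust (the SourceID is the SHA-1 of the issuer's entityID, as defined in the SAML 2.0 bindings specification), and builds the ArtifactResolve message that must be sent to the broker's ArtifactResolutionService. The entityIDs are assumed placeholders, the artifact is constructed for the demo, and the signing of the ArtifactResolve request with your PKI Government certificate and the SOAP transport are left out.

```python
"""Decode a SAML 2.0 artifact, verify its SourceID, and build an ArtifactResolve request.

Added example. BROKER_ENTITY_ID and SP_ENTITY_ID are assumed placeholders; in a real
deployment both come from the exchanged metadata. Signing and SOAP transport are omitted.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ARTIFACT_TYPE = 0x0004  # the only artifact type defined by SAML 2.0

BROKER_ENTITY_ID = "https://broker.example/metadata"  # assumed; read it from the broker metadata
SP_ENTITY_ID = "https://sp.example/metadata"          # assumed; your own entityID


def make_artifact(issuer_entity_id: str, endpoint_index: int = 0, handle: bytes = None) -> str:
    """Constructed artifact, as an IdP would place it in the SAMLart parameter (demo only)."""
    handle = handle if handle is not None else secrets.token_bytes(20)
    source_id = hashlib.sha1(issuer_entity_id.encode("utf-8")).digest()
    raw = struct.pack(">HH", ARTIFACT_TYPE, endpoint_index) + source_id + handle
    return base64.b64encode(raw).decode()


def decode_artifact(artifact_b64: str) -> dict:
    """Split a type-0x0004 artifact into its fields; rejects anything else."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44:  # 2 type + 2 index + 20 SourceID + 20 MessageHandle
        raise ValueError("artifact must be exactly 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return {"endpoint_index": endpoint_index, "source_id": raw[4:24], "message_handle": raw[24:]}


def artifact_source_matches(artifact_b64: str, expected_issuer: str) -> bool:
    """True only if the SourceID is SHA-1(expected_issuer); constant-time compare."""
    try:
        fields = decode_artifact(artifact_b64)
    except ValueError:
        return False
    expected = hashlib.sha1(expected_issuer.encode("utf-8")).digest()
    return hmac.compare_digest(fields["source_id"], expected)


def build_artifact_resolve(artifact_b64: str, sp_entity_id: str, expected_issuer: str) -> bytes:
    """Build the samlp:ArtifactResolve to POST (SOAP, signed) to the broker's endpoint.

    Refuses to resolve an artifact that does not name the broker we trust, so an
    attacker cannot make our server contact an arbitrary artifact resolution service.
    """
    if not artifact_source_matches(artifact_b64, expected_issuer):
        raise ValueError("artifact SourceID does not match the trusted broker")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}ArtifactResolve", {
        "ID": "_" + secrets.token_hex(16),  # remember it: the response's InResponseTo must match
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}Artifact").text = artifact_b64
    return ET.tostring(req)


if __name__ == "__main__":
    art = make_artifact(BROKER_ENTITY_ID)
    fields = decode_artifact(art)
    # endpoint_index selects which ArtifactResolutionService (by index) in the broker
    # metadata the server must connect to; that connection is the one the firewall blocks.
    print("resolve via endpoint index", fields["endpoint_index"])
    print(build_artifact_resolve(art, SP_ENTITY_ID, BROKER_ENTITY_ID).decode())
```

In production the request is signed with your PKI Government certificate, POSTed over HTTPS to the ArtifactResolutionService location with the matching index from the broker metadata, and the ArtifactResponse that comes back must have its signature verified and its InResponseTo compared with the ID you generated; an artifact that cannot be resolved once must not be accepted a second time.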

Step 2 - Preparation for production rollout

Connectis will distribute your service catalog

Once you have successfully completed the test procedures, you should authorise Connectis to distribute your service catalog within the eIDAS and eHerkenning network. That will make your service (or services) accessible to all eHerkenning users. Please note that access for eHerkenning users is not universally enabled until distribution is complete. It is therefore important to instruct us to start distribution some time before you want access enabled.

Update your website content

You may want to tell your website users that a new log-in system is being introduced. It is a good idea to make information available explaining how eHerkenning log-ins are obtained and used.

Make sure that your support staff and other personnel know about eIDAS/eHerkenning

Your support staff need to understand what eIDAS and eHerkenning are, and what the new system's introduction means for your customers.

Step 3 - Production

Inform Connectis about your production rollout date

Connectis should be put on standby to implement a release on your chosen date. We can then reserve the necessary capacity and arrange for heightened surveillance in the period after the connection goes live.

Send production SAML metadata to Connectis

You need to generate a production SAML metadata file and send it to technicalsupport@connectis.nl.

Incorporate the production metadata from Connectis into your application

You need to process the SAML metadata file provided by Connectis. All the information you need to connect to Connectis's production environment is available here: https://eh01.connectis.nl/metadata/ (under Production Metadata). Once the interface has been activated, it is available for immediate use by your customers. Connectis will be on standby when the connection goes live, so that any problems that might arise can be dealt with promptly.