eHerkenning release notes

eHerkenning chain authorization update

With this release, an intermediary can perform chain authorizations on behalf of sole proprietors registered with a BSN.

1.13

  • Sole proprietors (eenmanszaken) can now use eHerkenning with their BSN (polymorphically encrypted) as the identifying attribute (ECTA).

  • Support for ECTA sets. It is now possible to add ECTA sets to a single service. This means that a service can request multiple ECTAs as mandatory, or that a service can state a preferred ECTA together with one or more alternative ECTAs that will also be allowed.

    • Example 1: Both RSIN and KvK are required

      • Set 1: RSIN & KvK

    • Example 2: First try to get RSIN, if RSIN is not available, try to get KvK

      • Set 1: RSIN

      • Set 2: KvK

    • Example 3: First try to get both RSIN and KvK, if that is not available, try to get BSN and KvK.

      • Set 1: RSIN & KvK

      • Set 2: BSN & KvK

  • The polymorphic decryption keys can be requested from the broker using a specific endpoint (PseudoID for eIDAS; BSN for eIDAS and eHerkenning). This endpoint requires an OIN and the certificate (its public key). If the customer is allowed to process a BSN, three decryption keys are returned. If the customer is not allowed to process a BSN, two decryption keys are returned. The request for decryption keys can also be started from the Connectis adapter (new versions).

  • For customers who want to provide the IdP selection on their own page, country codes for the available eIDAS countries are now available, in addition to the already available country names.

  • Personal contact information (name, email, phone number) is no longer allowed in the metadata. Contact information must not identify an individual person, which means all contact information should be generic company contact information.

  • Changing the LoA of an existing service is no longer allowed. If the LoA of a service should be changed, a new service needs to be created.

  • For eIDAS services, SPs are required to use the eIDAS login buttons provided by Logius. See the Logius website: https://magazines.logius.nl/eidas/2017/01/communiceren-met-europese-gebruikers

  • Signing services have been removed from the specifications.

  • Chain authorisations can now be used to authorise an organisation (often an external agency or intermediary), to carry out an online service with eHerkenning. Chain authorisations allow acting on behalf of sole proprietors. Read more about chain authorisations (in Dutch).
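The ECTA set examples in the 1.13 notes can be read as an ordered preference list in which every ECTA inside a set is mandatory. The following is an added illustration of that reading, not broker or Connectis code; the function names and the `KNOWN_ECTAS` list (limited to the ECTAs named in these notes) are assumptions made for the example.

```python
from typing import Iterable, Optional, Sequence

# Assumption: only the ECTA names that appear in these release notes.
KNOWN_ECTAS = {"RSIN", "KvK", "BSN"}


def validate_ecta_sets(ecta_sets: Sequence[Iterable[str]]) -> list[frozenset[str]]:
    """Normalise a service's ordered ECTA sets and reject malformed configuration."""
    if not ecta_sets:
        raise ValueError("a service needs at least one ECTA set")
    normalised: list[frozenset[str]] = []
    for position, members in enumerate(ecta_sets, start=1):
        ecta_set = frozenset(members)
        # An empty set is a subset of anything and would match every user.
        if not ecta_set:
            raise ValueError(f"set {position} is empty")
        unknown = ecta_set - KNOWN_ECTAS
        if unknown:
            raise ValueError(f"set {position} has unknown ECTA(s): {sorted(unknown)}")
        if ecta_set in normalised:
            raise ValueError(f"set {position} duplicates an earlier set")
        normalised.append(ecta_set)
    return normalised


def resolve_ecta_set(ecta_sets, available) -> Optional[tuple[int, frozenset[str]]]:
    """Return (1-based set number, set) for the first set that is fully available.

    Every ECTA in a set is mandatory, so a partially available set is skipped.
    Returns None when no set can be satisfied, so the caller can fail closed.
    """
    have = frozenset(available)
    for position, ecta_set in enumerate(validate_ecta_sets(ecta_sets), start=1):
        if ecta_set <= have:
            return position, ecta_set
    return None


# The three examples from the release notes, in preference order.
EXAMPLE_1 = [{"RSIN", "KvK"}]
EXAMPLE_2 = [{"RSIN"}, {"KvK"}]
EXAMPLE_3 = [{"RSIN", "KvK"}, {"BSN", "KvK"}]

if __name__ == "__main__":
    # Constructed case: BSN and KvK are available, RSIN is not.
    print(resolve_ecta_set(EXAMPLE_3, {"BSN", "KvK"}))
```
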

1.11(SP)

This version supports all incoming eIDAS connections, including usage of BSN.

Signing service has been added to the specifications.

Service intermediation has been added to the specifications. This means that the same service can be offered by more than one service provider.

1.9

A ServiceUUID is added to the service catalog, to enable transferring services to, or sharing services with, other service providers without losing authorizations.

The portal functionality is extended, making it possible for the user to log in for multiple services at the same time.

Artifact binding is used for all interfaces, to create a better user experience.

End-to-end encryption is applied to protect all attributes and identifying characteristics.