Please follow these steps to enable DigiD CGI:
Download the DigiD Checklist published by Logius.
Make sure you familiarise yourself with the testing criteria that Logius maintains for using DigiD in your service, and use this information to prepare your service for DigiD. Logius will test compliance after the connection is established.
Dutch law requires you to sign a Verwerkersovereenkomst (Processor Agreement) with Connectis. You can contact [email protected] to receive a default template.
Connectis Identity Broker must be configured on a domain name that is controlled by the organization that requests the DigiD connection. This has to be the organization that is allowed to process BSN. Follow Setting up a domain name to change the domain name of your Connectis Identity Broker if required.
Contact Logius and request a pre-production connection. You can use this connection to test your pre-production environment. Logius will need up to 5 working days to process your request.
Logius will provide you with details on your connection.
Send these details to [email protected] using a password-protected zip file. Call Connectis by phone to transfer the password, using phone number 088-012 02 10.
Run through the Logius checklist to prepare to test your DigiD connection on pre-production.
Logius must perform tests on your pre-production connection. This will take up to 5 working days. When the tests are done, you will receive their findings. When your connection is approved, you can continue to connect to production.
As described in the Logius DigiD Checklist, the Connectis Identity Broker must be configured on a domain name that is controlled by the organization that requests the DigiD connection. This has to be the organization that is allowed to process BSN. Follow Setting up a domain name to change the domain name of your Connectis Identity Broker if required.
Logius requires you to use a PKI Overheid (Government) CA 2020 certificate.
Contact Logius and request a production connection. Logius will need up to 5 working days to process your request.
Send the metadata of the connection to Connectis in the same way as for pre-production (password-protected zip file, password transferred by phone).
You must activate your credentials at Logius.
Within 2 months after going live, execute a DigiD assessment via a Registered ETP Auditor and send the report with findings to Logius.
If you have enabled authentication methods other than DigiD, your application can use the NameQualifier attribute of the NameID in the SAML responses sent to your Service to detect that DigiD was used to log in for this request. For the pre-production connection the NameQualifier is the DigiD IdP metadata URL shown below, and the NameID value has the form "sector number:bsn":

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
               NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">sector number:bsn</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="..." NotOnOrAfter="..." Recipient="..."/>
  </saml:SubjectConfirmation>
</saml:Subject>
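The following is an added example, not code from the Connectis documentation, showing how a Service can apply this check: it inspects the Subject of an assertion like the one above and only treats the NameID as a DigiD BSN when the NameQualifier matches a known DigiD IdP. It assumes Python's standard library XML parser, constructed sample assertions, a constructed "s00000000" sector number, a placeholder for the production NameQualifier (taken from the connection details Logius provides), and that the assertion's XML signature has already been validated before this code runs.

```python
from xml.etree import ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# NameQualifier values that identify the DigiD IdP. The pre-production value is the
# one shown on this page; the production value is a placeholder to be replaced with
# the metadata URL from the connection details supplied by Logius (assumption).
DIGID_NAME_QUALIFIERS = {
    "https://was-preprod1.digid.nl/saml/idp/metadata",
    "https://PRODUCTION-DIGID-IDP-METADATA-URL-PLACEHOLDER",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def digid_subject(assertion_xml: str):
    """Return (is_digid, sector_number, bsn) for the Subject of a SAML assertion.

    The NameQualifier alone decides whether DigiD was used; a NameID issued by any
    other IdP yields (False, None, None) so its value is never mistaken for a BSN.
    Must only be called on an assertion whose signature was already validated.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    if name_id is None:
        return (False, None, None)
    if name_id.get("NameQualifier", "") not in DIGID_NAME_QUALIFIERS:
        return (False, None, None)
    if name_id.get("Format") != UNSPECIFIED:
        return (False, None, None)
    # DigiD encodes the identifier as "sector number:bsn"; split on the first colon.
    sector, _, bsn = (name_id.text or "").strip().partition(":")
    if not sector or not bsn:
        return (False, None, None)
    return (True, sector, bsn)


# Constructed sample assertions (not real DigiD responses; BSN value is made up).
DIGID_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">s00000000:999999990</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

OTHER_IDP_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        NameQualifier="https://idp.example.org/saml/metadata">alice@example.org</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""
```

Because the sector number and BSN are only returned for a DigiD NameQualifier, a login through another IdP with a colon in its identifier cannot be stored as a BSN by mistake.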