Please follow these steps to enable DigiD SAML 2.0:
Download the DigiD Checklist published by Logius on their website.
Make sure you familiarise yourself with the testing criteria that Logius maintains for using DigiD in your service, and use this information to prepare your service for DigiD. Logius will test compliance after the connection is established.
Dutch law requires you to sign a Verwerkersovereenkomst (Processor Agreement) with Connectis. You can contact [email protected] to receive a default template.
Connectis Identity Broker must be configured on a domain name that is controlled by the organization that requests the DigiD connection. This has to be the organization that is allowed to process BSN. Follow Setting up a domain name to change the domain name of your Connectis Identity Broker if required.
Contact Logius and request a pre-production connection. You can use this connection to test your pre-production environment. Logius will need up to 5 working days to process your request.
Logius will provide you with metadata. Send this metadata file to [email protected]
Run through the Logius checklist to prepare to test your DigiD connection on pre-production.
Logius must perform tests on your pre-production connection. This will take up to 5 working days. When the tests are done, you will receive their findings. When your connection is approved, you can continue to connect to production.
As described in the Logius DigiD Checklist, the Connectis Identity Broker must be configured on a domain name that is controlled by the organization that requests the DigiD connection. This has to be the organization that is allowed to process BSN. Follow Setting up a domain name to change the domain name of your Connectis Identity Broker if required.
Logius requires you to use a PKI Overheid (Government) CA 2020 certificate.
Contact Logius and request a production connection. Logius will need up to 5 working days to process your request.
Send the metadata of the connection to Connectis, as described in the pre-production steps above.
Logius will activate your connection for DigiD SAML.
Within 2 months after going live, have a DigiD assessment performed by a Registered ETP Auditor and send the report with its findings to Logius.
If you have enabled other authentication methods in addition to DigiD, you can use the NameQualifier attribute of the NameID in the SAML responses sent to your Service to detect in your application whether DigiD was used to log in for this request. For a DigiD login the NameQualifier holds the DigiD IdP entity ID and the NameID value has the form "sector number:bsn":

    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                   NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">sector number:bsn</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="..." NotOnOrAfter="..." Recipient="..."/>
      </saml:SubjectConfirmation>
    </saml:Subject>
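The following Python example is added here to show how an application can read that Subject element and decide whether the login came from DigiD; it is not code from Connectis or Logius. It assumes the SAML response signature has already been verified by your SAML library before the Subject is inspected, uses the pre-production NameQualifier shown above plus a labelled placeholder for the production entity ID (take the real value from the metadata Logius sends you), and embeds two constructed Subject fragments with a made-up sector number and BSN. Besides the NameQualifier check it also validates the bearer SubjectConfirmationData (Recipient, InResponseTo, NotOnOrAfter), which a service should do before trusting the NameID.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# NameQualifier values that identify the DigiD IdP. The pre-production value is the
# one shown on the page; the production entityID comes from the Logius metadata and
# is left as an obvious placeholder here (assumption, replace with the real value).
DIGID_NAME_QUALIFIERS = {
    "https://was-preprod1.digid.nl/saml/idp/metadata",
    "PLACEHOLDER-production-digid-entityid",
}

# Constructed sample: a DigiD pre-production Subject. Sector number and BSN are made up.
SAMPLE_DIGID_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
               NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">s00000000:999999990</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req-0001"
                                  NotOnOrAfter="2030-01-01T12:00:00Z"
                                  Recipient="https://sp.example.org/saml/acs"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""

# Constructed sample: the same Service, but the user logged in through another IdP.
SAMPLE_OTHER_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
               NameQualifier="https://idp.example.org/metadata">user@example.org</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req-0002"
                                  NotOnOrAfter="2030-01-01T12:00:00Z"
                                  Recipient="https://sp.example.org/saml/acs"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""


def parse_subject(subject_xml):
    """Pull NameID, its attributes and the SubjectConfirmationData out of a <saml:Subject>."""
    root = ET.fromstring(subject_xml)
    name_id = root.find("saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise ValueError("Subject has no NameID")
    conf = root.find("saml:SubjectConfirmation", SAML_NS)
    data = conf.find("saml:SubjectConfirmationData", SAML_NS) if conf is not None else None
    attr = (lambda el, k: el.get(k) if el is not None else None)
    return {
        "name_id": name_id.text.strip(),
        "format": name_id.get("Format"),
        "name_qualifier": name_id.get("NameQualifier"),
        "method": attr(conf, "Method"),
        "in_response_to": attr(data, "InResponseTo"),
        "not_on_or_after": attr(data, "NotOnOrAfter"),
        "recipient": attr(data, "Recipient"),
    }


def is_digid_login(subject):
    """True when the NameQualifier names the DigiD IdP."""
    return subject["name_qualifier"] in DIGID_NAME_QUALIFIERS


def split_digid_name_id(name_id):
    """A DigiD NameID is 'sector number:bsn'; return (sector number, bsn)."""
    sector, sep, bsn = name_id.partition(":")
    if not sep or not sector or not bsn:
        raise ValueError("NameID is not in 'sector number:bsn' form")
    return sector, bsn


def _parse_utc(value):
    """Parse a SAML xs:dateTime such as 2030-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def subject_confirmation_ok(subject, expected_recipient, expected_request_id, now_iso=None):
    """Bearer confirmation: method, Recipient, InResponseTo and expiry must all check out."""
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    if subject["method"] != BEARER:
        return False
    if subject["recipient"] != expected_recipient:
        return False  # assertion was issued for a different ACS endpoint
    if subject["in_response_to"] != expected_request_id:
        return False  # not an answer to the AuthnRequest this session sent
    if not subject["not_on_or_after"]:
        return False  # no expiry means we cannot bound replay
    return now < _parse_utc(subject["not_on_or_after"])


if __name__ == "__main__":
    for label, xml in (("digid", SAMPLE_DIGID_SUBJECT), ("other", SAMPLE_OTHER_SUBJECT)):
        s = parse_subject(xml)
        print(label, "DigiD login:", is_digid_login(s), "NameID:", s["name_id"])
```

The checks in `subject_confirmation_ok` are the ones a Service should run on every response regardless of which IdP was used; `is_digid_login` is only the routing decision that tells the application to treat the NameID as a BSN (and therefore as data it is allowed to process) rather than as an identifier from another IdP.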