DigiD SAML 2.0

Please follow these steps to enable DigiD SAML 2.0:

  • Download the DigiD Checklist published by Logius on their website.

  • Make sure you familiarise yourself with the testing criteria that Logius maintains for using DigiD in your service, and use this information to prepare your service for DigiD. Logius will test compliance after the connection is established.

  • Dutch law requires you to sign a Verwerkersovereenkomst (Processor Agreement) with Connectis. You can contact [email protected] to receive a default template.

Connecting to pre-production

  • Connectis Identity Broker must be configured on a domain name that is controlled by the organization that requests the DigiD connection. This has to be the organization that is allowed to process BSN. Follow Setting up a domain name to change the domain name of your Connectis Identity Broker if required.

  • Contact Logius and request a pre-production connection. You can use this connection to test your pre-production environment. Logius will need up to 5 working days to process your request.

  • Logius will provide you with metadata. Send this metadata file to [email protected]

  • Run through the Logius checklist to prepare to test your DigiD connection on pre-production.

  • Logius must perform tests on your pre-production connection. This will take up to 5 working days. When the tests are done, you will receive their findings. When your connection is approved, you can continue to connect to production.

Connecting to production

  • As described in the Logius DigiD Checklist, the Connectis Identity Broker must be configured on a domain name that is controlled by the organization that requests the DigiD connection. This has to be the organization that is allowed to process BSN. Follow Setting up a domain name to change the domain name of your Connectis Identity Broker if required.

  • Logius requires you to use a PKI Overheid (Government) CA 2020 certificate.

  • Contact Logius and request a production connection. Logius will need up to 5 working days to process your request.

  • Send the metadata of the connection to Connectis, as described in the pre-production steps above.

  • Logius will activate your connection for DigiD SAML.

Audit your DigiD connection within 2 months

  • Within 2 months after going live, execute a DigiD assessment via a Registered ETP Auditor and send the report with findings to Logius. More information

If you have enabled authentication methods other than DigiD, your application can use the NameQualifier attribute of the NameID in the SAML responses sent to your Service to detect that DigiD was used to log in for this request. The NameQualifier holds the metadata URL of the DigiD IdP that issued the identifier:

<saml:Subject>
  <saml:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">
    sector number:bsn
  </saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData
        InResponseTo="..." NotOnOrAfter="..." Recipient="..."/>
  </saml:SubjectConfirmation>
</saml:Subject>
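The following is an added example, not code from this page or from Connectis, showing how a Service could inspect the Subject above: it reads the NameQualifier and compares it against an allowlist of known DigiD IdP metadata URLs, and it checks the bearer SubjectConfirmationData (InResponseTo, Recipient, NotOnOrAfter) that the snippet shows. The pre-production NameQualifier is the one from the snippet; the production value, the Recipient URL and the request ID are constructed placeholders, and the sample Subject is constructed for this example. It assumes the enclosing Response/Assertion signature has already been validated by your SAML library, since an unsigned NameQualifier proves nothing.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Known DigiD IdP NameQualifier values. The pre-production URL is the one shown
# in the Subject above; the production entry is a PLACEHOLDER to be replaced
# with the value from the metadata Logius provides for your production connection.
DIGID_NAME_QUALIFIERS = {
    "https://was-preprod1.digid.nl/saml/idp/metadata",
    "https://PRODUCTION-DIGID-IDP-PLACEHOLDER/saml/idp/metadata",
}

# Constructed sample Subject (not a real response). The NameID text keeps the
# page's "sector number:bsn" placeholder; the other values are invented.
SAMPLE_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">
    sector number:bsn
  </saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData
        InResponseTo="_req-1234" NotOnOrAfter="2030-01-01T00:00:00Z"
        Recipient="https://broker.example.org/saml/acs"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""

# Constructed Subject from some other (non-DigiD) IdP, same shape, different qualifier.
OTHER_IDP_SUBJECT = SAMPLE_SUBJECT.replace(
    "https://was-preprod1.digid.nl/saml/idp/metadata", "https://idp.example.net/metadata"
)


def utc(iso):
    """Parse an ISO-8601 UTC timestamp such as 2030-01-01T00:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_subject(subject_xml):
    """Return (NameID element, SubjectConfirmationData element); either may be None."""
    root = ET.fromstring(subject_xml)
    name_id = root.find("saml:NameID", NS)
    data = root.find("saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return name_id, data


def digid_name_qualifier(subject_xml):
    """Return the NameQualifier attribute of the NameID, or None if absent."""
    name_id, _ = parse_subject(subject_xml)
    return None if name_id is None else name_id.get("NameQualifier")


def is_digid_login(subject_xml, allowed=DIGID_NAME_QUALIFIERS):
    """True only when the NameQualifier is one of the known DigiD IdP URLs."""
    return digid_name_qualifier(subject_xml) in allowed


def name_id_value(subject_xml):
    """Return the NameID text ('sector number:bsn' format), stripped of whitespace."""
    name_id, _ = parse_subject(subject_xml)
    return None if name_id is None or name_id.text is None else name_id.text.strip()


def check_subject_confirmation(subject_xml, expected_in_response_to, expected_recipient, now):
    """Check the bearer confirmation data; return a list of problems (empty if OK).

    expected_in_response_to: ID of the AuthnRequest this Service issued.
    expected_recipient: this Service's AssertionConsumerService URL.
    now: current time as an aware datetime.
    """
    _, data = parse_subject(subject_xml)
    if data is None:
        return ["missing SubjectConfirmationData"]
    problems = []
    if data.get("InResponseTo") != expected_in_response_to:
        problems.append("InResponseTo does not match the AuthnRequest we issued")
    if data.get("Recipient") != expected_recipient:
        problems.append("Recipient is not our AssertionConsumerService URL")
    not_on_or_after = data.get("NotOnOrAfter")
    if not_on_or_after is None:
        problems.append("NotOnOrAfter missing")
    elif now >= utc(not_on_or_after):
        problems.append("assertion expired (NotOnOrAfter passed)")
    return problems


if __name__ == "__main__":
    print("DigiD login:", is_digid_login(SAMPLE_SUBJECT))
    print("NameID:", name_id_value(SAMPLE_SUBJECT))
    print("confirmation problems:", check_subject_confirmation(
        SAMPLE_SUBJECT, "_req-1234", "https://broker.example.org/saml/acs",
        datetime.now(timezone.utc)))
```

The allowlist is deliberately exact-match: a prefix or substring test on the NameQualifier would let a differently named IdP pass as DigiD. The InResponseTo value should be looked up against the request IDs your Service actually issued and then discarded, so a response can only be consumed once.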