HomeSignicat WebsiteSupportGet Started
Search…
Signicat Documentation
Releases
Release Notes: Signicat NextGen
Release Notes
MySignicat
MySignicat Overview
MySignicat Dashboard
Federation Dashboard
Admins Management
Signicat Identity Broker
Identity Broker Overview
Certificates in Identity Broker
Identity Broker Dashboard
Service Providers
Authentication Providers
Message Log
Broker Settings
SAML Attribute Consuming Services
Level of Assurance Contracts
Attribute Filters
Service Catalogue
Broker Services
Broker Features
eHerkenning Broker
Intro to eHerkenning Broker
Direct Connection to eHerkenning Broker
eHerkenning Service Catalogue
Example Messages
Certificates in eHerkenning Broker
BSNk Polymorphic Decryption Keys
Interface Management
Communication
OwnIdP
OwnIdP Overview
OwnIdP Dashboard
Managing Organisations
Managing Roles
Managing Roles per Service Provider
Managing Users
Custom Attributes
OwnIdP Settings
SCIM API v1.0
Signicat Adapters
SDK Overview
Mobile SDK
Web SDK
Manual SDK Configuration
Knowledgebase
Changes to IdP-scoping in Signicat Identity Broker
eHerkenning Broker Migration
Frequently Asked Questions
Glossary of Terms
ID Method Overview
Protocol Information
Signicat Support
Connectis Legacy Content
Powered By GitBook
Direct Connection to eHerkenning Broker
The following steps will outline how to configure a direct connection to the eHerkenning Broker.
IMPORTANT: This chapter discusses direct connections to the eHerkenning Broker. If you are using the Signicat Identity Broker, instead follow the steps for integration of eHerkenning in the Identity Broker.

Signicat eHerkenning Broker certificate

Your application may need to trust the Signicat eHerkenning broker certificates. You can download them here directly:

Pre-production

eh.pre.signicat.nl.cer
4KB
Binary

Production

eh.signicat.nl.cer
3KB
Binary

Login representation flow

The representation flow is the flow where the user logs in to act on behalf of a company.
Step 1: The service provider sends an AuthnRequest to the eHerkenning broker via Artifact binding, Post binding or Redirect binding to the relevant SingleSignOnService of the eHerkenning broker from the metadata.
Example:
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://eh01.staging.connectis.nl/broker/sso/1.13"/>
Example AuthnRequest:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AttributeConsumingServiceIndex="6"
Destination="https://eh01.staging.connectis.nl/broker/sso/1.13"
ForceAuthn="false"
ID="_91b639b6cdeb6fe2c618f762a9b96e9a"
IssueInstant="2021-04-23T11:28:42.471Z"
ProviderName="Example"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:etoegang:DV:00000003244440010000:entities:0006</saml2:Issuer>
</saml2p:AuthnRequest>
Step 2: The eHerkenning Broker verifies the signature and SAMLRequest.
Step 3: The eHerkenning Broker determines the service that is being requested, based on the OIN of the issuer and the AttributeConsumingServiceIndex.
The AttributeConsumingServiceIndex could optionally be mapped by AttributeConsumingServices in the metadata to another index. In below example, index 2 maps to index 50. And, if no AttributeConsumingServiceIndex is sent, index will be 1 (because of isDefault)
Step 4: Show IdP selection screen. Filter IdP from the network metadata based on:
  • requested LoA (each IdP specifies a maximum LoA they support)
  • Requested ECTAset (some IdPs do not support certain ECTA, e.g. Pseudo)
Step 5: Create an IdP request and send to the IdPs Single SignOn Service using Artifact binding.
Example: https://acc-ehlogin.we-id.nl/ad113_preprod/process?SAMLart
Once the above steps have been followed, next, you access eHerkenning.

Access the eHerkenning Broker

To proceed, an authentication method with at least a Level of Assurance (LoA) 3 must be used. More information on purchasing an eHerkenning Level 3 supplier can be found on the leveranciersoverzicht page.
Using the dropdown, select the provider of the authentication method to choose how to log in.
eHerkenning Broker IdP screen

eHerkenning Level 3 suppliers

You can choose an authentication method from the following suppliers that offer LoA level 3. Use the links to find out more about each supplier:
eHerkenning Broker - Previous
Intro to eHerkenning Broker
Next - eHerkenning Broker
eHerkenning Service Catalogue
Last modified 1mo ago
Copy link
Outline
Signicat eHerkenning Broker certificate
Login representation flow
Access the eHerkenning Broker
eHerkenning Level 3 suppliers