This page describes how to upgrade your version of eHerkenning.
What do I need to consider when upgrading to a more recent version of eHerkenning (1.13)?
As of January 1st 2021, eHerkenning versions older than 1.9 will no longer be supported. When upgrading to the newest version (eHerkenning 1.13), service providers connected to the eHerkenning Broker must take the following into account:
The relevant version of the metadata must be loaded into the application of the service provider. The date and time must be coordinated with technical support, because the metadata must be loaded into the Signicat application at the same moment.
Add certificate to Service Catalogue
Since the introduction of eHerkenning 1.13, it is mandatory that a certificate is added to the service in the Service Catalogue. This documentation page describes how to do this.
Format for Level of Assurance
The old format for the Level of Assurance (LoA) has been changed to urn:etoegang. The LoA specifications can be found on this website.
Modification of SAML Response
The SAML Response is returned in a different manner:
1.13 ActingSubjectID (EncryptedID) containing the specific pseudonym of the user. Previously, this was returned in the NameID.
1.13 LegalSubjectID (EncryptedID) containing the identifying characteristic of the represented body. This may be a Chamber of Commerce number, but also an RSIN number or a BSN for a sole proprietorship, for example.
The 1.13 attributes must be decrypted. The SSO broker can provide the decryption.
As of 1.9, service providers receive the Chamber of Commerce (KvK) number (in urn:etoegang:1.9:EntityConcernedID:KvKnr). Prior to this, the KvK number was formatted as the organisation identification number (OIN).
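An added example, not part of the original page or of Signicat's code: a Python check a service provider could run on a signature-verified assertion, so that application code reads the user and the represented body from the 1.13 attributes and never falls back to the NameID. The attribute names urn:etoegang:core:ActingSubjectID and urn:etoegang:core:LegalSubjectID, the decrypted NameID/NameQualifier layout and all sample values are assumptions to confirm against your broker's metadata.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute names; confirm them against the broker's metadata.
ACTING = "urn:etoegang:core:ActingSubjectID"
LEGAL = "urn:etoegang:core:LegalSubjectID"
KVK = "urn:etoegang:1.9:EntityConcernedID:KvKnr"  # identifier type named on this page


def read_subjects(assertion_xml):
    """Return {'acting': (type, value), 'legal': (type, value)}.

    Call only after the signature has been verified. Raises ValueError
    instead of falling back to the Subject NameID."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for key, name in (("acting", ACTING), ("legal", LEGAL)):
        attr = root.find(f".//saml:Attribute[@Name='{name}']", NS)
        if attr is None:
            raise ValueError(f"{name} missing: not a 1.13 response")
        if attr.find("saml:AttributeValue/saml:EncryptedID", NS) is not None:
            raise ValueError(f"{name} is still encrypted: decrypt it first")
        # Assumption: decryption yields a NameID whose NameQualifier is the type.
        ident = attr.find("saml:AttributeValue/saml:NameID", NS)
        if ident is None or not (ident.text or "").strip():
            raise ValueError(f"{name} has no usable value")
        found[key] = (ident.get("NameQualifier"), ident.text.strip())
    return found


def _assertion(acting, legal):
    """Build a constructed sample assertion from two AttributeValue bodies."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
        "<saml:NameID>constructed-transient-id</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{ACTING}"><saml:AttributeValue>{acting}'
        f'</saml:AttributeValue></saml:Attribute><saml:Attribute Name="{LEGAL}">'
        f"<saml:AttributeValue>{legal}</saml:AttributeValue></saml:Attribute>"
        "</saml:AttributeStatement></saml:Assertion>"
    )


# Constructed samples: one decrypted, one with LegalSubjectID still encrypted.
PSEUDO = '<saml:NameID NameQualifier="constructed:pseudonym">a1b2c3</saml:NameID>'
DECRYPTED = _assertion(PSEUDO, f'<saml:NameID NameQualifier="{KVK}">12345678</saml:NameID>')
STILL_ENCRYPTED = _assertion(PSEUDO, "<saml:EncryptedID/>")

if __name__ == "__main__":
    print(read_subjects(DECRYPTED))
```

Checking the type of the LegalSubjectID before using its value matters because the same attribute can carry a KvK number, an RSIN or a BSN.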
New functionality per version of eHerkenning
You can find the release notes of the different eHerkenning versions here.
As of eHerkenning 1.9, Artifact Binding on the response is mandatory. A client certificate must be sent along from the client (Mutual TLS). The client certificate used must be included in the metadata. This may be the same certificate as the signing certificate. The SSO broker can still offer the service via POST/Redirect.
If you are still using a subdossier number, you should change to the branch number, or vestigingsnummer, (urn:etoegang:1.9:ServiceRestriction:Vestigingsnr). You can find more information here.
By default, an Advice element is included from eHerkenning 1.11 onwards, which contains the assertions of the AD and MR. It is possible to disable this for your connection. To do so, please contact technical support.
As of eHerkenning 1.9, service providers can request an AttributeConsumingServiceIndex with the AuthnRequest. This maps directly to the index of the service from the Service Catalogue.