Skip to main content
Skip table of contents

HM metadata for DV

Herkenningsmakelaar (HM)

Signing metadata MUST meet the requirements for signing SAML messages described Information security requirements.

Each EntityDescriptor element MUST contain the entityID and an additional version attribute and MUST NOT contain other SAML attributes. The version attribute contains the version of the interface specifications on which the entity communicates.

An IDPSSODescriptor element MUST contain the WantAuthnRequestsSigned XML attribute with value "true" and MUST NOT contain any other optional attributes.

For eIDAS-outbound the EB and BRP act as a Dienstverlener, so the HM must also provide the same information to them.

Metadata:

This section describes the layout of the metadata. Elements not listed in this table MUST NOT be included in the metadata.

Element/@Attribute0..nDescription

IDPSSODescriptor

1

Elektronische Toegangsdiensten: A Herkenningsmakelaar MUST include only one IDPSSODescriptor and MUST NOT include any other elements. An IDPSSODescriptor element MUST contain the WantAuthnRequestsSigned XML attribute with value "true" and MUST NOT contain any other optional attributes.

KeyDescriptor 1..nSAML: An IDPSSODescriptor element MUST contain one or more KeyDescriptor elements with the use XML attribute with value "signing" and one or more KeyDescriptor elements with the use XML attribute with the value "encryption". Every KeyDescriptor element marked for "signing" MUST contain a KeyName element and a valid PKIoverheid certificate with which the service provider its SAML messages and/or direct TLS connections can be authenticated. KeyDescriptors marked for "signing" are also the keys that will be used to specify the attesting Entity through Holder-of-Key-Subjectconfirmation in case of DienstBemiddeling. KeyDescriptors marked for "signing" MAY contain certificates other than PKIoverheid for authenticating direct TLS connections, as long as such certificates are valid and comply with the requirements in Secure connection.

Every KeyDescriptor element marked for "encryption" MUST contain a KeyName element and a valid PKIoverheid certificate to be used to encrypt IDs and attributes for the DV. Note: HMs must process all of the described KeyDescriptor elements. KeyName in the signatures and protocol messages indicates which certificate in the metadata is used for the signature.

ArtifactResolutionService1..n Elektronische toegangsdiensten: The ArtifactResolutionService MUST be implemented at least once per service.
  @Binding
  @LocationSAML:  The URL of the SAML endpoint
  @Index1SAML:  The index of the binding, MUST be unique for all ArtifactResolutionService elements
SingleLogoutService0..nElektronische Toegangsdiensten: MAY be implemented more than once. Describes the endpoint used to log the user out of its current session.
  @Binding1

SAML:  The binding parameter denotes the type of binding used. This is an urn relating to: http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

  @Location1SAML:  The URL of the SAML endpoint
SingleSignOnService1..n

Elektronische Toegangsdiensten: MUST contain at least one SingleSignOnService element for which the Binding attribute has the value urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

If the HM offers support for native apps through the OAuth2 protocol, the IDPSSODescriptor from the HM MUST contain one SingleSignonService element with a Binding attribute which has the value 'urn:etoegang:1.11:bindings:native-app', representing the endpoint supporting native apps using the OAuth2 protocol.

  @Binding1

SAML:  The binding parameter denotes the type of binding used. This is an urn relating to:http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

  @Location1SAML:  The URL of the SAML endpoint


Processing rules for the DV

  • The HM metadata MUST be validated by the DV
  • The DV MUST check if the endpoints in the location parameters are available.
  • The DV MAY skip validation of SingleSignOnService elements if they are not used
  • The DV MUST use the HM metadata if validation succeeds.


Example Herkenningsmakelaar

XML
...
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
...
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://..." index="0" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://...."/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://...."/>
    <md:SingleSignOnService Binding="urn:etoegang:1.11:binding:native-app" Location="https://...." />
 </md:IDPSSODescriptor>
...

Example

XML
...
<md:KeyDescriptor use="signing">
        <ds:KeyInfo>
              <ds:KeyName>
2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12
              </ds:KeyName>
              <ds:X509Data>
                  <ds:X509Certificate>
...
                   </ds:X509Certificate>
                </ds:X509Data>
          </ds:KeyInfo>
</md:KeyDescriptor>
...
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.