Skip to main content
Skip table of contents

snippet.Interface specifications DV-HM response

For chain authorizations (Vervallen_Interface specifications HM-MR chain authorization), the identification number of the represented service consumer are included in the assertion for the HM in the same way as for single authorizations. The additional information about the chain is stored in a separate attribute.

Note: The HM will not identify the MRs from which the underlying assertions originate. Additional attributes relate to the represented service consumer or the user. There is no mechanism to include an additional attribute that relates specifically to an intermediary.

Element/@Attribute0..nDescription

@ID

1

SAML: Unique message characteristic. MUST identify the message uniquely within the scope of the sender and receiver for a period of at least 12 months.

@InResponseTo

1

SAML: Unique attribute of the AuthnRequest for which this Response message is the answer.

@Version

1

SAML: Version of the SAML protocol. The value MUST be '2.0'.

@IssueInstant

1

SAML: Time of issuing of the Response.

@Destination

1

SAML: URL of the endpoint of the DV on which the message is offered. MUST match the DV's metadata.

@Consent

0..1

Elektronische Toegangsdiensten: MAY be included. When Consent is included, the default value MUST contain urn:oasis:names:tc:SAML:2.0:consent:unspecified.

Issuer

1

Elektronische Toegangsdiensten: MUST contain the EntityID of the HM.

@NameQualifier0
Elektronische Toegangsdiensten: MUST NOT be included.
@SPNameQualifier0
Elektronische Toegangsdiensten: MUST NOT be included.
@Format0
Elektronische Toegangsdiensten: MUST NOT be included.
@SPProvidedID0
Elektronische Toegangsdiensten: MUST NOT be included.

Signature

0..1

Elektronische Toegangsdiensten: MUST contain the Digital signature of the HM for the enveloping message.

When communicated within a ArtifactResolveResponse the signature on the SAML:Response MAY be omitted, since the parent message already guarantees the integrity.

Extensions

0

Elektronische Toegangsdiensten: MUST NOT be included.

Status

1

Elektronische Toegangsdiensten: MUST contain a StatusCode element with the status of the authentication. See Error handling.

StatusCode

1SAML: MUST be present in a Status element.
@Value1

If not 'success' additional information should be provided. (conform Elektronische Toegangsdiensten specifications).

StatusCode0..1

Only present if top-level StatusCode is not 'success'.

@Value1

In the event of a cancellation or error, the element MUST be populated with the value AuthnFailed. See Error handling.

StatusMessage0..1

Only present if top-level StatusCode is not 'success'.

StatusDetail0

Elektronische Toegangsdiensten: MUST NOT be included.

Assertion

0..1

Elektronische Toegangsdiensten: MUST contain the <Assertion> that is delivered in the response, if the request was processed successfully. See below.

EncryptedAssertion0
Elektronische Toegangsdiensten: MUST NOT be included.

Example message

XML
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_5e702d5c-de06-11e4-a5a1-080027a35b78"
    InResponseTo="6984066c-de03-11e4-a571-080027a35b78"
    Version="2.0"
    Destination="https://..."
    IssueInstant="2015-04-08T16:30:06Z">
    <saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
    <ds:Signature>
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_5e702d5c-de06-11e4-a5a1-080027a35b78">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>...</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:KeyName>...</ds:KeyName>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion Version="2.0"
        ID="_535162e2-de06-11e4-98a2-080027a35b78"
        IssueInstant="2015-04-08T16:30:05Z">
        <saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
        ...
    </saml:Assertion>
</samlp:Response>

HM Summary assertion

This paragraph describes a HM summary <Assertion>

Element/@Attribute0..1Description

@ID

1

SAML: MUST identify the <Assertion> uniquely within the scope of the Issuer for a period of at least 12 months.

@Version

1

SAML: Version of the SAML protocol. The value MUST be '2.0'.

@IssueInstant

1

SAML: Time of issuing of the assertion.

Issuer

1

Elektronische Toegangsdiensten: MUST contain the EntityID of the HM

@NameQualifier0
Elektronische Toegangsdiensten: MUST NOT be included.
@SPNameQualifier0
Elektronische Toegangsdiensten: MUST NOT be included.
@Format0
Elektronische Toegangsdiensten: MUST NOT be included.
@SPProvidedID0
Elektronische Toegangsdiensten: MUST NOT be included.

Signature

1

Elektronische Toegangsdiensten: MUST contain the Digital signature of the Issuer (HM) for the enveloping Assertion.

Subject

1

Elektronische Toegangsdiensten: MUST be included.

BaseID0
Elektronische Toegangsdiensten: MUST NOT be included.
NameID0..1

Rules for processing request requires NameID to contain a TransientID or an ActingEntityID (DV connects to r1.09 or older, for older specifications see https://afsprakenstelsel.etoegang.nl/display/archief/Archief).

EncryptedID0..1

Elektronische Toegangsdiensten: MUST NOT be included.

SubjectConfirmation1...2SAML: Contains the SubjectConfirmation conform the WebSSO profile.

Other SubjectConfirmation or SubjectConfirmationData elements MUST NOT be included.

Conditions

1

Elektronische Toegangsdiensten: MUST be included.

@NotBefore1
Elektronische Toegangsdiensten: MUST be included.
@NotOnOrAfter0..1
Elektronische Toegangsdiensten: MAY be included.
Condition0
Elektronische Toegangsdiensten: MUST NOT be used.
AudienceRestriction1SAML: MUST be included.
Audience1
Elektronische Toegangsdiensten: Contains the EntityID(s) for all relevant parties that are intended to receive and process this assertion, as per SAML WebSSO profile. In case of Dienstbemiddeling (service intermediation), both the Dienstaanbieder (service supplier) and Dienstbemiddelaar (service intermediary) are a relevant party and must be listed as audience. For a Dienstaanbieder for whom only the OIN is known, the notation 'urn:etoegang:DV:<OIN>' is to be used.
ProxyRestriction0
Elektronische Toegangsdiensten: MUST NOT be included.

Advice

0..1

Elektronische Toegangsdiensten: SHOULD be included. See below under processing rules.

AssertionIDRef0
Elektronische Toegangsdiensten: MUST NOT be included.
AssertionURIRef0
Elektronische Toegangsdiensten: MUST NOT be included.
Assertion1
Elektronische Toegangsdiensten: Contains the original <Assertion> elements this assertion is composed of.
EncryptedAssertion0
Elektronische Toegangsdiensten: MUST NOT be included.

AuthnStatement

1

Elektronische Toegangsdiensten: MUST be included.

The AuthenticatingAuthority element MUST be populated with the EntityID of the AD that performed the authentication.

@AuthnInstant1

Elektronische Toegangsdiensten: MUST contain the time of authentication.

@SessionIndex0..1
Elektronische Toegangsdiensten: MAY be included.
AuthnContext1
Elektronische Toegangsdiensten: MUST be included.
AuthnContextClassRef1

Elektronische Toegangsdiensten: MUST be included. Contains either the value 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified' (default) or the obtained effective Level of assurance, see below under "rules for processing responses".

AttributeStatement

1

Elektronische Toegangsdiensten: MUST contain an <AttributeStatement> in accordance with the following section and the rules for processing responses.

Example HM Assertion

XML
<saml:Assertion Version="2.0"
    ID="_535162e2-de06-11e4-98a2-080027a35b78"
    IssueInstant="2015-04-08T16:30:05Z">
    <saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
    <ds:Signature>
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_535162e2-de06-11e4-98a2-080027a35b78">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>...</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:KeyName>...</ds:KeyName>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>        
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData Recipient="https://..." NotOnOrAfter="2015-04-08T16:40:03Z" InResponseTo="_6984066c-de03-11e4-a571-080027a35b78"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-04-08T16:29:04Z" NotOnOrAfter="2015-04-08T17:00:04Z">
        <saml:AudienceRestriction>
            <saml:Audience>urn:etoegang:DV:...</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:Advice>
        <saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
            <saml:Issuer>urn:etoegang:AD:...</saml:Issuer>
            <!-- Verbatim copy of AD declaration of identity contents -->
        </saml:Assertion>
    </saml:Advice>
    <saml:AuthnStatement AuthnInstant="2015-04-08T16:30:04Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        ...
    </saml:AttributeStatement>
</saml:Assertion>

Example HM Assertion for minimal DV request

XML
 <saml:Assertion Version="2.0"
    ID="_535162e2-de06-11e4-98a2-080027a35b78"
    IssueInstant="2015-04-08T16:30:05Z">
    <saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
    <ds:Signature>
        ...
    </ds:Signature>
    <saml:Subject>        
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData Recipient="https://..." NotOnOrAfter="2015-04-08T16:40:03Z" InResponseTo="_6984066c-de03-11e4-a571-080027a35b78"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-04-08T16:29:04Z" NotOnOrAfter="2015-04-08T17:00:04Z">
        <saml:AudienceRestriction>
            <saml:Audience>urn:etoegang:DV:...</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:Advice>
        <saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
            <saml:Issuer>urn:etoegang:AD:...</saml:Issuer>
            <!-- Verbatim copy of AD declaration of identity contents -->
        </saml:Assertion>
    </saml:Advice>
    <saml:AuthnStatement AuthnInstant="2015-04-08T16:30:04Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        ...
    </saml:AttributeStatement>
</saml:Assertion>

Example HM Assertion for Representation

XML
 Vraag het op bij de BO / Ask BO

Example HM Assertion for citizen domain

XML
 <saml:Assertion Version="2.0"
    ID="_535162e2-de06-11e4-98a2-080027a35b78"
    IssueInstant="2015-04-08T16:30:05Z">
    <saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
    <ds:Signature>
        ...
    </ds:Signature>
    <saml:Subject>       
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData Recipient="https://..." NotOnOrAfter="2015-04-08T16:40:03Z" InResponseTo="_6984066c-de03-11e4-a571-080027a35b78"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-04-08T16:29:04Z" NotOnOrAfter="2015-04-08T17:00:04Z">
        <saml:AudienceRestriction>
            <saml:Audience>urn:etoegang:DV:...</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:Advice>
        <saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
            <saml:Issuer>urn:etoegang:AD:...</saml:Issuer>
            <!-- Verbatim copy of AD declaration of identity contents -->
        </saml:Assertion>
        <saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
            <saml:Issuer>urn:etoegang:KR:...</saml:Issuer>
            <!-- Verbatim copy of KR declaration of sectoral identity contents -->
        </saml:Assertion>
    </saml:Advice>
    <saml:AuthnStatement AuthnInstant="2015-04-08T16:30:04Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        ...
    </saml:AttributeStatement>
</saml:Assertion>

Example - HM Assertion - eIDAS-OUT withService Intermediation

XML
<saml2:Assertion ID="_67d2200a8bd8401dc1b7274106731ca6" IssueInstant="2019-02-26T10:35:43.000Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:etoegang:HM:00000003271247010000:entities:7611</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_67d2200a8bd8401dc1b7274106731ca6">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue/>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:KeyName>f04a58c387f4f8b5f1fa3a614f79f073f3f08953</ds:KeyName>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ed3d5655-b6ee-47bf-87d5-fb77302e14b4</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml:SubjectConfirmationData InResponseTo="_d3fda417414c17b2667995961cf79fc5" NotOnOrAfter="2019-02-26T10:37:39Z" Recipient="https://brk.eid-tst.ad.nl/brk/HM1CServiceProvider" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml2:Conditions NotBefore="2019-02-26T10:35:43Z" NotOnOrAfter="2019-02-26T10:37:43Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:AudienceRestriction>
            <saml2:Audience>urn:etoegang:DV:00000001111111110000:entities:9113</saml2:Audience>
            <saml2:Audience>urn:etoegang:DV:00000002222222220000:entities:9613</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-04-08T16:30:07Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml2:Advice>
        <saml:Assertion IssueInstant="2019-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
            <saml:Issuer> urn:etoegang:AD:00000004444444445001:entities:9042</saml:Issuer>
            <!-- Verbatim copy of AD declaration of identity contents -->
        </saml:Assertion>
        <saml:Assertion IssueInstant="2019-04-08T16:30:07Z" ID="dd4dae83-0f35-4695-b24a-29d470a63ea7" Version="2.0">
            <saml:Issuer> urn:etoegang:MR:00000005555555555001:entities:9042</saml:Issuer>
            <!-- Verbatim copy of MR declaration of identity contents -->
        </saml:Assertion>
    </saml2:Advice>
    <saml2:AuthnStatement AuthnInstant="2019-02-26T10:35:43Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml2:AuthnContextClassRef>
            <saml2:AuthenticatingAuthority>urn:etoegang:AD:00000004444444445001:entities:9042</saml2:AuthenticatingAuthority>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        . . . . . 
    </saml2:AttributeStatement>
</saml2:Assertion>

Example HM assertion - Attribute Statement - eIDAS-OUT using Service Intermediation

XML
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="urn:etoegang:core:ServiceUUID">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">dafca82e-4806-408e-956e-3a7092643e54</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:etoegang:core:ServiceID">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:etoegang:DV:00000001111111110000:services:8002</saml2:AttributeValue>
    </saml2:Attribute>
    <saml:Attribute Name="urn:etoegang:core:Representation" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">true</saml:AttributeValue>
    </saml:Attribute>
    <!-- igv de service via de Service Catalog vraagt om een ServiceRestriction en de MR-->
    <!-- heeft een service restriction bij de machtiging. Vb restrictie op KvK Vestigingsnr-->
    <saml:Attribute Name="urn:etoegang:1.9:ServiceRestriction:Vestigingsnr">
        <saml:AttributeValue xsi:type="xs:string">123456789012</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:ActingSubjectID" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>
            <!-- # ActingSubjectID - BSN:VP@RVO (PseudoID voor de EB) -->
            <saml:EncrypedID>
                <xenc:EncryptedData Id="_cd52e15a16e2a0aa751725ce76a6b866" Type="http://www.w3.org/2001/04/xmlenc#Element">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                    <ds:KeyInfo>
                        <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"URI="#_15531f42aa31bbd4" />
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>...</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedData>
                <xenc:EncryptedKey Id="_15531f77a9f1e0b5e0cce442aa31bbd4" Recipient="urn:etoegang:DV:00000001111111110000:entities:9613">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:KeyName>...</ds:KeyName>
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>yRy923JJlgAi2MTgx1qohLiDBgi...</xenc:CipherValue>
                    </xenc:CipherData>
                    <xenc:ReferenceList>
                        <xenc:DataReference URI="#_cd52e15a16e2a0aa751725ce76a6b866" />
                    </xenc:ReferenceList>
                </xenc:EncryptedKey>
            </saml:EncrypedID>
        </saml:AttributeValue>
        <saml:AttributeValue>
            <!-- # ActingSubjectID - BSN:VI@RVIG (BSN voor BRP-Attributendienst)-->
            <saml:EncrypedID>
                <xenc:EncryptedData Id="_ed3457856888ad576a0aa751725ce76a6b866" Type="http://www.w3.org/2001/04/xmlenc#Element">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                    <ds:KeyInfo>
                        <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"URI="#_4567788aa31bbd4" />
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>...</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedData>
                <xenc:EncryptedKey Id="_15531f77a9f1e0b5e0cce442aa31bbd4" Recipient="urn:etoegang:DV:00000002222222220000">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:KeyName>...</ds:KeyName>
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>UtEw923JJlgAi2MTgx1qohLiDBgi...</xenc:CipherValue>
                    </xenc:CipherData>
                    <xenc:ReferenceList>
                        <xenc:DataReference URI="#_cd52e15a16e2a0aa751725ce76a6b866" />
                    </xenc:ReferenceList>
                </xenc:EncryptedKey>
            </saml:EncrypedID>
        </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:LegalSubjectID" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>
            <!-- # LegalSubjectID - KvK voor de EB)-->
            <saml:EncryptedID>
                <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_6bc1c98ef545444da370efd74371ff6f" Type="http://www.w3.org/2001/04/xmlenc#Element">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:RetrievalMethod URI="#_105e787ebce14ea2b6655adb4d736b86" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" />
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>lx922tGEfI9T7WgoduHAZ941XA....</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedData>
                <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_105e787ebce14ea2b6655adb4d736b86" Recipient="urn:etoegang:DV:00000001111111110000:entities:9613">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:KeyName>022A8DEA6C6F6CFA466BF18AF714F4CD0611DF3A4CAF23CF67B8BB8F7FC07CAF</ds:KeyName>
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>gNDIheioi3mgjeyCTviEXDui3.....</xenc:CipherValue>
                    </xenc:CipherData>
                    <xenc:ReferenceList>
                        <xenc:DataReference URI="#_6bc1c98ef545444da370efd74371ff6f" />
                    </xenc:ReferenceList>
                </xenc:EncryptedKey>
            </saml:EncryptedID>
        </saml:AttributeValue>
        <! # LegalSubjectID - Geen KvK voor de dienstaanbieder.>
    </saml:Attribute>
    <!-- # CompanyName werkgever voor de EB.-->
    <saml:EncryptedAttribute>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_67947663adfasdf9410780097b9bf2f04fa8" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            </xenc:EncryptionMethod>
            <ds:KeyInfo>
                <ds:KeyName>57890EA6C6F6CFA466BF18AF714F4CD0611DF3A4CAF23CF67B8BB8F7FC07CAF</ds:KeyName>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>WYuIOsaf1aNbZdRQPXepQjlw4Tg...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAttribute>
    <!-- # Optionele Bedrijfs attributen (CompanyName) voor de EB.-->
    <saml:EncryptedAttribute>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_6974a3dsdf9410780097b9bf2f04fa8" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            </xenc:EncryptionMethod>
            <!-- # EB should recognise KeyName.-->
            <ds:KeyInfo>
                <ds:KeyName>57890EA6C6F6CFA466BF18AF714F4CD0611DF3A4CAF23CF67B8BB8F7FC07CAF</ds:KeyName>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>WYuIOsaf1aNbZdRQPXepQjlw4Tg...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAttribute>
</saml2:AttributeStatement>



AttributeStatement

The <AttributeStatement> in the summary assertion MUST hold the relevant attribute values obtained in the assertions of the authentication process. The HM MUST NOT add any attributes that are not present in the gathered assertion. 

Element/@Attribute0..1Description

Attribute

0..n

Elektronische Toegangsdiensten

Depending on Rules for processing request:

  • One  ActingSubjectID's  with one or more Attribute Values containing an EncryptedID
  • One  LegalSubjectID with one or more Attribute Values containing an EncryptedID
  • One or more EntityConcernedID with one Attribute Value containing an ECTA (Identificerend Kenmerk)
  • ServiceID as multi-valued XACML attribute
  • exactly one IntermediateEntityID, containing exactly one Attribute Value with the identity identity urn:etoegang:1.9:IntermediateEntityID:KvKnr of Intermediate 
  • one or more ServiceRestrictions, eg ServiceRestriction:Vestigingsnr

In case of Ketenmachtiging, MUST contain the attribute IntermediateEntityID.

EncryptedAttribute0..n

Depending on Rules for processing request 

  • one or more EncryptedAttributes  requested by the DV and provided by the AD and/or MR


Example HM AttributeStatement for citizen domain

XML
<saml:AttributeStatement>
    <saml:Attribute Name="urn:etoegang:core:ServiceUUID">
        <saml:AttributeValue xsi:type="xs:string">1ff84f14-df64-11e4-ba1a-080027a35b78</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:AuthorizationRegistryID">
        <saml:AttributeValue xsi:type="xs:string">urn:etoegang:AD:...</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

Example HM AttributeStatement for consumer domain

XML
<saml:AttributeStatement>
    <saml:Attribute Name="urn:etoegang:core:ServiceUUID">
        <saml:AttributeValue xsi:type="xs:string">0013c492-84cd-4c4b-8206-b13007ac2a1c</saml:AttributeValue>
    </saml:Attribute>
    <saml:EncryptedAttribute>
        <xenc:EncryptedData Id="_copy_Encrypted_FirstName" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <ds:KeyInfo>
                <ds:Keyname>...</ds:Keyname>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAttribute>
    <saml:EncryptedAttribute>
        <xenc:EncryptedData Id="_copy_Encrypted_18OrOlder" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <ds:KeyInfo>
                <ds:Keyname>...</ds:Keyname>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAttribute>
</saml:AttributeStatement>

Example HM AttributeStatement for business domain

XML
<saml:AttributeStatement>
    <saml:Attribute Name="urn:etoegang:core:ServiceID">
        <saml:AttributeValue xsi:type="xs:string">urn:etoegang:DV:...:services:...</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:ServiceUUID">
        <saml:AttributeValue xsi:type="xs:string">dd4dae83-0f35-4695-b24a-29d470a63ea7</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:1.9:EntityConcernedID:KvKnr">
        <saml:AttributeValue xsi:type="xs:string">12345678</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:1.9:ServiceRestriction:Vestigingsnr">
        <saml:AttributeValue xsi:type="xs:string">123456789012</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

Example HM AttributeStatement for business domain with multiple entityconcernedtypes

XML
<saml:AttributeStatement>
    <saml:Attribute Name="urn:etoegang:core:ServiceID">
        <saml:AttributeValue xsi:type="xs:string">urn:etoegang:DV:...:services:...</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:ServiceUUID">
        <saml:AttributeValue xsi:type="xs:string">dd4dae83-0f35-4695-b24a-29d470a63ea7</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:1.9:EntityConcernedID:KvKnr">
        <saml:AttributeValue xsi:type="xs:string">12345678</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:1.9:EntityConcernedID:RSIN">         
        <saml:AttributeValue xsi:type="xs:string">987654321</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:1.9:ServiceRestriction:Vestigingsnr">
        <saml:AttributeValue xsi:type="xs:string">123456789012</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

Rules for processing responses

On a successful authentication the HM MUST generate a 'Summary Assertion' based on the Assertions gathered during the authentication process, using the following processing rules.

  • MUST sign the enclosed <Assertion> as well as the <Response> (and/or the enclosing <ArtifactResponse>).
  • MUST verify each collected assertion has at minimum the Level of Assurance as requested by the DV. If verification fails, MUST handle the received responses as an unrecoverable error.
  • MUST provide an <AuthnContextClassRef>:
    • By default fill the AuthnContextClassRef with the value 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'.
    • When a DV explicitly requests a detailed LoA by including an AuthnContextClassRef in its AuthnRequest (see above):

      The HM MUST communicate the effective Level of Assurance of the combined assertions. The effective Level of assurance is the minimum of the LoA of the Authentication assertion and (if applicable) the LoA of the Representation authorization assertion(s).

      The MR communicates two Levels of Assurance in its Assertion. A LevelOfAssurance (requested) and a LevelOfAssuranceUsed (actually obtained). The HM MUST use the LevelOfAssuranceUsed from the MR Assertion as the LoA of the Representation authorization.

      .

  • HM MUST provide an <Subject> with the following <NameID>
    • IF DV connects to r1.13 (or newer) AND non-represenation THEN copy AD-assertion: Subject.NameID.TransientID

    • IF DV connects to r1.13 (or newer) AND representation THEN copy MR-assertion: Subject.NameID.TransientID
    • IF DV connects to r1.11 (or older) THEN copy MR-assertion: XACMLAuthz-Decision.Subject.ActingEntityID
  • HM MUST provide an <AttributeStatement> with the following <Attributes> and <EncryptedAttributes>
    • IF DV connects to r1.13 (or newer) THEN
      • the HM must copy all relevant information (see Interface specifications DV-HM) from the below sources to the ActingSubjectID attribute:
        • MR-Assertion: XACMLAuthz-Decision.Subject.ActingSubjectID (EncryptedID) 
        • AD-assertion: Response.Assertion.AttributeStatement.ActingSubjectID. 
        • copy all relevant AD-assertion: AttributeStatement.EncryptedAttribute
    • IF Representation THEN 
      • IF DV connects to r1.13 (or newer) THEN
        • copy all relevant EncryptedID from MR-Assertion: XACMLAuthz-Decision.Subject.LegalSubjectID to <LegalSubjectID>
        • copy all relevant EncryptedID from MR-Assertion: XACMLAuthz-Decision.Subject.ActingSubjectID to <ActingSubjectID>  
        • copy all relevant  MR-assertion: XACMLAuthz-Decision.Resource.EncryptedAttribute
      • IF DV connects to r1.11 (or older) AND Representation THEN copy MR-assertion: XACMLAuthz-Decision.Resource.EntityConcernedID
      • copy MR-Assertion: XACMLAuthz-Decision.Statement.Request.Resource.ServiceID
      • IF available copy all MR-assertion: XACMLAuthz-Decision.Resource.ServiceRestrictions
      • IF Ketenmachtiging THEN copy MR2-Assertion: XACMLAuthz-Decision.Statement.Request.Resource.IntermediateEntityID
    • MUST provide an <Advice>, by default filled with verbatim copy of all Assertions – so that original signatures over the assertions remains verifiable – gathered during the authentication process. HM MAY offer their DV to omit this information, if they archive this information and allow for later retrieval.


NOTE: When copying encrypted XML elements (<EncryptedID>, <EncryptedAttribute>) to create the summary declaration the HM MUST substitute used XML identifiers to point at the EncryptedTypes for a guaranteed unique identifier. This MAY be accomplished by pre- or suffixing the used identifier in the copy.

(Rationale: @ID values must uniquely identify the elements which bear them. Identifiers that appear once in the summary assertion and once in the advice assertion(s) will break schema validation of assertions).

All relevant

all <EncryptedID> or <EncryptedAttribute> elements except those encrypted for MR

A receiving DV:

  • MUST verify the response matches with the Request responded to.
  • MUST validate the signature on the Assertion as well as the Response (and/or the enclosing ArtifactResponse). Message (elements) MUST be signed using a certificate as listed in the SAML metadata of the HM for the purpose of signing for an IDPSSODescriptor of the responding HM. (NB this should correspond to the certificate as published in the network metadata).
  • SHOULD verify the structure and contents of the Response.
  • SHOULD validate the signature and linking of the Evidence assertions.
  • In case the receiving DV is a Dienstbemiddelaar, the Dienstbemiddelaar MUST provide a verbatim copy of the assertion – so that original signatures over the assertions remains verifiable – to the Dienstaanbieder (service supplier).
  • IF the DV wants to decrypt urn:etoegang:1.12:EntityConcernedID:PseudoID or urn:etoegang:1.12:EntityConcernedID:BSN the DV must use preinstalled BSNk-keymaterial and software to obtain the actual identifier.
  • IF the DV receives a pseudonym THEN the DV SHOULD create a mapping from the obtained Pseudonym to a user account, rather than using the obtained pseudoniem directly as unique key for an account.
  • MUST decrypt an Encrypted Pseudonym or Encrypted Identity in the EncryptedID in the Attribute Statement of the Assertion using preinstalled keymaterial and software to obtain the actual identifier.
  • SHOULD create a mapping from the obtained identifier to a user account, rather than using the obtained identifier directly as unique key for an account. 
  • MUST be able to handle an EncryptedID and EncryptedAttribute encrypted with multiple PKI-certificates, possibly for Multiple Recipients* (see  SAML Encryption).


Multiple Recipients*

Handling multiple PKI-certificates (of the same recipient) is important for a decent PKI-certificate replacement proces and portal-request functionality. Handling multiple recipients is important for Service Intermediation functionality and for Robustness purposes (eg in case of copy errors at HM).

NB. HM should check DV ability of handling Multiple Recipients in the DV onboardingproces or handle Multiple Recipients on behalve of the DV!

LogoutRequest

For single logout, the Single Logout Profile that is part of the SAML 2.0 Web Browser SSO Profile is applied, although considering that the logout message is sent to the AD via the HM. Only supported, is the DV's LogoutRequest where the user chooses to log out from the AD. The DV should never expect a LogoutRequest or a LogoutResponse. The interface for this message is described below.

@ID

SAML: Unique message characteristic

@Version

SAML: Version of the SAML protocol. The value MUST be '2.0'.

@IssueInstant

SAML: Time the message was created

@Destination

SAML: URL of the HM on which the message is offered.

NameID

Elektronische Toegangsdiensten: MUST contain a NameID element with the transient from the Subject of the concomitant AD assertion. This MUST NOT contain any identifier of the user.

Issuer

Elektronische Toegangsdiensten: MUST contain the EntityID of the DV.

Signature

Elektronische Toegangsdiensten: MUST contain the Digital signature of the DV for the envelopping message.


RequestKeyMaterial

A PKIo-certificate of the DV is required, the PKIo-certificate MUST have a (extended) key usage that allows for keyEncipherment. If the DV may request a BSN, the PKIo-certificate MUST have a Subject.serialNumber containing the organizations OIN. 

ProvideKeyMaterial

The Herkenningsmakelaar MUST transfer the PKIo-encrypted key material to the DV unaltered. The HM will receive the DV-keys from the BSNk (see Interface specifications aux HM-BSNk - ProvideDVkeys).

The DV can decrypt the DV-keys using its private key corresponding with the PKIo-certificate used in the request.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.