Service catalog
This chapter describes the format and publication of the Dienstencatalogus (DC) (service catalog).
The Service catalog holds the information of services offered by Dienstverleners (service providers). A DV can own one or more Service Definitions and one or more Service Instances:
A Service Definition has the elements to describe the functionality of the Service.
A Service Instance has the technical details for an implementation of the Service as operated by the Dienstverlener (DV).
In case of Dienstbemiddeling (Service Intermediation): The Service Instance of the Dienstbemiddelaar (DB) (Service Intermediary) references the Service Instance of the Dienstaanbieder (DA)(service supplier) by ServiceUUID, using the IntermediatedService.
Format
The service catalog MUST have the following format:
IssueInstant (time at which the service catalog was created)
Version (version of the service catalog in the format urn:etoegang:<scheme version>:service-catalogue:<omgeving>:<sequence number>.
Example: urn:etoegang:1.11:service-catalogue:T:1Signature (signature from the Beheerorganisatie (BO), Herkenningsmakelaar (HM) or Dienstverlener (DV)for authenticity, integrity and non-repudiation).
Per Dienstverlener:
IsPublic (attribute that indicates whether the service provider is in public)
ServiceProviderID (The service provider's OIN (government ID number)
OrganizationDisplayName (the name of the service provider as it MUST be displayed by participants, max 64 characters).
Per ServiceDefinition:
IsPublic (attribute that indicates whether the service is using eHerkenning in public)
ServiceUUID (a universally unique identifier that is used for registering entitlements. It is possible the same UUID is shared between multiple service providers, in that case they will use the same entitlement)
ServiceName (name of the service determined by the service provider, max 64 characters).
ServiceDescription (short description of the service determined by the service provider, max 1024 characters. MRs MAY use this text to help administrators determine the authorizations).
ServiceDescriptionURL (a URL of max 512 characters where a detailed description of the service can be found, determined by the service provider. MRs MAY include this link to help administrators determine the authorizations).
AuthnContextClassRef (assurance level that is required for the service, determined by the service provider)
HerkenningsmakelaarId (the OIN of the Herkenningsmakelaar (HM) that provides the service catalog entry for this service definition)
IsPortal - Optional attribute used to indicate if the ServiceDefinition is a portal service (IsPortal="true") or not (IsPortal="false" or not defined
Note:
IsPortal of an existing ServiceDefinition (or ServiceInstance) MUST NOT be switched from 'true' to 'false' (or isPortal not present) or vise versa
IF IsPortal="true" a mandate MUST NOT be registered
EntityConcernedTypesAllowed (multivalue entry with the different types of service consumers that are granted access to the service). In case multiple EntityConcernedTypes are defined, they are assigned to Identifier sets (for more information on identifier sets, see below).
ActingSubjectTypesAllowed (multivalue entry with the different types of acting subjects that are granted access to the service). In case multiple ActingSubjectTypes are defined, they are assigned to Identifier sets
Allowed ActingSubjectTypes are:
urn:etoegang:1.13:EntityConcernedID:Pseudo (is always included by default and MUST NOT be specified in the ActingSubjectTypesAllowed identifier set)
If the AD cannot deliver the ASTA, the AD will throw an error, see Interface specifications HM-AD
EntityConcernedTypesAllowed and ActingSubjectTypesAllowed are split in their own lists and MUST be processed accordingly.
The AD MUST process the ActingSubjectTypesAllowed list AND the EntityConcernedID:Pseudo
the MR and EB (in case of inbound authentication requests) MUST process the EntityConcernedTypesAllowed list
Both EntityConcernedTypesAllowed and ActingSubjectTypesAllowed are grouped in separate Identifier Sets. An identifier set is a cluster of identifier Types with the same set number.
Identifier Set MUST adhere to the following rule:
Identifiers MAY be used in multiple identifier sets
Identifier sets either only contain ASTA's or ECTA's
The ASTA's MUST NOT be requested by DV's, ONLY the EB and BRP MAY request ASTA's
ServiceRestrictionsAllowed - multivalue entry with the different types of ServiceRestrictions the Service Provider does support, the only valid restrictions are: ServiceRestriction:Vestigingsnr and ServiceRestriction:SubdossierNr (deprecated).
If a ServiceProvider indicates in the ServiceCatalog to support a specific ServiceRestriction THEN such a ServiceRestriction (when included in the authentication response) MUST be honored by the ServiceProvider
RequestedAttribute (multivalue entry with all the attributes that may be requested for this service)
PurposeStatement (a statement by the service provider why this attribute is requested, 1024 characters).
isRequired: For each requested attribute that is included, the service provider MAY use isRequired to indicate whether the attribute is required for the DV application to work properly. If isRequired is not defined, the default value 'false' is implied.
Per ServiceInstance:
IsPublic (attribute that indicates whether the service provider is in public)
ServiceID (an identifier of a service instance that is unique in the context of the service provider)
IsPortal (Optional attribute used to indicate if the service is a portal service or not. If the attribute is not present (or value="false"), the service is not a portal service.)
PortalForService (Optional element ONLY to be used for portal services (isPortal="true") to indicate what services are part of the portal. If the element is absent: all services for the ServiceProvider are part of this portal service.)
PortalForService MUST ONLY contain existing ServiceIDs referring to service(s) of the same ServiceProvider that the portal belongs to
PortalForService MUST NOT contain ServicesIDs referring to a service that is a Portal Service itself
It is NOT allowed to switch between IsPortal=false (or IsPortal not present) and IsPortal=true. Once a service is aggregated as non-portal service, it is not allowed to reuse the same ServiceDefinition ServiceUUID as portalservice
BsnkStructureVersion - Optional: This element is required when the ECTA or ASTA has a BSN or PseudoID, otherwise it MUST NOT be used. Value must be a valid BsnkStructureVersion (see BSNk confluence "1" or "2"). If no version is used, or if the BsnkStructureVersion is invalid, version 1 MUST be used.
BsnkRecipientKeySetVersion - Optional: This element is required when the ECTA set or ASTA set contains a BSN or PseudoID, otherwise it MUST NOT be used. Value must be identical to the RKSV as noted on the BSNk keys the ServiceProvider is using voor decrypting the BSN or PseudoID.
The old way of getting the recipientKeySetVersion (by retrieving this from the most recent certificate) MUST NOT be used after 1-1-2021.
IsPortal MUST have the same value as the IsPortal attribute in the ServiceDefinition referenced in InstanceOfService
IsPortal of an existing ServiceInstance (or ServiceDefinition) MUST NOT be switched from 'true' to 'false' (or isPortal not present) or vise versa
ServiceUUID (a universally unique identifier to allow identifying and referencing this instance)
InstanceOfService (a reference to a ServiceUUID of a Service definition being implemented. An InstanceOfService or IntermediatedService MUST be present)
IntermediatedService (a reference to a ServiceUUID of a Service instance in case Dienstbemiddeling
Note: Service Intermediation only available for eIDAS outbound) applies. An intermediating service MUST NOT reference a service instance that applies Dienstbemiddeling. The intermediated Service MAY have the same InstanceOfService and therefore only require one mandate.
ServiceURL (optional URL of max 512 characters where the service can be found).
PrivacyPolicyURL (a URL of max 512 characters where the privacy policy for this service can be found). Optional for Dienstbemiddeling services.
HerkenningsmakelaarId (the OIN of the Herkenningsmakelaar (HM)that provides the service catalog entry for this service instance)
AdditionalHerkenningsmakelaarId (multivalue entry with the OINs for the other HMs that provide this service)
SSOSupport (a boolean that indicates if the service supports SingleSignOn)
ServiceCertificate (Service provider's PKI certificate with a public key that can be used to encrypt requested attributes and IDs). This certificate MUST be a valid PKIoverheid certificate. Note that multiple certificates may be provided for cases like changing certificates. (Additonally: Signing certificates must NOT be used here but should be placed in the DV metadata for HM).
ServiceIntermediation (indication if intermediation of the service (Dienstbemiddeling) requires approval of the Service Provider, see AUC7 Proces verlenen toestemming dienstbemiddeling)
@intermediationAllowed (attribute indicating approval is required; possible values "noIntermediation" (default), "generalAvailable", "serviceProviderOnly", "requiresApproval")
ServiceIntermediationAllowed (optional, holds one or more OINs of any Dienstbemiddelaar allowed to intermediate a service if @intermediationAllowed has the value "requiresApproval").
IsPortal - Optional attribute used to indicate that the ServiceInstance is a portal service (IsPortal="true") or not (IsPortal="false" or not defined)
PortalForService - Optional element, ONLY used when isPortal="true", to indicate what service (ServiceInstances) are part of the portal. IF isPortal="true" AND PortalForService attribuut is absent THEN All (other) ServiceInstances for the ServiceProvider are part of this PortalForService.
PortalForService MUST NOT contain a Service of another ServiceProvider (a ServiceID with another OIN than the ServiceID of the ServiceInstance itself)
PortalForService MUST NOT contain a PortalService (a ServiceID referring to a ServiceInstance with IsPortal ="true")
PortalForService MUST NOT contain an IntermediatedService (a ServiceID referring to a ServiceInstance with an IntermediatedService attribuut)
Classifiers (optional, multivalued entry that allows for one or more classifications of a ServiceInstance)
Classifier (value indicating a particular classification applied for this SerivceInstance)
The following classifiers are defined:
Classifier | Description | Usage restrictions |
---|---|---|
PublicDomain | The ServiceInstance is operated by the Dienstverlener (Service Provider) to implement a service under a responsibility in the public domain. | The Dienstverlener MUST operate under "Artikel 1:1 Algemene Wet Bestuursrecht". Although a service in the public domain will typically request an urn:etoegang:1.12 or EntityConcernedID:RSIN, this is not mandatory. Other identifiers may be used by services classified as PublicDomain as well. Service requesting aforementioned identifiers typically do operate as a PublicDomain service. In case the ServiceInstance is classified as 'eIDAS-outbound' as well, the actual DV in another member state operates under an equivalent legislation and are requested as such via the eIDAS interoperability framework (eIDAS: SPType 'public'). |
eIDASinbound | The service is an eTD-service that is receptive to users from other eIDAS-member states. | Services that want to accept authentication and authorization through eIDAS MUST be classified as 'eIDAS-inbound'. Currently the eIDAS-berichtenservice only accepts messages in the public domain. Therefore a service must use BOTH classifiers 'eIDAS-inbound' AND 'PublicDomain' combined to connect effectively to eIDAS. |
eIDASoutbound | The service is a proxy for services in other member states under the eIDAS regulation. | The eIDAS-berichtenservice has proxy-services listed in the Service Catalog for services in other eIDAS-member states that may be accessed through eIDAS. These proxy services MUST be classified as 'eIDAS-outbound'. |
The elements OrganizationDisplayName, ServiceName, ServiceDescription, ServiceDescriptionURL, PurposeStatement, ServiceURL and PrivacyPolicyURL MAY be included for different languages.
Note: At this moment the use of ASTA-sets and Service Intermediation is limited to the EB for eIDAS Outgoing.
Any ServiceProvider interested in ServiceIntermediation or ASTA-sets should contact their HM for the proper procedure.
Any changes in ServiceIntermediation elements in the ServiceCatalog will not be propagated automatically.
Rules for processing Service Catalog
All ServiceUUIDs MUST be both global and temporal unique. The Beheerorganisatie MUST verify all UUIDs that are used are defined only once. Significant changes to a Service SHOULD result in a new distinct ServiceUUID. ServiceDefinitions with the same ServiceUUID are exempt from global uniqueness, these are shared services and MUST be identical (identical but excluding @IsPublic and HerkenningsmakelaarId).
Herkenningsmakelaar passes on the ServiceUUID of the ServiceInstance matching the requested combination of Dienstverlener- AttributeConsumingServiceIndex, or whatever other mechanic used in the bilateral DV-HM interface, in further authentication and attribute requests.
A receiving AD/MR/BSNk inspects the Service Catalogue to determine the exact authorization demands and relying parties for the requested ServiceInstance based upon the ServiceUUID. The following logic applies:
The ServiceUUID of the referenced ServiceDefinition is always used to determine the mandate/authorization demands.
The requested ServiceInstance always determine the relying entity (or entities) for the authorization request.
In case of service intermediation: a service instance references a service instance (rather than a service definition) via the IntermediatedService element.
In case of service intermediation: the service instance pointed to is considered the true relying party; the requesting party is merely an acceptable attesting entity (only to be included in subjectconfirmation HoK).
Participants MUST check the validity of the Service Certificate when using any attributes in the certficate.
In case of service intermediation; the approval verification MUST be based on the ServiceIntermediation element belonging to the referenced service instance. The following rules apply:
@intermediationAllowed | Processing rule |
---|---|
noIntermediation | Participants MUST NOT allow service intermediation for the Service (default) |
generalAvailable | Participants MUST allow service intermediation by any dienstverlener listed in the Service Catalog as service intermediary for the Service |
serviceProviderOnly | Participants MUST only allow the Service Provider itself to perform service intermediation (Dienstbemiddelaar = Dienstaanbieder) |
requiresApproval | Participants MUST allow only those Service Intermediaries that have their OIN listed under ServiceIntermediationAllowed to perform service intermediation for the Service |
Make sure to look at the rule relating to the use of BSN and minimal level of assurance mentioned in Betrouwbaarheidsniveaus
The XML schema of the Service Catalog below is currently not correct. Use it only as example.
A new initiative was started to automatically validate various XML-schemas, which always uses up-to-date XML-schemas.
XML schema Service Catalog
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:esc="urn:etoegang:1.13:service-catalog"
targetNamespace="urn:etoegang:1.13:service-catalog"
elementFormDefault="qualified"
attributeFormDefault="unqualified">
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
<xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"/>
<xs:import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"/>
<!--Elements-->
<xs:element name="ServiceDefinition" type="esc:ServiceDefinitionType" />
<xs:complexType name="ServiceDefinitionType">
<xs:sequence>
<xs:element ref="esc:ServiceUUID" />
<xs:element ref="esc:ServiceName" maxOccurs="unbounded"/>
<xs:element ref="esc:ServiceDescription" maxOccurs="unbounded"/>
<xs:element ref="esc:ServiceDescriptionURL" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="saml2:AuthnContextClassRef"/>
<xs:element ref="esc:HerkenningsmakelaarId"/>
<xs:element ref="esc:EntityConcernedTypesAllowed" minOccurs="1" maxOccurs="unbounded"/>
<xs:element ref="esc:ActingSubjectTypesAllowed" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="esc:ServiceRestrictionsAllowed" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="esc:RequestedAttribute" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute ref="esc:IsPublic" use="required"/>
<xs:attribute ref="esc:IsPortal" use="optional"/>
</xs:complexType>
<xs:element name="ServiceInstance" type="esc:ServiceInstanceType" />
<xs:complexType name="ServiceInstanceType">
<xs:sequence>
<xs:element ref="esc:ServiceID" minOccurs="1"/>
<xs:element ref="esc:ServiceUUID" />
<xs:element ref="esc:InstanceOfService" minOccurs="0" maxOccurs="1"/>
<xs:element ref="esc:IntermediatedService" minOccurs="0" maxOccurs="1"/>
<xs:element ref="esc:ServiceURL" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="esc:PrivacyPolicyURL" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="esc:HerkenningsmakelaarId"/>
<xs:element ref="esc:AdditionalHerkenningsmakelaarId" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="SSOSupport" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
<xs:element ref="esc:EntityConcernedTypesAllowed" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="esc:ServiceCertificate" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="esc:ServiceIntermediation" minOccurs="0" />
<xs:element ref="esc:Classifiers" minOccurs="0" />
<xs:element ref="esc:BsnkStructureVersion" minOccurs="0"/>
<xs:element ref="esc:BsnkRecipientKeySetVersion" minOccurs="0"/>
<xs:element ref="esc:PortalForService" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute ref="esc:IsPublic" use="required"/>
<xs:attribute ref="esc:IsPortal" use="optional"/>
</xs:complexType>
<xs:element name="ServiceCatalogue">
<xs:complexType>
<xs:sequence>
<xs:element ref="ds:Signature"/>
<xs:element ref="esc:ServiceProvider" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute ref="esc:IssueInstant" use="required"/>
<xs:attribute ref="esc:Version" use="required"/>
<xs:attribute name="ID" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="EntityConcernedTypesAllowed">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:anyURI">
<xs:attribute name="setNumber" type="xs:nonNegativeInteger" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="ActingSubjectTypesAllowed">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:anyURI">
<xs:attribute name="setNumber" type="xs:nonNegativeInteger" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="ServiceRestrictionsAllowed">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:anyURI"/>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="ServiceDescription">
<xs:complexType>
<xs:simpleContent>
<xs:restriction base="md:localizedNameType">
<xs:maxLength value="1024"/>
</xs:restriction>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="ServiceDescriptionURL">
<xs:complexType>
<xs:simpleContent>
<xs:restriction base="md:localizedURIType">
<xs:maxLength value="512"/>
</xs:restriction>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="ServiceURL">
<xs:complexType>
<xs:simpleContent>
<xs:restriction base="md:localizedURIType">
<xs:maxLength value="512"/>
</xs:restriction>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="PrivacyPolicyURL">
<xs:complexType>
<xs:simpleContent>
<xs:restriction base="md:localizedURIType">
<xs:maxLength value="512"/>
</xs:restriction>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="ServiceID" type="xs:anyURI"/>
<xs:element name="ServiceUUID" type="xs:string"/>
<xs:element name="BsnkStructureVersion" type="xs:string"/>
<xs:element name="BsnkRecipientKeySetVersion" type="xs:string"/>
<xs:element name="PortalForService" type="xs:anyURI"/>
<xs:element name="ServiceName">
<xs:complexType>
<xs:simpleContent>
<xs:restriction base="md:localizedNameType">
<xs:maxLength value="64"/>
</xs:restriction>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="ServiceProvider">
<xs:complexType>
<xs:sequence>
<xs:element ref="esc:ServiceProviderID"/>
<xs:element ref="esc:OrganizationDisplayName" maxOccurs="unbounded"/>
<xs:element ref="esc:ServiceDefinition" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="esc:ServiceInstance" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute ref="esc:IsPublic" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="ServiceProviderID" type="esc:OINType"/>
<xs:element name="RequestedAttribute" type="esc:RequestedAttributeType" />
<xs:complexType name="RequestedAttributeType">
<xs:complexContent>
<xs:extension base="md:RequestedAttributeType">
<xs:sequence>
<xs:element ref="esc:PurposeStatement" maxOccurs="unbounded"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:element name="PurposeStatement" type="esc:PurposeStatementType"/>
<xs:complexType name="PurposeStatementType">
<xs:simpleContent>
<xs:restriction base="md:localizedNameType">
<xs:maxLength value="1024" />
</xs:restriction>
</xs:simpleContent>
</xs:complexType>
<xs:element name="ServiceCertificate">
<xs:complexType>
<xs:sequence>
<xs:element ref="md:KeyDescriptor"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="HerkenningsmakelaarId" type="esc:OINType"/>
<xs:element name="AdditionalHerkenningsmakelaarId" type="esc:OINType"/>
<xs:element name="OrganizationDisplayName">
<xs:complexType>
<xs:simpleContent>
<xs:restriction base="md:localizedNameType">
<xs:maxLength value="64"/>
</xs:restriction>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="InstanceOfService" type="xs:string"/>
<xs:element name="IntermediatedService" type="xs:string"/>
<xs:element name="ServiceIntermediation">
<xs:complexType>
<xs:sequence>
<xs:element ref="esc:ServiceIntermediationAllowed" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="intermediationAllowed" type="esc:IntermediationAllowedType" default="noIntermediation"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="IntermediationAllowedType">
<xs:restriction base="xs:string">
<xs:enumeration value="noIntermediation"/>
<xs:enumeration value="generalAvailable"/>
<xs:enumeration value="serviceProviderOnly"/>
<xs:enumeration value="requiresApproval"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="ServiceIntermediationAllowed" type="esc:OINType"/>
<xs:simpleType name="OINType">
<xs:restriction base="xs:string">
<xs:pattern value="[0-9]{20}"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Classifiers" type="esc:ClassifiersType" />
<xs:complexType name="ClassifiersType">
<xs:sequence>
<xs:element name="Classifier" type="xs:string" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!--Attributes-->
<xs:attribute name="IssueInstant" type="xs:dateTime"/>
<xs:attribute name="IsPublic" type="xs:boolean"/>
<xs:attribute name="Version" type="xs:anyURI"/>
<xs:attribute name="IsPortal" type="xs:boolean"/>
</xs:schema>
XML example service catalog: 3 portal services
<?xml version="1.0" encoding="UTF-8"?>
<esc:ServiceProvider esc:IsPublic="true" xmlns:esc="urn:etoegang:1.13:service-catalog">
<esc:ServiceProviderID>00000003244440010000</esc:ServiceProviderID>
<esc:OrganizationDisplayName xml:lang="nl">Connectis</esc:OrganizationDisplayName>
<esc:ServiceDefinition esc:IsPublic="true">
<esc:ServiceUUID>4c331e1f-8da0-4fb2-9e04-306d3f1bc443</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">portaaldienst 0: all services for this ServiceProvider</esc:ServiceName>
...
</esc:ServiceDefinition>
<esc:ServiceDefinition esc:IsPublic="true" esc:IsPortal="true">
<esc:ServiceUUID>3e928926-b491-47b2-af37-cf7b5ef0f4bb</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">portaaldienst 1</esc:ServiceName>
...
</esc:ServiceDefinition>
<esc:ServiceDefinition esc:IsPublic="true" esc:IsPortal="true">
<esc:ServiceUUID>26d6dfa9-33b3-48e2-b620-0f564f5984c5</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">portaaldienst 2</esc:ServiceName>
</esc:ServiceDefinition>
...
ServiceDefinitions
...
<esc:ServiceInstance esc:IsPublic="true" esc:IsPortal="true">
<esc:ServiceID>urn:etoegang:DV:...:services:0</esc:ServiceID>
...
<esc:InstanceOfService>4c331e1f-8da0-4fb2-9e04-306d3f1bc443</esc:InstanceOfService>
...
</esc:ServiceInstance>
<esc:ServiceInstance esc:IsPublic="true" esc:IsPortal="true">
<esc:ServiceID>urn:etoegang:DV:...:services:1</esc:ServiceID>
...
<esc:InstanceOfService>3e928926-b491-47b2-af37-cf7b5ef0f4bb</esc:InstanceOfService>
<esc:portalForService>urn:etoegang:DV:...:services:3</esc:portalForService>
<esc:portalForService>urn:etoegang:DV:...:services:4</esc:portalForService>
...
</esc:ServiceInstance>
<esc:ServiceInstance esc:IsPublic="true" esc:IsPortal="true">
<esc:ServiceID>urn:etoegang:DV:...:services:2</esc:ServiceID>
...
<esc:InstanceOfService>26d6dfa9-33b3-48e2-b620-0f564f5984c5</esc:InstanceOfService>
<esc:portalForService>urn:etoegang:DV:...:services:4</esc:portalForService>
<esc:portalForService>urn:etoegang:DV:...:services:5</esc:portalForService>
...
</esc:ServiceInstance>
...
ServiceInstances
...
</esc:ServiceProvider>
Example Service Catalog with one service
<?xml version="1.0" encoding="UTF-8"?>
<esc:ServiceCatalogue xmlns:esc="urn:etoegang:1.11:service-catalog" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" esc:IssueInstant="2015-12-28T10:19:57Z" esc:Version="urn:etoegang:1.11:service-catalogue:P:506" ID="_dc">
<ds:Signature>...</ds:Signature>
<esc:ServiceProvider esc:IsPublic="true">
<esc:ServiceProviderID>99999999000000000099</esc:ServiceProviderID>
<esc:OrganizationDisplayName xml:lang="nl">Voorbeeld DV</esc:OrganizationDisplayName>
<esc:OrganizationDisplayName xml:lang="en">Example SP</esc:OrganizationDisplayName>
<esc:ServiceDefinition esc:IsPublic="true">
<esc:ServiceUUID>6bae98e3-5ef9-4576-98c8-5aba4b8e672d</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">Voorbeelddienst</esc:ServiceName>
<esc:ServiceName xml:lang="en">Example Service</esc:ServiceName>
<esc:ServiceDescription xml:lang="nl">Voorbeelddienst (attributen LoA3)</esc:ServiceDescription>
<esc:ServiceDescription xml:lang="en">Example Service (attributes LoA3)</esc:ServiceDescription>
<esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:EntityConcernedTypesAllowed>urn:etoegang:1.9:EntityConcernedID:Pseudo</esc:EntityConcernedTypesAllowed>
<esc:RequestedAttribute Name="urn:etoegang:1.9:attribute:FirstName" isRequired="false">
<esc:PurposeStatement xml:lang="nl">Om voornaam te kunnen testen...</esc:PurposeStatement>
<esc:PurposeStatement xml:lang="en">For testing Firstname...</esc:PurposeStatement>
</esc:RequestedAttribute>
<esc:RequestedAttribute Name="urn:etoegang:1.9:attribute:Initials" isRequired="false">
<esc:PurposeStatement xml:lang="nl">Om initialen te kunnen testen...</esc:PurposeStatement>
<esc:PurposeStatement xml:lang="en">For testing initials</esc:PurposeStatement>
</esc:RequestedAttribute>
<esc:RequestedAttribute Name="urn:etoegang:1.9:attribute:FamilyName" isRequired="true">
<esc:PurposeStatement xml:lang="nl">Om achternaam te kunnen testen...</esc:PurposeStatement>
<esc:PurposeStatement xml:lang="en">For testing family name...</esc:PurposeStatement>
</esc:RequestedAttribute>
<esc:RequestedAttribute Name="urn:etoegang:1.9:attribute:DateOfBirth" isRequired="true">
<esc:PurposeStatement xml:lang="nl">Om geboortedatum te kunnen testen...</esc:PurposeStatement>
<esc:PurposeStatement xml:lang="en">For testing birthdate...</esc:PurposeStatement>
</esc:RequestedAttribute>
</esc:ServiceDefinition>
<esc:ServiceInstance esc:IsPublic="true">
<esc:ServiceID>urn:etoegang:DV:99999999000000000099:services:9999</esc:ServiceID>
<esc:ServiceUUID>9adfede3-eda5-4385-b938-9ccb954b2ad5</esc:ServiceUUID>
<esc:InstanceOfService>6bae98e3-5ef9-4576-98c8-5aba4b8e672d</esc:InstanceOfService>
<esc:ServiceURL xml:lang="nl">http://example.nl</esc:ServiceURL>
<esc:ServiceURL xml:lang="en">http://example.com</esc:ServiceURL>
<esc:PrivacyPolicyURL xml:lang="nl">http://example.etoegang.nl/privacy.html</esc:PrivacyPolicyURL>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:SSOSupport>false</esc:SSOSupport>
<esc:ServiceCertificate>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
</esc:ServiceCertificate>
</esc:ServiceInstance>
</esc:ServiceProvider>
</esc:ServiceCatalogue>
Example Service with service intermediation
...
<esc:ServiceProvider esc:IsPublic="true">
<esc:ServiceProviderID>99999999000000000098</esc:ServiceProviderID>
<esc:OrganizationDisplayName xml:lang="nl">Voorbeeld DV</esc:OrganizationDisplayName>
<esc:OrganizationDisplayName xml:lang="en">Example SP</esc:OrganizationDisplayName>
<esc:ServiceDefinition esc:IsPublic="true">
<esc:ServiceUUID>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">Voorbeelddienst</esc:ServiceName>
<esc:ServiceName xml:lang="en">Example Service</esc:ServiceName>
<esc:ServiceDescription xml:lang="nl">Voorbeelddienst (BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescription xml:lang="en">Example Service (BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:EntityConcernedTypesAllowed>urn:etoegang:1.12:EntityConcernedID:BSN</esc:EntityConcernedTypesAllowed>
</esc:ServiceDefinition>
<esc:ServiceInstance esc:IsPublic="true">
<esc:ServiceID>urn:etoegang:DV:99999999000000000098:services:9998</esc:ServiceID>
<esc:ServiceUUID>94148585-90e3-467e-be43-5f5270326215</esc:ServiceUUID>
<esc:InstanceOfService>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:InstanceOfService>
<esc:ServiceURL xml:lang="nl">http://example.nl</esc:ServiceURL>
<esc:PrivacyPolicyURL xml:lang="nl">http://example.etoegang.nl/privacy.html</esc:PrivacyPolicyURL>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:SSOSupport>false</esc:SSOSupport>
<esc:ServiceCertificate>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
</esc:ServiceCertificate>
<esc:ServiceIntermediation intermediationAllowed="requiresApproval">
<esc:ServiceIntermediationAllowed>99999999000000000098</esc:ServiceIntermediationAllowed>
<esc:ServiceIntermediationAllowed>99999999000000000097</esc:ServiceIntermediationAllowed>
</esc:ServiceIntermediation>
</esc:ServiceInstance>
</esc:ServiceProvider>
<esc:ServiceProvider esc:IsPublic="true">
<esc:ServiceProviderID>99999999000000000097</esc:ServiceProviderID>
<esc:OrganizationDisplayName xml:lang="nl">Voorbeeld Dienstbemiddelaar</esc:OrganizationDisplayName>
<esc:OrganizationDisplayName xml:lang="en">Example Service Intemediary</esc:OrganizationDisplayName>
<esc:ServiceInstance esc:IsPublic="true">
<esc:ServiceID>urn:etoegang:DV:99999999000000000097:services:9997</esc:ServiceID>
<esc:ServiceUUID>71dccfdd-2d4f-44e5-b03d-01c6580fad80</esc:ServiceUUID>
<esc:IntermediatedService>94148585-90e3-467e-be43-5f5270326215</esc:IntermediatedService>
<esc:ServiceURL xml:lang="en">http://example.com</esc:ServiceURL>
<esc:PrivacyPolicyURL xml:lang="en">http://example.etoegang.nl/privacy_en.html</esc:PrivacyPolicyURL>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:SSOSupport>false</esc:SSOSupport>
<esc:ServiceCertificate>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
</esc:ServiceCertificate>
</esc:ServiceInstance>
</esc:ServiceProvider>
...
Example Service with one EntityConcernedType
...
<esc:ServiceDefinition esc:IsPublic="true">
<esc:ServiceUUID>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">Voorbeelddienst</esc:ServiceName>
<esc:ServiceName xml:lang="en">Example Service</esc:ServiceName>
<esc:ServiceDescription xml:lang="nl">Voorbeelddienst (BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescription xml:lang="en">Example Service (BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:EntityConcernedTypesAllowed setNumber="1">urn:etoegang:1.12:EntityConcernedID:PseudoID</esc:EntityConcernedTypesAllowed>
</esc:ServiceDefinition>
...
Example Service with two EntityConcernedTypes simultaniously
...
<esc:ServiceDefinition esc:IsPublic="true">
<esc:ServiceUUID>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">Voorbeelddienst</esc:ServiceName>
<esc:ServiceName xml:lang="en">Example Service</esc:ServiceName>
<esc:ServiceDescription xml:lang="nl">Voorbeelddienst (BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescription xml:lang="en">Example Service (BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:EntityConcernedTypesAllowed setNumber="1">urn:etoegang:1.9:EntityConcernedID:RSIN</esc:EntityConcernedTypesAllowed>
<esc:EntityConcernedTypesAllowed setNumber="1">urn:etoegang:1.9:EntityConcernedID:KvKnr</esc:EntityConcernedTypesAllowed>
</esc:ServiceDefinition>
...
Example Service with twoEntityConcernedTypes as alternatives
...
<esc:ServiceDefinition esc:IsPublic="true">
<esc:ServiceUUID>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">Voorbeelddienst</esc:ServiceName>
<esc:ServiceName xml:lang="en">Example Service</esc:ServiceName>
<esc:ServiceDescription xml:lang="nl">Voorbeelddienst (BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescription xml:lang="en">Example Service (BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:EntityConcernedTypesAllowed setNumber="1">urn:etoegang:1.9:EntityConcernedID:RSIN</esc:EntityConcernedTypesAllowed>
<esc:EntityConcernedTypesAllowed setNumber="2">urn:etoegang:1.9:EntityConcernedID:KvKnr</esc:EntityConcernedTypesAllowed>
</esc:ServiceDefinition>
...
Example Service with multiple Identifier sets
...
<esc:ServiceDefinition esc:IsPublic="true">
<esc:ServiceUUID>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">Voorbeelddienst</esc:ServiceName>
<esc:ServiceName xml:lang="en">Example Service</esc:ServiceName>
<esc:ServiceDescription xml:lang="nl">Voorbeelddienst (BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescription xml:lang="en">Example Service (BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:EntityConcernedTypesAllowed setNumber="1">urn:etoegang:1.9:EntityConcernedID:RSIN</esc:EntityConcernedTypesAllowed>
<esc:EntityConcernedTypesAllowed setNumber="1">urn:etoegang:1.9:EntityConcernedID:KvKnr</esc:EntityConcernedTypesAllowed>
<esc:EntityConcernedTypesAllowed setNumber="2">urn:etoegang:1.12:EntityConcernedID:BSN</esc:EntityConcernedTypesAllowed>
<esc:EntityConcernedTypesAllowed setNumber="2">urn:etoegang:1.9:EntityConcernedID:KvKnr</esc:EntityConcernedTypesAllowed>
</esc:ServiceDefinition>
...
Example Service Accessible for EU-citizens via eIDAS
...
<esc:ServiceProvider esc:IsPublic="true">
<esc:ServiceProviderID>99999999000000000099</esc:ServiceProviderID>
<esc:OrganizationDisplayName xml:lang="nl">Voorbeeld DV</esc:OrganizationDisplayName>
<esc:OrganizationDisplayName xml:lang="en">Example SP</esc:OrganizationDisplayName>
<esc:ServiceDefinition esc:IsPublic="true">
<esc:ServiceUUID>c230649d-647d-4289-80c7-b0297e3e6a29</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">Voorbeelddienst EU-ready</esc:ServiceName>
<esc:ServiceName xml:lang="en">Example Service EU-ready</esc:ServiceName>
<esc:ServiceDescription xml:lang="nl">Voorbeelddienst (BSN LoA3) die open staat voor EU-burgers via eIDAS</esc:ServiceDescription>
<esc:ServiceDescription xml:lang="en">Example Service (BSN LoA3) available for EU-citizens eIDAS</esc:ServiceDescription>
<esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:EntityConcernedTypesAllowed>urn:etoegang:1.12:EntityConcernedID:BSN</esc:EntityConcernedTypesAllowed>
</esc:ServiceDefinition>
<esc:ServiceInstance esc:IsPublic="true">
<esc:ServiceID>urn:etoegang:DV:99999999000000000099:services:9994</esc:ServiceID>
<esc:ServiceUUID>fabce53f-7ba6-44d7-aa75-789ec56431ad</esc:ServiceUUID>
<esc:InstanceOfService>c230649d-647d-4289-80c7-b0297e3e6a29</esc:InstanceOfService>
<esc:ServiceURL xml:lang="nl">http://example.nl</esc:ServiceURL>
<esc:ServiceURL xml:lang="en">http://example.com</esc:ServiceURL>
<esc:PrivacyPolicyURL xml:lang="nl">http://example.etoegang.nl/privacy.html</esc:PrivacyPolicyURL>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:SSOSupport>false</esc:SSOSupport>
<esc:ServiceCertificate>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
</esc:ServiceCertificate>
<esc:Classifiers>
<esc:Classifier>PublicDomain</esc:Classifier>
<esc:Classifier>eIDAS-inbound</esc:Classifier>
</esc:Classifiers>
<esc:BsnkStructureVersion>2</esc:BsnkStructureVersion>
<esc:BsnkRecipientKeySetVersion>20201231</esc:BsnkRecipientKeySetVersion>
</esc:ServiceInstance>
<esc:ServiceInstance esc:IsPublic="true">
<esc:ServiceID>urn:etoegang:DV:99999999000000000099:services:9993</esc:ServiceID>
<esc:ServiceUUID>128d0878-2bc7-4400-9068-8427c5abeb47</esc:ServiceUUID>
<esc:InstanceOfService>c230649d-647d-4289-80c7-b0297e3e6a29</esc:InstanceOfService>
<esc:ServiceURL xml:lang="nl">http://app.example.nl</esc:ServiceURL>
<esc:ServiceURL xml:lang="en">http://app.example.com</esc:ServiceURL>
<esc:PrivacyPolicyURL xml:lang="nl">http://example.etoegang.nl/app/privacy.html</esc:PrivacyPolicyURL>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:SSOSupport>false</esc:SSOSupport>
<esc:ServiceCertificate>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
</esc:ServiceCertificate>
<esc:Classifiers>
<esc:Classifier>PublicDomain</esc:Classifier>
<esc:Classifier>eIDAS-inbound</esc:Classifier>
</esc:Classifiers>
<esc:BsnkStructureVersion>2</esc:BsnkStructureVersion>
<esc:BsnkRecipientKeySetVersion>20201231</esc:BsnkRecipientKeySetVersion>
</esc:ServiceInstance>
</esc:ServiceProvider>
...
Example: Service Intermediation for eIDAS-UIT - EB intermediates BRP
...
<esc:ServiceProvider>
<esc:ServiceProviderID>99999999000000000098</esc:ServiceProviderID>
<esc:OrganizationDisplayName xml:lang="nl">BRP</esc:OrganizationDisplayName>
<esc:OrganizationDisplayName xml:lang="en">BRP</esc:OrganizationDisplayName>
<esc:ServiceDefinition>
<esc:ServiceUUID>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">Verstrekken BRP-attributen</esc:ServiceName>
<esc:ServiceName xml:lang="en">Verstrekken BRP-attributen</esc:ServiceName>
<esc:ServiceDescription xml:lang="nl">Verstrekken BRP-attributen tbv EU inlog </esc:ServiceDescription>
<esc:ServiceDescription xml:lang="en">Verstrekken BRP-attributen tbv EU inlog </esc:ServiceDescription>
<esc:ServiceDescriptionURL xml:lang="nl">http://eb-toelichting.rvo.nl</esc:ServiceDescriptionURL>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:EntityConcernedTypesAllowed setNumber="1">urn:etoegang:1.9:EntityConcernedID:KvKnr</esc:EntityConcernedTypesAllowed>
<esc:ActingSubjectTypesAllowed setNumber="1">urn:etoegang:1.12:EntityConcernedID:BSN</esc:ActingSubjectTypesAllowed>
</esc:ServiceDefinition>
<esc:ServiceInstance>
<esc:ServiceID>urn:etoegang:DV:99999999000000000098:services:9998</esc:ServiceID>
<esc:ServiceUUID>94148585-90e3-467e-be43-5f5270326215</esc:ServiceUUID>
<esc:InstanceOfService>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:InstanceOfService>
<esc:ServiceURL xml:lang="nl">http://attrdienst.brp.nl</esc:ServiceURL>
<esc:PrivacyPolicyURL xml:lang="nl">http://statement.brp.nl/privacy.html</esc:PrivacyPolicyURL>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:SSOSupport>false</esc:SSOSupport>
<esc:ServiceCertificate>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
</esc:ServiceCertificate>
<esc:ServiceIntermediation intermediationAllowed="requiresApproval">
<esc:ServiceIntermediationAllowed>99999999000000000097</esc:ServiceIntermediationAllowed>
</esc:ServiceIntermediation>
<esc:Classifiers>
<esc:Classifier>eIDAS-outbound</esc:Classifier>
</esc:Classifiers>
<esc:BsnkStructureVersion>2</esc:BsnkStructureVersion>
<esc:BsnkRecipientKeySetVersion>20201231</esc:BsnkRecipientKeySetVersion>
</esc:ServiceInstance>
</esc:ServiceProvider>
<esc:ServiceProvider>
<esc:ServiceProviderID>99999999000000000097</esc:ServiceProviderID>
<esc:OrganizationDisplayName xml:lang="nl">NL EU-knooppunt</esc:OrganizationDisplayName>
<esc:OrganizationDisplayName xml:lang="en">NL EU-knooppunt</esc:OrganizationDisplayName>
<esc:ServiceDefinition>
<esc:ServiceUUID>hj67b0d3-eb48-4836-a9a4-fde50e32ac89</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">Duitsland-overheid</esc:ServiceName>
<esc:ServiceName xml:lang="en">Germany Public service</esc:ServiceName>
<esc:ServiceDescription xml:lang="nl">Duitsland-overheid (BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescription xml:lang="en">Germany Public service(BSN LoA3)</esc:ServiceDescription>
<esc:ServiceDescriptionURL xml:lang="nl">http://eb-toelichting.rvo.nl</esc:ServiceDescriptionURL>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:EntityConcernedTypesAllowed setNumber="1">urn:etoegang:1.9:EntityConcernedID:KvK</esc:EntityConcernedTypesAllowed>
<esc:ActingSubjectTypesAllowed setNumber="1">urn:etoegang:1.12:EntityConcernedID:PseudoID</esc:ActingSubjectTypesAllowed>
</esc:ServiceDefinition>
<esc:ServiceInstance>
<esc:ServiceID>urn:etoegang:DV:99999999000000000097:services:9997</esc:ServiceID>
<esc:ServiceUUID>71dccfdd-2d4f-44e5-b03d-01c6580fad80</esc:ServiceUUID>
<esc:InstanceOfService>hj67b0d3-eb48-4836-a9a4-fde50e32ac89</esc:InstanceOfService>
<esc:IntermediatedService>94148585-90e3-467e-be43-5f5270326215</esc:IntermediatedService>
<esc:ServiceURL xml:lang="en">http://example.com</esc:ServiceURL>
<esc:PrivacyPolicyURL xml:lang="en">http://example.etoegang.nl/privacy_en.html</esc:PrivacyPolicyURL>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:SSOSupport>false</esc:SSOSupport>
<esc:ServiceCertificate>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
</esc:ServiceCertificate>
<esc:Classifiers>
<esc:Classifier>eIDAS-outbound</esc:Classifier>
</esc:Classifiers>
<esc:BsnkStructureVersion>2</esc:BsnkStructureVersion>
<esc:BsnkRecipientKeySetVersion>20201231</esc:BsnkRecipientKeySetVersion>
</esc:ServiceInstance>
</esc:ServiceProvider>
...
Example: Service Intermediation: Intermediate Service and Intermediairy Service have the same InstanceOfService (and therefore only require one mandate)
...
<esc:ServiceProvider>
<esc:ServiceProviderID>99999999000000000098</esc:ServiceProviderID>
<esc:OrganizationDisplayName xml:lang="nl">Naam DienstAanbieder</esc:OrganizationDisplayName>
<esc:OrganizationDisplayName xml:lang="en">Name Intermediated ServiceProvider</esc:OrganizationDisplayName>
<esc:ServiceDefinition>
<esc:ServiceUUID>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:ServiceUUID>
<esc:ServiceName xml:lang="nl">Naam Bemiddelde Dienst</esc:ServiceName>
<esc:ServiceName xml:lang="en">Name Intermediated Service</esc:ServiceName>
<esc:ServiceDescription xml:lang="nl">Beschrijving Bemiddelde Dienst</esc:ServiceDescription>
<esc:ServiceDescription xml:lang="en">Description Intermedated Service</esc:ServiceDescription>
<esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl/</esc:ServiceDescriptionURL>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:EntityConcernedTypesAllowed setNumber="1">urn:etoegang:1.9:EntityConcernedID:KvKnr</esc:EntityConcernedTypesAllowed>
</esc:ServiceDefinition>
<esc:ServiceInstance>
<esc:ServiceID>urn:etoegang:DV:99999999000000000098:services:9998</esc:ServiceID>
<esc:ServiceUUID>94148585-90e3-467e-be43-5f5270326215</esc:ServiceUUID>
<esc:InstanceOfService>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:InstanceOfService>
<esc:ServiceURL xml:lang="nl">http://example.nl/</esc:ServiceURL>
<esc:PrivacyPolicyURL xml:lang="nl">http://example.etoegang.nl/privacy.html</esc:PrivacyPolicyURL>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:SSOSupport>false</esc:SSOSupport>
<esc:ServiceCertificate>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
</esc:ServiceCertificate>
<esc:ServiceIntermediation intermediationAllowed="requiresApproval">
<esc:ServiceIntermediationAllowed>99999999000000000097</esc:ServiceIntermediationAllowed>
</esc:ServiceIntermediation>
</esc:ServiceInstance>
</esc:ServiceProvider>
<esc:ServiceProvider>
<esc:ServiceProviderID>99999999000000000097</esc:ServiceProviderID>
<esc:OrganizationDisplayName xml:lang="nl">DV Naam</esc:OrganizationDisplayName>
<esc:OrganizationDisplayName xml:lang="en">SP Name</esc:OrganizationDisplayName>
<esc:ServiceInstance>
<esc:ServiceID>urn:etoegang:DV:99999999000000000097:services:9997</esc:ServiceID>
<esc:ServiceUUID>71dccfdd-2d4f-44e5-b03d-01c6580fad80</esc:ServiceUUID>
<esc:InstanceOfService>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:InstanceOfService>
<esc:IntermediatedService>94148585-90e3-467e-be43-5f5270326215</esc:IntermediatedService>
<esc:ServiceURL xml:lang="en">http://example.com</esc:ServiceURL>
<esc:PrivacyPolicyURL xml:lang="en">http://example.etoegang.nl/privacy_en.html</esc:PrivacyPolicyURL>
<esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
<esc:SSOSupport>false</esc:SSOSupport>
<esc:ServiceCertificate>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
</esc:ServiceCertificate>
</esc:ServiceInstance>
</esc:ServiceProvider>
...
The use of BsnkRecipientKeySetVersion for BSNk-tranformation service is added tot AUC10.2 (see AUC10.2 Machtigingenregister of Authenticatiedienst gebruikt BSNk transformatie functie)
The use of BsnkStructureVersion to select the appropriate BSNk-tranformation service is added tot AUC10.2 (see AUC10.2 Machtigingenregister of Authenticatiedienst gebruikt BSNk transformatie functie)
Publication
The Beheerorganisatie publishes the service catalog at a predetermined location. Before it is published, the service catalog is sorted by HerkenningsmakelaarId and then by the ServiceID.
A participant MUST process the service catalog according to Proces doorvoeren nieuwe dienstencatalogus.