This chapter describes the format and publication of the Dienstencatalogus (DC) (service catalog).The Service catalog holds the information of services offered by Dienstverleners (service providers). A DV can own one or more Service Definitions and one or more Service Instances:
- A Service Definition has the elements to describe the functionality of the Service.
- A Service Instance has the technical details for an implementation of the Service as operated by the Dienstverlener (DV).
In case of Dienstbemiddeling (Service Intermediation): The Service Instance of the Dienstbemiddelaar (DB) (Service Intermediary) references the Service Instance of the Dienstaanbieder (DA) (service supplier) by ServiceUUID, using the IntermediatedService.
In case of an Ondertekendienst (OD) (Signing service): The Service Instance of the Ondertekendienst (OD) references the Service Instance of the Dienstverlener (DV) by ServiceUUID, using the OndertekendienstForService.
The service catalog MUST have the following format:
- IssueInstant (time at which the service catalog was created)
- Version (version of the service catalog in the format urn:etoegang:<scheme version >:service-catalogue:<omgeving><sequence number>.
- Signature (signature from the Beheerorganisatie (BO), Herkenningsmakelaar (HM) or Dienstverlener (DV) for authenticity, integrity and non-repudiation).
- Per Dienstverlener:
- IsPublic (attribute that indicates whether the service provider is in public)
- ServiceProviderID (The service provider's OIN (government ID number)
- OrganizationDisplayName (the name of the service provider as it MUST be displayed by participants, max 64 characters).
- Per ServiceDefinition:
- IsPublic (attribute that indicates whether the service is using eHerkenning in public)
- ServiceUUID (a universally unique identifier that is used for registering entitlements. It is possible the same UUID is shared between multiple service providers, in that case they will use the same entitlement)
- ServiceName (name of the service determined by the service provider, max 64 characters).
- ServiceDescription (short description of the service determined by the service provider, max 1024 characters. MRs MAY use this text to help administrators determine the authorizations).
- ServiceDescriptionURL (a URL of max 512 characters where a detailed description of the service can be found, determined by the service provider. MRs MAY include this link to help administrators determine the authorizations).
- AuthnContextClassRef (assurance level that is required for the service, determined by the service provider)
- HerkenningsmakelaarId (the OIN of the Herkenningsmakelaar (HM) that provides the service catalog entry for this service definition)
- EntityConcernedTypesAllowed (multivalue entry with the different types of service consumers that are granted access to the service)
The SP may also indicate to honor restrictions. When an Attribute with a ServiceRestriction is included in the AttributeStatement, users can access the service under the restrictions as specified for that type of restriction. Currently, the only restrictions supported are ServiceRestriction:Vestigingsnr and ServiceRestriction:SubdossierNr (deprecated). The ServiceRestriction:Vestigingsnr CAN be indicated in the Service catalog, in such case both the ServiceRestriction:Vestigingsnr and ServiceRestriction:SubdossierNr will be returned, if applicable.
- ServiceRestrictionsAllowed (multivalue entry with the different types of service restrictions the service provider can honor).
- RequestedAttribute (multivalue entry with all the attributes that may be requested for this service)
- PurposeStatement (a statement by the service provider why this attribute is requested, 1024 characters).
- Per ServiceInstance:
- IsPublic (attribute that indicates whether the service provider is in public)
ServiceID (an identifier of a service instance that is unique in the context of the service provider)
- ServiceUUID (a universally unique identifier to allow identifying and referencing this instance)
- InstanceOfService (a reference to a ServiceUUID of a Service definition being implemented. Either an InstanceOfService OR an IntermediatedService OR an OndertekendienstForService MUST be present).
- IntermediatedService (a reference to a ServiceUUID of a Service instance in case Dienstbemiddeling applies. An intermediating service MUST NOT reference a service instance that applies Dienstbemiddeling or acts as Ondertekendienst itself).
- OndertekendienstForService (a reference to a ServiceUUID of a Service instance in case the Service Provider acts as Ondertekendienst for the referenced service. MUST NOT reference a Service instance that is an Ondertekendienst itself).
- ServiceURL (optional URL of max 512 characters where the service can be found).
- HerkenningsmakelaarId (the OIN of the Herkenningsmakelaar (HM) that provides the service catalog entry for this service instance)
- AdditionalHerkenningsmakelaarId (multivalue entry with the OINs for the other HMs that provide this service)
- SSOSupport (a boolean that indicates if the service supports SingleSignOn)
EntityConcernedTypesAllowed (In case Dienstbemiddeling (service intermediary) and citizen domain: EntityConcernedTypesAllowed MUST be used if the Dienstbemiddelaar may not request a BSN; the value must be 'urn:etoegang:1.9:EntityConcernedID:Consumer' (see EntityConcernedID:Consumer). MUST NOT be used in other cases).
- ServiceCertificate (Service provider's PKI certificate with a public key that can be used to encrypt requested attributes and IDs). This certificate MUST be a valid PKIoverheid certificate.
- ServiceIntermediation (indication if intermediation of the service (Dienstbemiddeling) requires approval of the Service Provider, see AUC7 Proces verlenen toestemming dienstbemiddeling)
- @intermediationAllowed (attribute indicating approval is required; possible values "noIntermediation" (default), "generalAvailable", "serviceProviderOnly", "requiresApproval")
- ServiceIntermediationAllowed (optional, holds one or more OINs of any Dienstbemiddelaar allowed to intermediate a service if @intermediationAllowed has the value "requiresApproval").
- OndertekendienstId (multivalued entry containing the OIN of the Ondertekendienst (OD) that provides signing for this service). MUST NOT be used in case this ServiceInstance has an OndertekendienstForService element.
- Classifiers (optional, multivalued entry that allows for one or more classifications of a ServiceInstance)
Classifier (value indicating a particular classification applied for this SerivceInstance)
The following classifiers are defined:
Classifier Description Usage restrictions PublicDomain The ServiceInstance is operated by the Dienstverlener (Service Provider) to implement a service under a responsibility in the public domain.
The Dienstverlener MUST operate under "Artikel 1:1 Algemene Wet Bestuursrecht".
Although a service in the public domain will typically request an urn:etoegang:1.9:EntityConcernedID:BSN or EntityConcernedID:RSIN, this is not mandatory. Other identifiers may be used by services classified as PublicDomain as well.
Service requesting aforementioned identifiers typically do operate as a PublicDomain service.
In case the ServiceInstance is classified as 'eIDAS-outbound' as well, the actual DV in another member state operates under an equivalent legislation and are requested as such via the eIDAS interoperability framework (eIDAS: SPType 'public').
eIDAS-inbound The service is an eTD-service that is receptive to users from other eIDAS-member states.
Services that want to accept authentication and authorization through eIDAS MUST be classified as 'eIDAS-inbound'.
eIDAS-outbound The service is a proxy for services in other member states under the eIDAS regulation.
The eIDAS-berichtenservice has proxy-services listed in the Service Catalog for services in other eIDAS-member states that may be accessed through eIDAS. These proxy services MUST be classified as 'eIDAS-outbound'.
NativeApp Indicates the application used to offer the Dienst is a native app. If absent this ServiceInstance is used via 'web', indicating a SAML-based web application. ServiceInstance marked as "NativeApp" MUST use the native app interface specifications.
The elements OrganizationDisplayName, ServiceName, ServiceDescription, ServiceDescriptionURL, PurposeStatement, ServiceURL and PrivacyPolicyURL MAY be included for different languages.
Rules for processing Service Catalog
- All ServiceUUIDs MUST be both global and temporal unique. The Beheerorganisatie MUST verify all UUIDs that are used are defined only once. Significant changes to a Service SHOULD result in a new distinct ServiceUUID. ServiceDefinitions with the same ServiceUUID are exempt from global uniqueness, these are shared services and MUST be identical (identical but excluding @IsPublic and HerkenningsmakelaarId).
- Herkenningsmakelaar passes on the ServiceUUID of the ServiceInstance matching the requested combination of Dienstverlener- AttributeConsumingServiceIndex, or whatever other mechanic used in the bilateral DV-HM interface, in further authentication and attribute requests.
- A receiving AD/MR/KR inspects the Service Catalogue to determine the exact authorization demands and relying parties for the requested ServiceInstance based upon the ServiceUUID. The following logic applies:
- The ServiceUUID of the referenced ServiceDefinition is always used to determine the mandate/authorization demands.
- The requested ServiceInstance always determine the relying entity (or entities) for the authorization request.
- In case of service intermediation: a service instance references a service instance (rather than a service definition) via the IntermediatedService element.
- In case of service intermediation: the service instance pointed to is considered the true relying party; the requesting party is merely an acceptable attesting entity (only to be included in subjectconfirmation HoK).
- In case of Ondertekenen: a service instance references a service instance (rather than a service definition) via the OndertekendienstForService element.
- In case of Ondertekenen: the service instance pointed to is considered the true relying party; the requesting party MUST be an Ondertekendienst (has role 'OD' in entityID and is listed as such in Network metadata).
The combination of EntityConcernedTypesAllowed BSN (as well as BSNacc or BSNsim in the test network) and ServiceInstance classifier 'eIDAS-inbound' MUST NOT be allowed, because the eIDAS-berichtenservice cannot process BSN.
In case of service intermediation; the approval verification MUST be based on the ServiceIntermediation element belonging to the referenced service instance. The following rules apply:
@intermediationAllowed Processing rule noIntermediation Participants MUST NOT allow service intermediation for the Service (default) generalAvailable Participants MUST allow service intermediation by any dienstverlener listed in the Service Catalog as service intermediary for the Service serviceProviderOnly Participants MUST only allow the Service Provider itself to perform service intermediation (Dienstbemiddelaar = Dienstaanbieder) requiresApproval Participants MUST allow only those Service Intermediaries that have their OIN listed under ServiceIntermediationAllowed to perform service intermediation for the Service
The Beheerorganisatie publishes the service catalog at a predetermined location. Before it is published, the service catalog is sorted by HerkenningsmakelaarId and then by the ServiceID.
A participant MUST process the service catalog according to Proces doorvoeren nieuwe dienstencatalogus.