Skip to end of metadata
Go to start of metadata

This chapter describes the format and publication of the Dienstencatalogus (DC) (service catalog).The Service catalog holds the information of services offered by Dienstverleners (service providers). A DV can own one or more Service Definitions and one or more Service Instances:

  • A Service Definition has the elements to describe the functionality of the Service.
  • A Service Instance has the technical details for an implementation of the Service as operated by the Dienstverlener (DV).

In case of Dienstbemiddeling (Service Intermediation): The Service Instance of the Dienstbemiddelaar (DB) (Service Intermediary) references the Service Instance of the Dienstaanbieder (DA) (service supplier) by ServiceUUID, using the IntermediatedService.

In case of an Ondertekendienst (OD) (Signing service): The Service Instance of the Ondertekendienst (OD) references the Service Instance of the Dienstverlener (DV) by ServiceUUID, using the OndertekendienstForService.

Format

The service catalog MUST have the following format:

  • IssueInstant (time at which the service catalog was created)
  • Version (version of the service catalog in the format urn:etoegang:<scheme version >:service-catalogue:<omgeving><sequence number>.
    Example: urn:etoegang:1.11:service-catalogue:T:1
  • Signature (signature from the Beheerorganisatie (BO), Herkenningsmakelaar (HM) or Dienstverlener (DV) for authenticity, integrity and non-repudiation).
  • Per Dienstverlener:
    • IsPublic (attribute that indicates whether the service provider is in public)
    • ServiceProviderID (The service provider's OIN (government ID number)
    • OrganizationDisplayName (the name of the service provider as it MUST be displayed by participants, max 64 characters).
    • Per ServiceDefinition:
      • IsPublic (attribute that indicates whether the service is using eHerkenning in public)
      • ServiceUUID (a universally unique identifier that is used for registering entitlements. It is possible the same UUID is shared between multiple service providers, in that case they will use the same entitlement)
      • ServiceName (name of the service determined by the service provider, max 64 characters).
      • ServiceDescription (short description of the service determined by the service provider, max 1024 characters. MRs MAY use this text to help administrators determine the authorizations).
      • ServiceDescriptionURL (a URL of max 512 characters where a detailed description of the service can be found, determined by the service provider. MRs MAY include this link to help administrators determine the authorizations).
      • AuthnContextClassRef (assurance level that is required for the service, determined by the service provider)
      • HerkenningsmakelaarId (the OIN of the Herkenningsmakelaar (HM) that provides the service catalog entry for this service definition)
      • EntityConcernedTypesAllowed (multivalue entry with the different types of service consumers that are granted access to the service)

        While an SP may indicate to accept more than one EntityConcernedType, for example both EntityConcernedID:KvKnr and EntityConcernedID:Pseudo, only one may be returned per transaction.

        The SP may also indicate to honor restrictions. When an Attribute with a ServiceRestriction is included in the AttributeStatement, users can access the service under the restrictions as specified for that type of restriction. Currently, the only restrictions supported are ServiceRestriction:Vestigingsnr and ServiceRestriction:SubdossierNr (deprecated). The ServiceRestriction:Vestigingsnr CAN be indicated in the Service catalog, in such case both the ServiceRestriction:Vestigingsnr and ServiceRestriction:SubdossierNr will be returned, if applicable. 

      • ServiceRestrictionsAllowed (multivalue entry with the different types of service restrictions the service provider can honor).
      • RequestedAttribute (multivalue entry with all the attributes that may be requested for this service)
        • PurposeStatement (a statement by the service provider why this attribute is requested, 1024 characters).
    • Per ServiceInstance:
      • IsPublic (attribute that indicates whether the service provider is in public)
      • ServiceID (an identifier of a service instance that is unique in the context of the service provider)

        If the DV provides a portal function, it MUST be specified in the service catalog with a reserved index number 0. The portal function can only be used for EntityConcernedTypes that support representation, refer to the table in Identificerende kenmerken.

      • ServiceUUID (a universally unique identifier to allow identifying and referencing this instance)
      • InstanceOfService (a reference to a ServiceUUID of a Service definition being implemented. Either an InstanceOfService OR an IntermediatedService OR an OndertekendienstForService MUST be present).
      • IntermediatedService (a reference to a ServiceUUID of a Service instance in case Dienstbemiddeling applies. An intermediating service MUST NOT reference a service instance that applies Dienstbemiddeling or acts as Ondertekendienst itself).
      • OndertekendienstForService (a reference to a ServiceUUID of a Service instance in case the Service Provider acts as Ondertekendienst for the referenced service. MUST NOT reference a Service instance that is an Ondertekendienst itself).
      • ServiceURL (optional URL of max 512 characters where the service can be found).  
      • PrivacyPolicyURL (a URL of max 512 characters where the privacy policy for this service can be found). Optional for Dienstbemiddeling and Ondertekendienst services.
      • HerkenningsmakelaarId (the OIN of the Herkenningsmakelaar (HM) that provides the service catalog entry for this service instance)
      • AdditionalHerkenningsmakelaarId (multivalue entry with the OINs for the other HMs that provide this service)
      • SSOSupport (a boolean that indicates if the service supports SingleSignOn)
      • EntityConcernedTypesAllowed (In case Dienstbemiddeling (service intermediary) and citizen domain: EntityConcernedTypesAllowed MUST be used if the Dienstbemiddelaar may not request a BSN; the value must be 'urn:etoegang:1.9:EntityConcernedID:Consumer' (see EntityConcernedID:Consumer). MUST NOT be used in other cases).

      • ServiceCertificate (Service provider's PKI certificate with a public key that can be used to encrypt requested attributes and IDs). This certificate MUST be a valid PKIoverheid certificate.
      • ServiceIntermediation (indication if intermediation of the service (Dienstbemiddeling) requires approval of the Service Provider, see AUC7 Proces verlenen toestemming dienstbemiddeling)
        • @intermediationAllowed (attribute indicating approval is required; possible values "noIntermediation" (default), "generalAvailable", "serviceProviderOnly", "requiresApproval")
        • ServiceIntermediationAllowed (optional, holds one or more OINs of any Dienstbemiddelaar allowed to intermediate a service if @intermediationAllowed has the value "requiresApproval").
      • OndertekendienstId (multivalued entry containing the OIN of the Ondertekendienst (OD) that provides signing for this service). MUST NOT be used in case this ServiceInstance has an OndertekendienstForService element.
      • Classifiers (optional, multivalued entry that allows for one or more classifications of a ServiceInstance)
        • Classifier (value indicating a particular classification applied for this SerivceInstance)
          The following classifiers are defined:

          ClassifierDescriptionUsage restrictions
          PublicDomainThe ServiceInstance is operated by the Dienstverlener (Service Provider) to implement a service under a responsibility in the public domain.

          The Dienstverlener MUST operate under "Artikel 1:1 Algemene Wet Bestuursrecht".

          Although a service in the public domain will typically request an EntityConcernedID:BSN or EntityConcernedID:RSIN, this is not mandatory. Other identifiers may be used by services classified as PublicDomain as well.

          Service requesting aforementioned identifiers typically do operate as a PublicDomain service.

          In case the ServiceInstance is classified as 'eIDAS-outbound' as well, the actual DV in another member state operates under an equivalent legislation and are requested as such via the eIDAS interoperability framework (eIDAS: SPType 'public').

          eIDAS-inboundThe service is an eTD-service that is receptive to users from other eIDAS-member states.

          Services that want to accept authentication and authorization through eIDAS MUST be classified as 'eIDAS-inbound'.

          eIDAS-outboundThe service is a proxy for services in other member states under the eIDAS regulation. 

          The eIDAS-berichtenservice has proxy-services listed in the Service Catalog for services in other eIDAS-member states that may be accessed through eIDAS. These proxy services MUST be classified as 'eIDAS-outbound'.

          NativeAppIndicates the application used to offer the Dienst is a native app. If absent this ServiceInstance is used via 'web', indicating a SAML-based web application.ServiceInstance marked as "NativeApp" MUST use the native app interface specifications.

The elements OrganizationDisplayName, ServiceName, ServiceDescription, ServiceDescriptionURL, PurposeStatement, ServiceURL and PrivacyPolicyURL MAY be included for different languages.

Rules for processing Service Catalog

  • All ServiceUUIDs MUST be both global and temporal unique. The Beheerorganisatie MUST verify all UUIDs that are used are defined only once. Significant changes to a Service SHOULD result in a new distinct ServiceUUID. ServiceDefinitions with the same ServiceUUID are exempt from global uniqueness, these are shared services and MUST be identical (identical but excluding @IsPublic and HerkenningsmakelaarId).
  • Herkenningsmakelaar passes on the ServiceUUID of the ServiceInstance matching the requested combination of Dienstverlener- AttributeConsumingServiceIndex, or whatever other mechanic used in the bilateral DV-HM interface, in further authentication and attribute requests.
  • A receiving AD/MR/KR inspects the Service Catalogue to determine the exact authorization demands and relying parties for the requested ServiceInstance based upon the ServiceUUID. The following logic applies:
    • The ServiceUUID of the referenced ServiceDefinition is always used to determine the mandate/authorization demands.
    • The requested ServiceInstance always determine the relying entity (or entities) for the authorization request.
    • In case of service intermediation: a service instance references a service instance (rather than a service definition) via the IntermediatedService element.
    • In case of service intermediation: the service instance pointed to is considered the true relying party; the requesting party is merely an acceptable attesting entity (only to be included in subjectconfirmation HoK).
    • In case of Ondertekenen: a service instance references a service instance (rather than a service definition) via the OndertekendienstForService element.
    • In case of Ondertekenen: the service instance pointed to is considered the true relying party; the requesting party MUST be an Ondertekendienst (has role 'OD' in entityID and is listed as such in Network metadata).
  • In case of service intermediation; the approval verification MUST be based on the ServiceIntermediation element belonging to the referenced service instance. The following rules apply:

    @intermediationAllowedProcessing rule
    noIntermediationParticipants MUST NOT allow service intermediation for the Service (default)
    generalAvailableParticipants MUST allow service intermediation by any dienstverlener listed in the Service Catalog as service intermediary for the Service
    serviceProviderOnlyParticipants MUST only allow the Service Provider itself to perform service intermediation (Dienstbemiddelaar = Dienstaanbieder)
    requiresApprovalParticipants MUST allow only those Service Intermediaries that have their OIN listed under ServiceIntermediationAllowed to perform service intermediation for the Service
XML schema Service Catalog
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:esc="urn:etoegang:1.11:service-catalog"
    targetNamespace="urn:etoegang:1.11:service-catalog"
    elementFormDefault="qualified"
    attributeFormDefault="unqualified">

    <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd/xmldsig-core-schema.xsd"/>
    <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"/>
    <xs:import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"/>

    <!--Elements-->
    <xs:element name="ServiceDefinition" type="esc:ServiceDefinitionType" />
    <xs:complexType name="ServiceDefinitionType">
        <xs:sequence>
            <xs:element ref="esc:ServiceUUID" />
            <xs:element ref="esc:ServiceName" maxOccurs="unbounded"/>
            <xs:element ref="esc:ServiceDescription" maxOccurs="unbounded"/>
            <xs:element ref="esc:ServiceDescriptionURL" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="saml2:AuthnContextClassRef"/>
            <xs:element ref="esc:HerkenningsmakelaarId"/>
            <xs:element ref="esc:EntityConcernedTypesAllowed" minOccurs="1" maxOccurs="unbounded"/>
            <xs:element ref="esc:ServiceRestrictionsAllowed" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="esc:RequestedAttribute" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute ref="esc:IsPublic" use="required"/>
    </xs:complexType>
    <xs:element name="ServiceInstance" type="esc:ServiceInstanceType" />
    <xs:complexType name="ServiceInstanceType">
        <xs:sequence>
            <xs:element ref="esc:ServiceID" minOccurs="1"/>
            <xs:element ref="esc:ServiceUUID" />
            <xs:choice>
                <xs:element ref="esc:InstanceOfService" />
                <xs:element ref="esc:IntermediatedService"/>
                <xs:element ref="esc:OndertekendienstForService"/>
            </xs:choice>
            <xs:element ref="esc:ServiceURL" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="esc:PrivacyPolicyURL" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="esc:HerkenningsmakelaarId"/>
            <xs:element ref="esc:AdditionalHerkenningsmakelaarId" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element name="SSOSupport" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
            <xs:element ref="esc:EntityConcernedTypesAllowed" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="esc:ServiceCertificate" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="esc:ServiceIntermediation" minOccurs="0" />
            <xs:element ref="esc:OndertekendienstId" minOccurs="0" maxOccurs="unbounded" />
            <xs:element ref="esc:Classifiers" minOccurs="0" />
        </xs:sequence>
        <xs:attribute ref="esc:IsPublic" use="required"/>
    </xs:complexType>

    <xs:element name="ServiceCatalogue">
        <xs:complexType>
            <xs:sequence>
                <xs:element ref="ds:Signature"/>
                <xs:element ref="esc:ServiceProvider" maxOccurs="unbounded"/>
            </xs:sequence>
            <xs:attribute ref="esc:IssueInstant" use="required"/>
            <xs:attribute ref="esc:Version" use="required"/>
            <xs:attribute name="ID" type="xs:string"/>
        </xs:complexType>
    </xs:element>
    <xs:element name="EntityConcernedTypesAllowed">
        <xs:complexType>
            <xs:simpleContent>
                <xs:extension base="xs:anyURI"/>
            </xs:simpleContent>
        </xs:complexType>
    </xs:element>
    <xs:element name="ServiceRestrictionsAllowed">
        <xs:complexType>
            <xs:simpleContent>
                <xs:extension base="xs:anyURI"/>
            </xs:simpleContent>
        </xs:complexType>
    </xs:element>
    <xs:element name="ServiceDescription">
        <xs:complexType>
            <xs:simpleContent>
                <xs:restriction base="md:localizedNameType">
                    <xs:maxLength value="1024"/>
                </xs:restriction>
            </xs:simpleContent>
        </xs:complexType>
    </xs:element>
    <xs:element name="ServiceDescriptionURL">
        <xs:complexType>
            <xs:simpleContent>
                <xs:restriction base="md:localizedURIType">
                    <xs:maxLength value="512"/>
                </xs:restriction>
            </xs:simpleContent>
        </xs:complexType>
    </xs:element>
    <xs:element name="ServiceURL">
        <xs:complexType>
            <xs:simpleContent>
                <xs:restriction base="md:localizedURIType">
                    <xs:maxLength value="512"/>
                </xs:restriction>
            </xs:simpleContent>
        </xs:complexType>
    </xs:element>
    <xs:element name="PrivacyPolicyURL">
        <xs:complexType>
            <xs:simpleContent>
                <xs:restriction base="md:localizedURIType">
                    <xs:maxLength value="512"/>
                </xs:restriction>
            </xs:simpleContent>
        </xs:complexType>
    </xs:element>
    <xs:element name="ServiceID" type="xs:anyURI"/>
    <xs:element name="ServiceUUID" type="xs:string"/>
    <xs:element name="ServiceName">
        <xs:complexType>
            <xs:simpleContent>
                <xs:restriction base="md:localizedNameType">
                    <xs:maxLength value="64"/>
                </xs:restriction>
            </xs:simpleContent>
        </xs:complexType>
    </xs:element>
    <xs:element name="ServiceProvider">
        <xs:complexType>
            <xs:sequence>
                <xs:element ref="esc:ServiceProviderID"/>
                <xs:element ref="esc:OrganizationDisplayName" maxOccurs="unbounded"/>
                <xs:element ref="esc:ServiceDefinition" minOccurs="0" maxOccurs="unbounded"/>
                <xs:element ref="esc:ServiceInstance" minOccurs="0" maxOccurs="unbounded"/>
            </xs:sequence>
            <xs:attribute ref="esc:IsPublic" use="required"/>
        </xs:complexType>
    </xs:element>
    <xs:element name="ServiceProviderID" type="esc:OINType"/>
    <xs:element name="RequestedAttribute" type="esc:RequestedAttributeType" />
    <xs:complexType name="RequestedAttributeType">
        <xs:complexContent>
            <xs:extension base="md:RequestedAttributeType">
                <xs:sequence>
                    <xs:element ref="esc:PurposeStatement" maxOccurs="unbounded"/>
                </xs:sequence>
            </xs:extension>
        </xs:complexContent>
    </xs:complexType>
    <xs:element name="PurposeStatement" type="esc:PurposeStatementType"/>
    <xs:complexType name="PurposeStatementType">
        <xs:simpleContent>
            <xs:restriction base="md:localizedNameType">
                <xs:maxLength value="1024" />
            </xs:restriction>
        </xs:simpleContent>
    </xs:complexType>
    <xs:element name="ServiceCertificate">
        <xs:complexType>
            <xs:sequence>
                <xs:element ref="md:KeyDescriptor"/>
            </xs:sequence>
        </xs:complexType>
    </xs:element>
    <xs:element name="HerkenningsmakelaarId" type="esc:OINType"/>
    <xs:element name="AdditionalHerkenningsmakelaarId" type="esc:OINType"/>
    <xs:element name="OrganizationDisplayName">
        <xs:complexType>
            <xs:simpleContent>
                <xs:restriction base="md:localizedNameType">
                    <xs:maxLength value="64"/>
                </xs:restriction>
            </xs:simpleContent>
        </xs:complexType>
    </xs:element>
    <xs:element name="InstanceOfService" type="xs:string"/>
    <xs:element name="IntermediatedService" type="xs:string"/>
    <xs:element name="OndertekendienstForService" type="xs:string"/>
    <xs:element name="ServiceIntermediation">
        <xs:complexType>
            <xs:sequence>
                <xs:element ref="esc:ServiceIntermediationAllowed" minOccurs="0" maxOccurs="unbounded"/>
            </xs:sequence>
            <xs:attribute name="intermediationAllowed" type="esc:IntermediationAllowedType" default="noIntermediation"/>
        </xs:complexType>
    </xs:element>
    <xs:simpleType name="IntermediationAllowedType">
        <xs:restriction base="xs:string">
            <xs:enumeration value="noIntermediation"/>
            <xs:enumeration value="generalAvailable"/>
            <xs:enumeration value="serviceProviderOnly"/>
            <xs:enumeration value="requiresApproval"/>
        </xs:restriction>
    </xs:simpleType>
    <xs:element name="ServiceIntermediationAllowed" type="esc:OINType"/>
    <xs:simpleType name="OINType">
        <xs:restriction base="xs:string">
            <xs:pattern value="[0-9]{20}"/>
        </xs:restriction>
    </xs:simpleType>
    <xs:element name="OndertekendienstId" type="esc:OINType"/>
    <xs:element name="Classifiers" type="esc:ClassifiersType" />
    <xs:complexType name="ClassifiersType">
        <xs:sequence>
            <xs:element name="Classifier" type="xs:string" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>

    <!--Attributes-->
    <xs:attribute name="IssueInstant" type="xs:dateTime"/>
    <xs:attribute name="IsPublic" type="xs:boolean"/>
    <xs:attribute name="Version" type="xs:anyURI"/>

</xs:schema>
Example Service Catalog with one service
<?xml version="1.0" encoding="UTF-8"?>
<esc:ServiceCatalogue xmlns:esc="urn:etoegang:1.11:service-catalog" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" esc:IssueInstant="2015-12-28T10:19:57Z" esc:Version="urn:etoegang:1.10:53" ID="_dc">

  <ds:Signature>...</ds:Signature>

  <esc:ServiceProvider esc:IsPublic="true">
    <esc:ServiceProviderID>99999999000000000099</esc:ServiceProviderID>
    <esc:OrganizationDisplayName xml:lang="nl">Voorbeeld DV</esc:OrganizationDisplayName>
    <esc:OrganizationDisplayName xml:lang="en">Example SP</esc:OrganizationDisplayName>

    <esc:ServiceDefinition esc:IsPublic="true">
      <esc:ServiceUUID>6bae98e3-5ef9-4576-98c8-5aba4b8e672d</esc:ServiceUUID>
      <esc:ServiceName xml:lang="nl">Voorbeelddienst</esc:ServiceName>
      <esc:ServiceName xml:lang="en">Example Service</esc:ServiceName>
      <esc:ServiceDescription xml:lang="nl">Voorbeelddienst (attributen LoA3)</esc:ServiceDescription>
      <esc:ServiceDescription xml:lang="en">Example Service (attributes LoA3)</esc:ServiceDescription>
      <esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
      <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
      <esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
      <esc:EntityConcernedTypesAllowed>urn:etoegang:1.9:EntityConcernedID:Pseudo</esc:EntityConcernedTypesAllowed>
      <esc:RequestedAttribute Name="urn:etoegang:1.9:attribute:FirstName" isRequired="false">
        <esc:PurposeStatement xml:lang="nl">Om voornaam te kunnen testen...</esc:PurposeStatement>
        <esc:PurposeStatement xml:lang="en">For testing Firstname...</esc:PurposeStatement>
      </esc:RequestedAttribute>
      <esc:RequestedAttribute Name="urn:etoegang:1.9:attribute:Initials" isRequired="false">
        <esc:PurposeStatement xml:lang="nl">Om initialen te kunnen testen...</esc:PurposeStatement>
        <esc:PurposeStatement xml:lang="en">For testing initials</esc:PurposeStatement>
      </esc:RequestedAttribute>
      <esc:RequestedAttribute Name="urn:etoegang:1.9:attribute:FamilyName" isRequired="true">
        <esc:PurposeStatement xml:lang="nl">Om achternaam te kunnen testen...</esc:PurposeStatement>
        <esc:PurposeStatement xml:lang="en">For testing family name...</esc:PurposeStatement>
      </esc:RequestedAttribute>
      <esc:RequestedAttribute Name="urn:etoegang:1.9:attribute:DateOfBirth" isRequired="true">
        <esc:PurposeStatement xml:lang="nl">Om geboortedatum te kunnen testen...</esc:PurposeStatement>
        <esc:PurposeStatement xml:lang="en">For testing birthdate...</esc:PurposeStatement>
      </esc:RequestedAttribute>
    </esc:ServiceDefinition>

    <esc:ServiceInstance esc:IsPublic="true">
      <esc:ServiceID>urn:etoegang:DV:99999999000000000099:services:9999</esc:ServiceID>
      <esc:ServiceUUID>9adfede3-eda5-4385-b938-9ccb954b2ad5</esc:ServiceUUID>
      <esc:InstanceOfService>6bae98e3-5ef9-4576-98c8-5aba4b8e672d</esc:InstanceOfService>
      <esc:ServiceURL xml:lang="nl">http://example.nl</esc:ServiceURL>
      <esc:ServiceURL xml:lang="en">http://example.com</esc:ServiceURL>
      <esc:PrivacyPolicyURL xml:lang="nl">http://example.etoegang.nl/privacy.html</esc:PrivacyPolicyURL>
      <esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
      <esc:SSOSupport>false</esc:SSOSupport>
      <esc:ServiceCertificate>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo>
            <ds:KeyName>...</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </esc:ServiceCertificate>
    </esc:ServiceInstance>

  </esc:ServiceProvider>

</esc:ServiceCatalogue>

Example Service with service intermediation
...
   <esc:ServiceProvider esc:IsPublic="true">
    <esc:ServiceProviderID>99999999000000000098</esc:ServiceProviderID>
    <esc:OrganizationDisplayName xml:lang="nl">Voorbeeld DV</esc:OrganizationDisplayName>
    <esc:OrganizationDisplayName xml:lang="en">Example SP</esc:OrganizationDisplayName>

    <esc:ServiceDefinition esc:IsPublic="true">
      <esc:ServiceUUID>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:ServiceUUID>
      <esc:ServiceName xml:lang="nl">Voorbeelddienst</esc:ServiceName>
      <esc:ServiceName xml:lang="en">Example Service</esc:ServiceName>
      <esc:ServiceDescription xml:lang="nl">Voorbeelddienst (BSN LoA3)</esc:ServiceDescription>
      <esc:ServiceDescription xml:lang="en">Example Service (BSN LoA3)</esc:ServiceDescription>
      <esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
      <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
      <esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
      <esc:EntityConcernedTypesAllowed>urn:etoegang:1.9:EntityConcernedID:BSN</esc:EntityConcernedTypesAllowed>
    </esc:ServiceDefinition>

    <esc:ServiceInstance esc:IsPublic="true">
      <esc:ServiceID>urn:etoegang:DV:99999999000000000098:services:9998</esc:ServiceID>
      <esc:ServiceUUID>94148585-90e3-467e-be43-5f5270326215</esc:ServiceUUID>
      <esc:InstanceOfService>cf48b0d3-ea45-4436-a6c4-fde50e19ef70</esc:InstanceOfService>
      <esc:ServiceURL xml:lang="nl">http://example.nl</esc:ServiceURL>
      <esc:PrivacyPolicyURL xml:lang="nl">http://example.etoegang.nl/privacy.html</esc:PrivacyPolicyURL>
      <esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
      <esc:SSOSupport>false</esc:SSOSupport>
      <esc:ServiceCertificate>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo>
            <ds:KeyName>...</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </esc:ServiceCertificate>
      <esc:ServiceIntermediation intermediationAllowed="requiresApproval">
          <esc:ServiceIntermediationAllowed>99999999000000000098</esc:ServiceIntermediationAllowed>
          <esc:ServiceIntermediationAllowed>99999999000000000097</esc:ServiceIntermediationAllowed>
      </esc:ServiceIntermediation>
    </esc:ServiceInstance>
 
  </esc:ServiceProvider>

  <esc:ServiceProvider esc:IsPublic="true">
    <esc:ServiceProviderID>99999999000000000097</esc:ServiceProviderID>
    <esc:OrganizationDisplayName xml:lang="nl">Voorbeeld Dienstbemiddelaar</esc:OrganizationDisplayName>
    <esc:OrganizationDisplayName xml:lang="en">Example Service Intemediary</esc:OrganizationDisplayName>

    <esc:ServiceInstance esc:IsPublic="true">
      <esc:ServiceID>urn:etoegang:DV:99999999000000000097:services:9997</esc:ServiceID>
      <esc:ServiceUUID>71dccfdd-2d4f-44e5-b03d-01c6580fad80</esc:ServiceUUID>
      <esc:IntermediatedService>94148585-90e3-467e-be43-5f5270326215</esc:IntermediatedService>
      <esc:ServiceURL xml:lang="en">http://example.com</esc:ServiceURL>
      <esc:PrivacyPolicyURL xml:lang="en">http://example.etoegang.nl/privacy_en.html</esc:PrivacyPolicyURL>
      <esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
      <esc:SSOSupport>false</esc:SSOSupport>
      <esc:ServiceCertificate>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo>
            <ds:KeyName>...</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </esc:ServiceCertificate>
    </esc:ServiceInstance>
  </esc:ServiceProvider>
...
Example Service with ondertekenen
...
  <esc:ServiceProvider esc:IsPublic="true">
    <esc:ServiceProviderID>99999999000000000096</esc:ServiceProviderID>
    <esc:OrganizationDisplayName xml:lang="nl">Voorbeeld DV</esc:OrganizationDisplayName>
    <esc:OrganizationDisplayName xml:lang="en">Example SP</esc:OrganizationDisplayName>

    <esc:ServiceDefinition esc:IsPublic="true">
      <esc:ServiceUUID>4d226dac-7d3c-4b9a-a4dc-a7602563c00d</esc:ServiceUUID>
      <esc:ServiceName xml:lang="nl">Voorbeelddienst</esc:ServiceName>
      <esc:ServiceName xml:lang="en">Example Service</esc:ServiceName>
      <esc:ServiceDescription xml:lang="nl">Voorbeelddienst (KvK LoA3 + ondertekenen)</esc:ServiceDescription>
      <esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
      <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
      <esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
      <esc:EntityConcernedTypesAllowed>urn:etoegang:1.9:EntityConcernedID:KvKnr</esc:EntityConcernedTypesAllowed>
    </esc:ServiceDefinition>

    <esc:ServiceInstance esc:IsPublic="true">
      <esc:ServiceID>urn:etoegang:DV:99999999000000000096:services:9996</esc:ServiceID>
      <esc:ServiceUUID>69877b3a-7a32-4564-b721-177b265f6fd8</esc:ServiceUUID>
      <esc:InstanceOfService>4d226dac-7d3c-4b9a-a4dc-a7602563c00d</esc:InstanceOfService>
      <esc:ServiceURL xml:lang="nl">http://example.nl</esc:ServiceURL>
      <esc:PrivacyPolicyURL xml:lang="nl">http://example.etoegang.nl/privacy.html</esc:PrivacyPolicyURL>
      <esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
      <esc:SSOSupport>false</esc:SSOSupport>
      <esc:ServiceCertificate>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo>
            <ds:KeyName>...</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </esc:ServiceCertificate>
      <esc:OndertekendienstId>99999999000000000095</esc:OndertekendienstId>
    </esc:ServiceInstance>
 
  </esc:ServiceProvider>

  <esc:ServiceProvider esc:IsPublic="true">
    <esc:ServiceProviderID>99999999000000000095</esc:ServiceProviderID>
    <esc:OrganizationDisplayName xml:lang="nl">Voorbeeld Ondertekendienst</esc:OrganizationDisplayName>
    <esc:OrganizationDisplayName xml:lang="en">Example Signing Service</esc:OrganizationDisplayName>

    <esc:ServiceInstance esc:IsPublic="true">
      <esc:ServiceID>urn:etoegang:OD:99999999000000000095:services:9995</esc:ServiceID>
      <esc:ServiceUUID>c6572b75-7faa-4015-921c-4e5654e7b363</esc:ServiceUUID>
      <esc:OndertekendienstForService>69877b3a-7a32-4564-b721-177b265f6fd8</esc:OndertekendienstForService>
      <esc:PrivacyPolicyURL xml:lang="nl">http://example.etoegang.nl/privacy.html</esc:PrivacyPolicyURL>
      <esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
      <esc:SSOSupport>false</esc:SSOSupport>
      <esc:ServiceCertificate>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo>
            <ds:KeyName>...</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </esc:ServiceCertificate>
    </esc:ServiceInstance>
  </esc:ServiceProvider>
...
Example Service Provider with one 'public-domain' service, with both a web as well as a native-app instance
...
  <esc:ServiceProvider esc:IsPublic="true">
    <esc:ServiceProviderID>99999999000000000099</esc:ServiceProviderID>
    <esc:OrganizationDisplayName xml:lang="nl">Voorbeeld DV</esc:OrganizationDisplayName>
    <esc:OrganizationDisplayName xml:lang="en">Example SP</esc:OrganizationDisplayName>

    <esc:ServiceDefinition esc:IsPublic="true">
      <esc:ServiceUUID>c230649d-647d-4289-80c7-b0297e3e6a29</esc:ServiceUUID>
      <esc:ServiceName xml:lang="nl">Voorbeelddienst</esc:ServiceName>
      <esc:ServiceName xml:lang="en">Example Service</esc:ServiceName>
      <esc:ServiceDescription xml:lang="nl">Voorbeelddienst (BSN LoA3)</esc:ServiceDescription>
      <esc:ServiceDescription xml:lang="en">Example Service (BSN LoA3)</esc:ServiceDescription>
      <esc:ServiceDescriptionURL xml:lang="nl">http://example.etoegang.nl</esc:ServiceDescriptionURL>
      <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
      <esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
      <esc:EntityConcernedTypesAllowed>urn:etoegang:1.9:EntityConcernedID:BSN</esc:EntityConcernedTypesAllowed>
    </esc:ServiceDefinition>

    <esc:ServiceInstance esc:IsPublic="true">
      <esc:ServiceID>urn:etoegang:DV:99999999000000000099:services:9994</esc:ServiceID>
      <esc:ServiceUUID>fabce53f-7ba6-44d7-aa75-789ec56431ad</esc:ServiceUUID>
      <esc:InstanceOfService>c230649d-647d-4289-80c7-b0297e3e6a29</esc:InstanceOfService>
      <esc:ServiceURL xml:lang="nl">http://example.nl</esc:ServiceURL>
      <esc:ServiceURL xml:lang="en">http://example.com</esc:ServiceURL>
      <esc:PrivacyPolicyURL xml:lang="nl">http://example.etoegang.nl/privacy.html</esc:PrivacyPolicyURL>
      <esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
      <esc:SSOSupport>false</esc:SSOSupport>
      <esc:ServiceCertificate>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo>
            <ds:KeyName>...</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </esc:ServiceCertificate>
      <esc:Classifiers>
        <esc:Classifier>PublicDomain</esc:Classifier>
      </esc:Classifiers>
    </esc:ServiceInstance>

    <esc:ServiceInstance esc:IsPublic="true">
      <esc:ServiceID>urn:etoegang:DV:99999999000000000099:services:9993</esc:ServiceID>
      <esc:ServiceUUID>128d0878-2bc7-4400-9068-8427c5abeb47</esc:ServiceUUID>
      <esc:InstanceOfService>c230649d-647d-4289-80c7-b0297e3e6a29</esc:InstanceOfService>
      <esc:ServiceURL xml:lang="nl">http://app.example.nl</esc:ServiceURL>
      <esc:ServiceURL xml:lang="en">http://app.example.com</esc:ServiceURL>
      <esc:PrivacyPolicyURL xml:lang="nl">http://example.etoegang.nl/app/privacy.html</esc:PrivacyPolicyURL>
      <esc:HerkenningsmakelaarId>99999999000000000010</esc:HerkenningsmakelaarId>
      <esc:SSOSupport>false</esc:SSOSupport>
      <esc:ServiceCertificate>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo>
            <ds:KeyName>...</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </esc:ServiceCertificate>
      <esc:Classifiers>
        <esc:Classifier>PublicDomain</esc:Classifier>
        <esc:Classifier>NativeApp</esc:Classifier>
      </esc:Classifiers>
    </esc:ServiceInstance>

  </esc:ServiceProvider>
...

Publication

The Beheerorganisatie publishes the service catalog at a predetermined location. Before it is published, the service catalog is sorted by HerkenningsmakelaarId and then by the ServiceID. 

A participant MUST process the service catalog according to Proces doorvoeren nieuwe dienstencatalogus.

  • No labels