Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Twee vergetern referenties naar OD verwijderd.


  • IssueInstant (time at which the service catalog was created)
  • Version (version of the service catalog in the format
    Include Page
    <scheme version >:service-catalogue:<omgeving><sequence number>.
    Include Page
  • Signature (signature from the Beheerorganisatie (BO), Herkenningsmakelaar (HM) or Dienstverlener (DV) for authenticity, integrity and non-repudiation).
  • Per Dienstverlener:
    • IsPublic (attribute that indicates whether the service provider is in public)
    • ServiceProviderID (The service provider's OIN (government ID number)
    • OrganizationDisplayName (the name of the service provider as it MUST be displayed by participants, max 64 characters).
    • Per ServiceDefinition:
      • IsPublic (attribute that indicates whether the service is using eHerkenning in public)
      • ServiceUUID (a universally unique identifier that is used for registering entitlements. It is possible the same UUID is shared between multiple service providers, in that case they will use the same entitlement)
      • ServiceName (name of the service determined by the service provider, max 64 characters).
      • ServiceDescription (short description of the service determined by the service provider, max 1024 characters. MRs MAY use this text to help administrators determine the authorizations).
      • ServiceDescriptionURL (a URL of max 512 characters where a detailed description of the service can be found, determined by the service provider. MRs MAY include this link to help administrators determine the authorizations).
      • AuthnContextClassRef (assurance level that is required for the service, determined by the service provider)
      • HerkenningsmakelaarId (the OIN of the Herkenningsmakelaar (HM) that provides the service catalog entry for this service definition)
      • EntityConcernedTypesAllowed (multivalue entry with the different types of service consumers that are granted access to the service). In case multiple EntityConcernedTypes are defined, they are assigned to Identifier sets.  An identifier set is a cluster of EntityConcernedTypes with the same set number.
        • Identifier Set MUST adhere to the following rules:
          • Identifier sets are not applicable to Idensys EntityConcernedTypes. This means that only 1 EntityConcernedType MUST be specified for an Idensys service. The ECTA's which are in scope for Idensys are: urn:etoegang:1.9:EntityConcernedID:Consumer, urn:etoegang:1.9:EntityConcernedID:BSN, urn:etoegang:1.11:EntityConcernedID:BSNsim, urn:etoegang:1.11:EntityConcernedID:BSNacc.
          • EntityConcernedTypes MAY be used in multiple identifier sets

        Include Page
      • ServiceRestrictionsAllowed (multivalue entry with the different types of service restrictions the service provider can honor).
      • RequestedAttribute (multivalue entry with all the attributes that may be requested for this service)
        • PurposeStatement (a statement by the service provider why this attribute is requested, 1024 characters).
    • Per ServiceInstance:
      • IsPublic (attribute that indicates whether the service provider is in public)
      • ServiceID (an identifier of a service instance that is unique in the context of the service provider)


        If the DV provides a portal function, it MUST be specified in the service catalog with a reserved index number 0. The portal function can only be used for EntityConcernedTypes that support representation, refer to the table in Identificerende kenmerken, except for eIDASLegalIdentifier.

      • ServiceUUID (a universally unique identifier to allow identifying and referencing this instance)
      • InstanceOfService (a reference to a ServiceUUID of a Service definition being implemented. Either an InstanceOfService OR an IntermediatedService OR MUST be present).
      • IntermediatedService (a reference to a ServiceUUID of a Service instance in case Dienstbemiddeling applies. An intermediating service MUST NOT reference a service instance that applies Dienstbemiddeling or acts as Ondertekendienst itself).
      • ServiceURL (optional URL of max 512 characters where the service can be found).  
      • PrivacyPolicyURL (a URL of max 512 characters where the privacy policy for this service can be found). Optional for Dienstbemiddeling and Ondertekendienst services.
      • HerkenningsmakelaarId (the OIN of the Herkenningsmakelaar (HM) that provides the service catalog entry for this service instance)
      • AdditionalHerkenningsmakelaarId (multivalue entry with the OINs for the other HMs that provide this service)
      • SSOSupport (a boolean that indicates if the service supports SingleSignOn)
      • EntityConcernedTypesAllowed (In case Dienstbemiddeling (service intermediary) and citizen domain: EntityConcernedTypesAllowed MUST be used if the Dienstbemiddelaar may not request a BSN; the value must be 'urn:etoegang:1.9:EntityConcernedID:Consumer' (see EntityConcernedID:Consumer). MUST NOT be used in other cases).

      • ServiceCertificate (Service provider's PKI certificate with a public key that can be used to encrypt requested attributes and IDs). This certificate MUST be a valid PKIoverheid certificate. Note that multiple certificates may be provided for cases like changing certificates. (Additonally: Signing certificates must NOT be used here but should be placed in the DV metadata for HM).
      • ServiceIntermediation (indication if intermediation of the service (Dienstbemiddeling) requires approval of the Service Provider, see AUC7 Proces verlenen toestemming dienstbemiddeling)
        • @intermediationAllowed (attribute indicating approval is required; possible values "noIntermediation" (default), "generalAvailable", "serviceProviderOnly", "requiresApproval")
        • ServiceIntermediationAllowed (optional, holds one or more OINs of any Dienstbemiddelaar allowed to intermediate a service if @intermediationAllowed has the value "requiresApproval").
      • Classifiers (optional, multivalued entry that allows for one or more classifications of a ServiceInstance)
        • Classifier (value indicating a particular classification applied for this SerivceInstance)
          The following classifiers are defined:

          ClassifierDescriptionUsage restrictions
          PublicDomainThe ServiceInstance is operated by the Dienstverlener (Service Provider) to implement a service under a responsibility in the public domain.

          The Dienstverlener MUST operate under "Artikel 1:1 Algemene Wet Bestuursrecht".


          Although a service in the public domain will typically request an urn:etoegang:1.9:EntityConcernedID:BSN or EntityConcernedID:RSIN, this is not mandatory. Other identifiers may be used by services classified as PublicDomain as well.

          Service requesting aforementioned identifiers typically do operate as a PublicDomain service.

          In case the ServiceInstance is classified as 'eIDAS-outbound' as well, the actual DV in another member state operates under an equivalent legislation and are requested as such via the eIDAS interoperability framework (eIDAS: SPType 'public').

          eIDAS-inboundThe service is an eTD-service that is receptive to users from other eIDAS-member states.

          Services that want to accept authentication and authorization through eIDAS MUST be classified as 'eIDAS-inbound'.

          eIDAS-outboundThe service is a proxy for services in other member states under the eIDAS regulation. 

          The eIDAS-berichtenservice has proxy-services listed in the Service Catalog for services in other eIDAS-member states that may be accessed through eIDAS. These proxy services MUST be classified as 'eIDAS-outbound'.

          NativeAppIndicates the application used to offer the Dienst is a native app. If absent this ServiceInstance is used via 'web', indicating a SAML-based web application.ServiceInstance marked as "NativeApp" MUST use the native app interface specifications.