Sequence diagram HM-AD

This page describes the messages that are exchanged between a Herkenningsmakelaar (HM) and an Authenticatiedienst (AD) (identity provider).

In the interface described here, the use case GUC3 Aantonen identiteit consists of a SAML 2.0 AuthnRequest and Response. The specific content of these messages is described below. Detailed information about the values of the fields can be found in Attribute elements.

For eIDAS Outbound, the eIDAS Berichtenservice acts as a DV, and as Dienstbemiddelaar (DB) for the BRP. Any statement in this page about the DV should therefore be interpreted as "DV and/or EB".

A column in a message description that starts with 'SAML' indicates that this is the standard value. A value that starts with '' indicates that the value is specific to .

AuthnRequest (1)

@ID

SAML: Unique message attribute

@Version

SAML: Version of the SAML protocol. The value MUST be '2.0'.

@IssueInstant

SAML: Time at which the message was created.

@Destination

SAML: URL of the AD on which the message is offered. MUST match the AD's metadata.

@Consent

: MUST NOT be included.

@ForceAuthn

The value 'true' indicates that an existing single sign-on session MUST NOT be used for the request in question. If the value is 'false' or empty, or the attribute is missing, the AD MUST use an existing SSO session if one exists and is applicable (see Single sign-on and user sessions RFC2390).

@IsPassive

: MAY be included. If IsPassive is included, the value MUST be 'false'.

@ProtocolBinding

SAML: MUST NOT be included because AssertionConsumerServiceIndex is required in .

@AssertionConsumerServiceIndex

: This attribute indicates the URL to which the response must be sent. The value of AssertionConsumerServiceIndex MUST match an index of an assertion consumer service in the HM's metadata.

@AssertionConsumerServiceURL

SAML: MUST NOT be included because AssertionConsumerServiceIndex is required in .

@AttributeConsumingServiceIndex

: The value MUST be '4'. Indicates that it is about the interface described in this document.

@ProviderName

: MAY contain a more detailed description of the provider.

Issuer

: MUST contain the EntityID of the HM.

The attributes NameQualifier, SPNameQualifier, Format and SPProvidedID MUST NOT be included.

Signature

: MUST contain the Digital signature of the HM for the enveloping message.

Extensions

: MUST contain the attributes IntendedAudience, ServiceID and the corresponding ServiceUUID.

If the DV requests additional attributes (via an AttributeConsumingService as described in Interface specifications DV-HM and the DV metadata for HM), they MUST be included here by the HM. To this end, one specific RequestedAttributes element (see schema below) MUST be included containing the RequestedAttribute elements reflecting the DV's request. The requested attribute(s) MUST be defined in the Attribuutcatalogus and MUST be declared as RequestedAttribute in the Service catalog entry for the requested service. An AD that is not able to provide these attributes MUST act as specified in the alternative use case described in Attributen niet leverbaar of niet toegestaan.

Other XML attributes MUST NOT be included.

Other elements MUST NOT be included.

Subject

: MUST NOT be included.

NameIDPolicy

: MUST NOT be included.

Conditions

: MUST NOT be included.

RequestedAuthnContext

: MAY contain an attribute Comparison='minimum' and an element AuthnContextClassRef that contains the minimum Level of assurance required by the DV.

When RequestedAuthnContext is included in the request, it must contain a Level of assurance (AuthnContextClassRef) equal to or lower than the level of assurance included in the Service catalog for the requested service.

Scoping

: MUST NOT be included.
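As an added example (not part of the specification or of any HM/AD implementation), a Python check that an AD could run on an incoming AuthnRequest to enforce the rules listed above before processing it; the HM EntityID, the ACS indexes and the sample request are constructed placeholders, and the Extensions children are matched on local name because this page does not state their namespace.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

def validate_authn_request(xml_text, hm_entity_id, acs_indexes):
    """Return the profile violations in an HM -> AD AuthnRequest (empty list = accept).
    acs_indexes: the AssertionConsumerService indexes published in the HM's metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]
    errors = []
    if root.get("Version") != "2.0":
        errors.append("@Version MUST be '2.0'")
    errors += [f"@{a} is required" for a in ("ID", "IssueInstant", "Destination") if not root.get(a)]
    errors += [f"@{a} MUST NOT be included" for a in ("Consent", "ProtocolBinding", "AssertionConsumerServiceURL") if a in root.attrib]
    if root.get("IsPassive") not in (None, "false"):
        errors.append("@IsPassive, when present, MUST be 'false'")
    if root.get("AssertionConsumerServiceIndex") not in acs_indexes:
        errors.append("@AssertionConsumerServiceIndex MUST match an index in the HM's metadata")
    if root.get("AttributeConsumingServiceIndex") != "4":
        errors.append("@AttributeConsumingServiceIndex MUST be '4'")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or (issuer.text or "").strip() != hm_entity_id:
        errors.append("Issuer MUST contain the EntityID of the HM")
    elif any(a in issuer.attrib for a in ("NameQualifier", "SPNameQualifier", "Format", "SPProvidedID")):
        errors.append("Issuer MUST NOT carry NameQualifier, SPNameQualifier, Format or SPProvidedID")
    if root.find(f"{{{DS}}}Signature") is None:  # presence only; verifying it is a separate step
        errors.append("Signature is missing")
    # The namespace of the Extensions children is not given on this page, so match on local name.
    ext = root.find(f"{{{SAMLP}}}Extensions")
    present = {c.tag.rsplit("}", 1)[-1] for c in ext} if ext is not None else set()
    errors += [f"Extensions MUST contain {n}" for n in ("IntendedAudience", "ServiceID", "ServiceUUID") if n not in present]
    for ns, name in ((SAML, "Subject"), (SAMLP, "NameIDPolicy"), (SAML, "Conditions"), (SAMLP, "Scoping")):
        if root.find(f"{{{ns}}}{name}") is not None:
            errors.append(f"{name} MUST NOT be included")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is not None and rac.get("Comparison", "minimum") != "minimum":
        errors.append("RequestedAuthnContext/@Comparison, when present, MUST be 'minimum'")
    return errors

# Constructed sample request; identifiers are placeholders, not values from the specification.
SAMPLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="https://ad.example/sso" ForceAuthn="false"
  AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="4">
  <saml:Issuer>urn:example:hm</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <samlp:Extensions><IntendedAudience/><ServiceID/><ServiceUUID/></samlp:Extensions>
  <samlp:RequestedAuthnContext Comparison="minimum"><saml:AuthnContextClassRef>urn:example:loa-placeholder</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""
```

A request that passes this check still needs its XML signature verified against the HM's metadata certificate and its IssueInstant/Destination checked against the AD's own clock and endpoint.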