DigiD Identity Provider

SAML Identity Provider

DigiD is a SAML-based Identity Provider, so to get a full understanding of how it works, please read the SAML Identity Providers topic guide first.

Configuration

DigiD uses the SAML Artifact binding, which requires Mutual SSL to be configured.

Important:

  • DigiD only accepts PKI-Government certificates for authentication of service providers' web services.
  • Please make sure that the keys are in PKCS1 format.

Mutual SSL

To enable the Onegini IDP to establish a secure Mutual SSL connection when a SAML artifact is resolved, the following environment variables must be configured. See the properties page for how to use them:

  • IDP_KEYSTORE_FILE
  • IDP_KEYSTORE_ALIAS
  • IDP_KEYSTORE_PASSWORD
  • IDP_HTTPS_TRUST_STORE_FILE
  • IDP_HTTPS_TRUST_STORE_PASSWORD

Please also make sure that DigiD's public certificate is trusted, i.e. added to the TrustStore. If you want to provide your own TrustStore file, see the following configuration properties:

  • IDP_HTTPS_TRUST_STORE_FILE
  • IDP_HTTPS_TRUST_STORE_PASSWORD

SAML message signing

The PKI-Government certificate used to set up the SSL connection MUST also be used for signing SAML messages. The private key provided to the Onegini IDP must be in PKCS1 format. See the properties page for how to use the properties below:

  • IDP_SAML_SIGNING_PRIVATEKEY
  • IDP_SAML_SIGNING_CERTIFICATE

Troubleshooting

If you experience issues during SAML Artifact resolution from DigiD and receive a 404 Not Found status code in the response, double-check your SAML signing configuration.
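As an added example (not part of the Onegini or DigiD documentation), the following POSIX shell functions perform the pre-deployment checks the Mutual SSL and SAML message signing sections above call for: that every listed property is set, that the signing key is PKCS1 rather than PKCS8, and that the signing certificate is the same certificate as the one in the Mutual SSL keystore. It assumes the key and certificates are available as PEM files (the keystore entry exported to PEM) and that the PKCS1/PKCS8 distinction can be read from the PEM header.

```shell
#!/bin/sh
# Added example, not the product's own code. Assumes PEM files on disk.

# Every property this page says must be set for Mutual SSL and SAML signing.
REQUIRED_VARS='IDP_KEYSTORE_FILE IDP_KEYSTORE_ALIAS IDP_KEYSTORE_PASSWORD
IDP_HTTPS_TRUST_STORE_FILE IDP_HTTPS_TRUST_STORE_PASSWORD
IDP_SAML_SIGNING_PRIVATEKEY IDP_SAML_SIGNING_CERTIFICATE'

# Print the names of required variables that are unset or empty, one per line.
missing_vars() {
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || printf '%s\n' "$v"
  done
}

# Classify a PEM private key by its header: PKCS1 RSA keys start with
# "BEGIN RSA PRIVATE KEY"; PKCS8 keys start with "BEGIN PRIVATE KEY" or
# "BEGIN ENCRYPTED PRIVATE KEY". Prints the format and succeeds only for
# pkcs1, the format the DigiD integration requires.
key_format() {
  if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
    echo pkcs1; return 0
  elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
    echo pkcs8-encrypted; return 1
  elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
    echo pkcs8; return 1
  fi
  echo unknown; return 1
}
# A PKCS8 key can be rewritten as PKCS1 with:
#   openssl rsa -in key-pkcs8.pem -traditional -out key-pkcs1.pem
# (OpenSSL 3; older releases emit the PKCS1 form without -traditional).

# Succeed only when two PEM files carry the identical certificate body, i.e.
# the SAML signing certificate really is the Mutual SSL certificate.
same_certificate() {
  a=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1" | tr -d ' \r\n')
  b=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$2" | tr -d ' \r\n')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage on a deployment host (file names are placeholders):
#   missing_vars
#   key_format signing-key.pem
#   same_certificate signing-cert.pem keystore-cert.pem
```

A non-empty output from `missing_vars`, a `pkcs8` result, or a failing `same_certificate` are the configuration mistakes most likely behind the 404 described in the troubleshooting note.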

Required authentication level

Choose the minimum authentication level. If the user did not meet the required authentication level at DigiD, the authentication is rejected by the Onegini IDP.

DigiD authentication levels (betrouwbaarheidsniveau):

  • Basic (Basis)
  • Middle (Midden)
  • Substantial (Substantieel)
  • High (Hoog)

Mapping the NameID

It is possible to map DigiD's NameID value to a custom attribute when configuring DigiD as an identity provider in the Onegini IDP, even though NameID is not a SAML attribute. To do so, in the Custom attribute mapping section, enter NameID in the "Attribute to map from" field and choose any name you would like to map it to.