eIDAS Identity Provider [experimental feature]

eIDAS is EU regulation 910/2014 that establishes a network of trust service providers enabling Citizen-to-Business-to-Government secure and trusted electronic service provisioning. To connect to the eIDAS network, an integration with its broker needs to be in place. In this case KPN (a Dutch telecommunications company) acts as the broker.

SAML Identity Provider

eIDAS is a SAML-based Identity Provider, so to get a full understanding of how it works, please read the SAML Identity Providers topic guide first.

What is required?

To successfully complete this topic guide you need to ensure the following prerequisites:

  • Onegini IDP instance must be running; for the sake of this guide we assume it is available under the http://idp-core.dev.onegini.me address
  • KPN broker must be accessible from the Onegini IDP instance
  • The Onegini IDP must be registered as a Service Provider within the KPN broker
  • Elliptic curve keys used in BSN polymorphic encryption / decryption must be available
  • PKIo certificates for SAML signing and encryption must be available
  • PKIo certificates for the mutual SSL connection must be available
  • KPN broker metadata (preferably version 1.13)
  • Service Provider's (the Onegini IDP's) entityID - the value should be issued by the broker and follow a strictly defined format, e.g. urn:etoegang:DV:00000003123456780000:entities:9093
  • service identifier referencing a service instance registered within the Service Catalog (e.g. https://aggregator.etoegang.nl/test/1.13/servicecatalog.xml); this identifier must follow a specific format, e.g. urn:etoegang:DV:00000003123456780000:services:1

Mutual SSL

To ensure that user-specific sensitive information, like the BSN number, cannot be eavesdropped, eIDAS requires a mutual SSL connection to be established between the Service Provider (represented by the Onegini IDP) and the KPN broker. In the following steps you will learn how the mutual SSL keys should be registered within the Onegini IDP and associated with the eIDAS Identity Provider.

Configure keys

In order to make eIDAS work, the following keys must be configured:

  • private key and certificate for the mutual SSL connection, used by the Onegini IDP on the client side when establishing the artifact resolution connection (keys are provided by KPN)
  • broker certificate for the mutual SSL connection, used by the Onegini IDP to verify the server side when establishing the artifact resolution connection (the certificate can be obtained from the KPN website that serves the SAML metadata, or should be provided by KPN)
  • private and public key for SAML encryption and signing (keys provided by KPN)
  • elliptic curve keys for BSN decryption (keys provided by KPN)

Each type of credentials must be configured separately in the Onegini IDP under the System -> Key pairs tab. The SAML signing and encryption keys must be registered under a specific name; KPN suggests that the certificate (public key) fingerprint should be used for that purpose. You can use the following command to calculate the value (the digest is given explicitly, since the name must be the 40-character SHA-1 fingerprint regardless of your OpenSSL version's default):

openssl x509 -sha1 -fingerprint -noout -in <path/to/cert.pem> | tr -d ':' | cut -d'=' -f2

For the sake of this topic guide let's assume that they are available under the names below:

  • mutual SSL keys client side -> eidas_mutual_ssl_client_keys
  • mutual SSL certificate server side -> eidas_mutual_ssl_server_certificate
  • SAML encryption and signing keys -> use the certificate fingerprint as the name here, e.g. 00F70FF45EEAE42193D7763A8DCB5E9568EFDD26
  • BSN decryption key -> eidas_bsn_key

We will be referencing these configurations in the next steps when defining eIDAS Identity Provider.

Configure eIDAS Identity Provider in the Onegini IDP

To register a new IdP of the eIDAS type, please visit the http://idp-core.dev.onegini.me:8082/admin page and log in to the Onegini IDP admin console. Select the Config menu option and navigate to the Identity Providers tab. Hit the + button to create a new Identity Provider configuration. Fill in the form as follows:

General information

  1. Type - open the dropdown list and select eIDAS
  2. Name - name your eIDAS Identity Provider instance
  3. Authentication Level - choose the desired authentication level that will be associated with the user session in the Onegini IDP after successful authentication at eIDAS
  4. Enabled - mark your Identity Provider as enabled
  5. Synchronise attributes - flag indicating whether the Onegini IDP should synchronize the person's profile attributes with the ones retrieved from the eIDAS Identity Provider
  6. Migration during sign up - flag indicating whether the Onegini IDP allows person migration with another email address than the one returned by the eIDAS Identity Provider

SAML attributes

  1. Required level of assurance - the level of assurance that will be requested from the broker; the value is related to the registered service identifier (requested attributes), for example in order to receive a BSN number the minimum level of assurance must be 3 - Substantial
  2. Entity ID - the Service Provider's (Onegini IDP's) entity ID, the value should be provided by the KPN broker
  3. Encryption key - keys that should be used in SAML encryption, in this tutorial it's 00F70FF45EEAE42193D7763A8DCB5E9568EFDD26
  4. Signing key - keys that should be used in SAML signing, in this tutorial it's 00F70FF45EEAE42193D7763A8DCB5E9568EFDD26
  5. BSN decryption key - key that should be used for decrypting the BSN number, in this tutorial it's eidas_bsn_key
  6. IdP Metadata - the KPN broker's SAML metadata (e.g. the contents of https://eid-pp.kpn.com/metadata/brk9113_nmd.xml)

Generating SAML metadata for KPN on-boarding process

In order to successfully integrate with eIDAS you need to generate SAML metadata that will be provided to the broker during the on-boarding flow. As of today the Onegini IDP does not generate it automatically based on the configuration you defined in the previous step, which means that you need to do it manually.

An example metadata will look as follows:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:eme="urn:etoegang:1.13:metadata-extension" ID="I02435843EAF2F520EBE4A9B7D28993E9F88120F9" eme:version="1.13" entityID="urn:etoegang:DV:00000003302392690000:entities:9005">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>Sefe4RLKqpIhVMpFdqNQ1L4iutZL2i5Fgpk2ArHDSYk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
aOC9O1ddSor8pYo+j+cNX8DGwx7egfDzd+t/evVJUeIIWZTDCbMBa3UbdsMrEyQsYXsjDPBqaNfi
8hhVBmr5/j0uTofh35Vq+F6Ms9VW9mZn831qRPXtwzz5L3QCxfzWdUZyK8+lza/WzPelAunzBfS9
846p5FQ3VuldVAWMcYrP3erTsQcU7QT5xywq23VOIaEtAKf2nz+6dYIGSbxWBc0GjvJsDh0a7vpI
qu+4LztM7Ap1fkMdAHKKWuiEcCLTT3ABgL0O4buFpyPpg6g4QbegZUdAyRix0bVVlrGnSvJ/no/z
iPqETFpyOSbleRX/NkBvIM+PGzxrdaYFK70xwQ==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
1snOyyXvIdWkY7oQeXWh0d467al133Whb8jw9LiM+Av1SYtzbjMQYueqyYpnC6/VSoZGnI+nGrXj
WC9jZ+jrU8qKRmtohXrXSe7fo1HjjUFqUoZZI9I6RnLZv58/z87CiqVEX39TaEKBf6feBlEnjh8i
WI0HDKiZ0I09ZjABlp1QnSSsa0c/ZmeVOHkxZLLX2Iqs8VvnjSf/B8bPXSrZhPSb3/Lr1HDM8r/B
QfF3PuLhq0gYhYRZ4eiA22Y9H6oEIBZYzbmzI8h6YXFobnvhD9ts6uBgDtnN3JxcYLRLRdqYMOXq
ad1jYqpjOFDMFySvGBwlxPzTSXsnWA7FmMzRsQ==
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:KeyName>00F70FF45EEAE42193D7763A8DCB5E9568EFDD26</ds:KeyName>
                    <ds:X509Certificate>MIIIUDCCBjigAwIBAgIMWaNysxceqBP6ZBqPMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAk5M...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://idp-core.dev.onegini.me:8080/saml/sp-authn-response" index="0" isDefault="true"/>
        <md:AttributeConsumingService index="1" isDefault="true">
            <md:ServiceName xml:lang="nl">Onegini testdienst</md:ServiceName>
            <md:ServiceName xml:lang="en">Onegini test service</md:ServiceName>
            <md:RequestedAttribute Name="urn:etoegang:DV:00000003302392690000:services:5"/>
        </md:AttributeConsumingService>
    </md:SPSSODescriptor>
    <md:Organization>
        <md:OrganizationName xml:lang="nl">Onegini B.V.</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="nl">Onegini</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="nl">https://www.onegini.com</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="administrative">
        <md:EmailAddress>support@onegini.com</md:EmailAddress>
        <md:TelephoneNumber>+31307116845</md:TelephoneNumber>
    </md:ContactPerson>
</md:EntityDescriptor>

Please note the following details:

  • the metadata must comply with the rules defined by the broker - https://afsprakenstelsel.etoegang.nl/display/as/DV+metadata+for+HM
  • it uses the predefined entityID - entityID="urn:etoegang:DV:00000003302392690000:entities:9005"
  • it defines an AttributeConsumingService which points to a service registered within the broker's Service Catalogue
  • it is signed with the private key provided by the broker that is meant to be used for SAML signing and encryption
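Since the metadata has to be produced by hand, the following Python script is an added example (not Onegini's code and not part of this guide) that builds the unsigned SP metadata from the values configured above, refuses entityIDs and service identifiers that do not follow the broker's format, and derives the KeyName from the certificate exactly as the openssl fingerprint command does; summarize() reads the same details back so you can check a document before submitting it. It assumes the certificate is handed in as base64 DER and uses a constructed placeholder instead of a real certificate; the XML-DSig signature required by the broker must still be added with your signing tool, as the standard library has none.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
EME = "urn:etoegang:1.13:metadata-extension"
# Identifier formats issued by the broker: a 20-digit OIN followed by a numeric index.
ENTITY_ID_RE = re.compile(r"^urn:etoegang:DV:\d{20}:entities:\d+$")
SERVICE_ID_RE = re.compile(r"^urn:etoegang:DV:\d{20}:services:\d+$")
for _prefix, _uri in (("md", MD), ("ds", DS), ("eme", EME)):
    ET.register_namespace(_prefix, _uri)
# Constructed placeholder bytes standing in for a DER certificate (not a real one).
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()

def cert_fingerprint_sha1(cert_b64):
    """Uppercase SHA-1 of the DER cert, no colons: what the openssl command in this guide prints."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()

def build_sp_metadata(entity_id, service_id, acs_url, cert_b64):
    # Unsigned metadata: sign it with the KPN-issued SAML signing key before on-boarding.
    if not ENTITY_ID_RE.match(entity_id):
        raise ValueError("entityID not in broker format: " + entity_id)
    if not SERVICE_ID_RE.match(service_id):
        raise ValueError("service identifier not in broker format: " + service_id)
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {f"{{{EME}}}version": "1.13", "entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {"AuthnRequestsSigned": "true", "WantAssertionsSigned": "true",
                       "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    x509 = ET.SubElement(ET.SubElement(ET.SubElement(sp, f"{{{MD}}}KeyDescriptor"), f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    # KeyName is the name the key pair is registered under in the Onegini IDP, i.e. the fingerprint.
    ET.SubElement(x509, f"{{{DS}}}KeyName").text = cert_fingerprint_sha1(cert_b64)
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {"Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
                                                           "Location": acs_url, "index": "0", "isDefault": "true"})
    acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService", {"index": "1", "isDefault": "true"})
    ET.SubElement(acs, f"{{{MD}}}ServiceName",
                  {"{http://www.w3.org/XML/1998/namespace}lang": "en"}).text = "Onegini test service"
    ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", {"Name": service_id})
    return ET.tostring(root, encoding="unicode")

def summarize(metadata_xml):
    root = ET.fromstring(metadata_xml)
    x509 = root.find(f".//{{{MD}}}KeyDescriptor/{{{DS}}}KeyInfo/{{{DS}}}X509Data")
    key_name = x509.findtext(f"{{{DS}}}KeyName")
    return {"entity_id": root.get("entityID"),
            "key_name_matches_cert": key_name == cert_fingerprint_sha1(x509.findtext(f"{{{DS}}}X509Certificate")),
            "acs_binding": root.find(f".//{{{MD}}}AssertionConsumerService").get("Binding"),
            "service_id": root.find(f".//{{{MD}}}RequestedAttribute").get("Name")}
```

summarize() also works on the signed document you get back from your signing tool, so a KeyName that no longer matches the embedded certificate is caught before the broker rejects the on-boarding request.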

If you need any assistance in generating the metadata please contact our support.