DigiD Identity Provider
SAML Identity Provider
DigiD is a SAML-based Identity Provider. To get a full understanding of how it works, read the SAML Identity Providers topic guide first.
Configuration
DigiD uses the SAML Artifact binding, which requires Mutual SSL to be configured.
Important:
- DigiD only accepts PKI-Government certificates for authenticating the web services of service providers.
- Make sure the private keys are in PKCS1 format.
Mutual SSL
Use the Certificates system tab to set up the Mutual SSL keys and the identity provider server certificate. Then choose the configured items in the DigiD configuration form, under the SAML Mutual SSL/TLS configuration section.
SAML message signing
The PKI-Government certificate used to set up the SSL connection MUST also be used for signing SAML messages. The private key provided to the Onegini IdP needs to be in PKCS1 format. Check that the following properties are configured:
- IDP_SAML_SIGNING_PRIVATEKEY
- IDP_SAML_SIGNING_CERTIFICATE
Troubleshooting
If you experience issues during SAML Artifact resolution from DigiD and receive a 404 Not Found status code in the response, double-check your SAML signing configuration.
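The PKCS1 requirement above is easy to get wrong because OpenSSL and most key stores emit PKCS#8 (`BEGIN PRIVATE KEY`) by default, while PKCS1 keys carry `BEGIN RSA PRIVATE KEY`. The following added example (not Onegini IdP's own code) classifies a key PEM by its label and, for an unencrypted PKCS#8 wrapper around an RSA key, unwraps it to PKCS1 with a minimal DER walker; the sample key it builds is a structurally valid RSAPrivateKey with toy numbers, constructed only so the script runs offline. The helper names (`classify_pem`, `ensure_pkcs1`) are this example's own.

```python
"""Classify an RSA private-key PEM as PKCS#1 or PKCS#8 and unwrap unencrypted
PKCS#8 to PKCS#1 (added example; not Onegini IdP code)."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption


def _der(tag, content):
    """Encode one DER TLV (definite length, long form when content >= 128 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _der_int(value):
    """DER INTEGER for a non-negative int (leading 0x00 when the high bit is set)."""
    return _der(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def _read_tlv(data, pos):
    """Decode the DER TLV starting at pos; returns (tag, content, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def to_pem(der, label):
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def classify_pem(pem):
    """Return (kind, der) where kind is 'PKCS#1', 'PKCS#8' or 'PKCS#8-encrypted'."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    der = base64.b64decode("".join(m.group(2).split()))
    kinds = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8",
             "ENCRYPTED PRIVATE KEY": "PKCS#8-encrypted"}
    if label not in kinds:
        raise ValueError(f"unexpected PEM label: {label}")
    return kinds[label], der


def pkcs8_to_pkcs1(der):
    """Unwrap an unencrypted PKCS#8 PrivateKeyInfo carrying an rsaEncryption key.
    PrivateKeyInfo ::= SEQUENCE { version INTEGER, AlgorithmIdentifier, privateKey OCTET STRING };
    for RSA the OCTET STRING content is exactly the PKCS#1 RSAPrivateKey."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    tag, alg, pos = _read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key; only RSA keys have a PKCS#1 form")
    tag, key, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    return key


def ensure_pkcs1(pem):
    """Return a PKCS#1 PEM for the given key, converting from PKCS#8 when possible."""
    kind, der = classify_pem(pem)
    if kind == "PKCS#1":
        return pem
    if kind == "PKCS#8":
        return to_pem(pkcs8_to_pkcs1(der), "RSA PRIVATE KEY")
    raise ValueError("encrypted PKCS#8: decrypt it first, then convert")


# Constructed sample: a structurally valid RSAPrivateKey with toy numbers
# (n = 61 * 53, e = 17), wrapped in PKCS#8 the way key generators emit it.
SAMPLE_PKCS1_DER = _der(0x30, b"".join(_der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
SAMPLE_PKCS8_DER = _der(0x30, _der_int(0)
                        + _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                        + _der(0x04, SAMPLE_PKCS1_DER))
SAMPLE_PKCS8_PEM = to_pem(SAMPLE_PKCS8_DER, "PRIVATE KEY")

if __name__ == "__main__":
    print(classify_pem(SAMPLE_PKCS8_PEM)[0])  # PKCS#8
    print(ensure_pkcs1(SAMPLE_PKCS8_PEM))      # -----BEGIN RSA PRIVATE KEY----- ...
```

Run it against the PEM you intend to put in IDP_SAML_SIGNING_PRIVATEKEY: a `PKCS#8-encrypted` result means the key must be decrypted before conversion, and a `PKCS#8` result means it was wrapped and needs unwrapping. The same check and conversion can be done with `openssl rsa -in key.pem -out key-pkcs1.pem` (on OpenSSL 3.x add `-traditional`), which is the usual operational route; the script only makes explicit what that conversion does.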
Required authentication level
Choose the minimum authentication level. If the user did not meet the required authentication level in DigiD, the authentication is rejected in Onegini IdP.

| DigiD authentication level (betrouwbaarheidsniveau) |
|---|
| Basic (Basis) |
| Middle (Midden) |
| Substantial (Substantieel) |
| High (Hoog) |
Mapping the NameID
It is possible to map DigiD's NameID value to a custom attribute when configuring DigiD as an identity provider in Onegini IdP, even though NameID is not a SAML attribute.
To map NameID as a custom attribute, go to the Custom attribute mapping section, enter NameID in the Attribute to map from field, and choose any name you would like to map it to.
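To show what the two previous sections describe in code, the following added example (not Onegini IdP's own code) takes a parsed DigiD assertion, rejects it when its authentication level is below the configured minimum, and then copies the NameID into the attribute set under a custom attribute name. It assumes the assertion's signature and the artifact resolution over Mutual SSL were already verified. The mapping from the four level names on this page to AuthnContextClassRef values is an assumption taken from DigiD's public SAML interface specification, not something this page states; the assertion, issuer URL and NameID value are constructed.

```python
"""Enforce a minimum DigiD authentication level and map NameID to a custom
attribute on a parsed SAML assertion (added example; not Onegini IdP code)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Lowest to highest, matching the table on this page.
LEVELS = ["Basis", "Midden", "Substantieel", "Hoog"]

# Assumption: the AuthnContextClassRef DigiD uses for each level, per its public
# SAML interface specification. The page itself lists only the level names.
CLASS_REF_TO_LEVEL = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": "Basis",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract": "Midden",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard": "Substantieel",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": "Hoog",
}


def process_assertion(assertion_xml, required_level, nameid_attribute):
    """Decide on the authentication level and build the attribute set.

    Returns a dict with accepted (bool), level, reason and attributes. Assumes the
    XML signature was already verified against the DigiD server certificate."""
    if required_level not in LEVELS:
        raise ValueError(f"unknown required level {required_level!r}")
    root = ET.fromstring(assertion_xml)

    class_ref = root.findtext(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    level = CLASS_REF_TO_LEVEL.get((class_ref or "").strip())
    if level is None:
        return {"accepted": False, "level": None,
                "reason": f"unknown AuthnContextClassRef {class_ref!r}", "attributes": {}}
    # Reject when the level DigiD asserted is below the configured minimum.
    if LEVELS.index(level) < LEVELS.index(required_level):
        return {"accepted": False, "level": level,
                "reason": f"level {level} is below required {required_level}", "attributes": {}}

    name_id = root.findtext("./saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or not name_id.strip():
        return {"accepted": False, "level": level,
                "reason": "assertion has no NameID", "attributes": {}}

    attributes = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    # NameID is not a SAML attribute, so it is added under the configured custom name.
    attributes[nameid_attribute] = [name_id.strip()]
    return {"accepted": True, "level": level, "reason": "ok", "attributes": attributes}


# Constructed sample assertion: placeholder issuer and NameID, no signature element.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://digid.example/saml/idp</saml:Issuer>
  <saml:Subject><saml:NameID>s00000000:CONSTRUCTED</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="example_attr"><saml:AttributeValue>x</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(process_assertion(SAMPLE_ASSERTION, "Midden", "digid_nameid"))  # accepted, level Substantieel
    print(process_assertion(SAMPLE_ASSERTION, "Hoog", "digid_nameid"))    # rejected, level too low
```

The ordering check is the part worth keeping in mind: a minimum of Midden accepts Substantieel and Hoog but rejects Basis, and an unknown class reference is rejected rather than silently treated as the lowest level.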