DigiD authentication

Some forms can require authentication. Open Forms supports authentication using DigiD. Access to DigiD can typically be obtained via Logius.

Using DigiD for authentication will provide the BSN (social security number) of the authenticated person to the form context. Using the BSN, certain fields can be prefilled with relevant personal data.

Steps to request access to a DigiD environment

The high-level overview of steps you need to perform are described here. The following sections provide more details.

  1. Read the requirements for getting access to DigiD on the Logius website. There are several steps that need to be taken on your end that are not covered here.

  2. Request a PKIoverheid Private Services Server G1 certificate at your PKIO SSL certificate supplier. This is required for backchannel communication with Logius (if you already have one for Open Forms, it can be re-used).

    You can prepare the certificates from the admin interface.

  3. Send the following information to your Open Forms supplier in a secure way:

    • Public and private certificate (obtained in step 2, private certificate is already present if you generated the Signing Request (CSR) via the admin)

    • Desired service name (for example: “Digitaal Loket”) shown in DigiD

    • Privacy policy URL of your main website

    Your Open Forms supplier will install the certificates in Open Forms, generate some XML metadata files and send these back to you.

  4. Request access to the pre-production environment on the Logius website and follow the steps there. To request access, you will need the following information:

    • Zekerheidsniveau: Midden

    • DigiD eenmalig inloggen: Nee

    • URL aansluiting: The Open Forms domain, for example: https://forms.organization.com

    • Webdienstnaam: The same desired service name as given in step 3

    • Metadata: The XML-file provided to you by your Open Forms supplier (see previous section)

    • Publieke deel PKIO-certificaat: The public certificate obtained in step 2

    As technical contact, you should provide your Open Forms supplier contact details.

Tip

You can specify a different security level (betrouwbaarheidsniveau) on a per-form basis.

DigiD

SAML2 AuthnContextClassRef element

Basis

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Midden

urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract

Substantieel

urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard

Hoog

urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI

Source: Logius

Preparing the certificates

To request a PKIoverheid certificate, you need a private key and a certificate signing request. You can generate these using openssl or other utilities, or use the built-in signing requests in the admin interface.

Tip

Creating the signing requests from the admin ensures the private key never leaves the server, lessening the chances that it is accidentally leaked.

Using the admin interface

  1. Navigate to the Admin.

  2. In the menu, navigate to Configuration > Signing requests.

  3. In the top right of the page, click the Add signing request button.

  4. Enter the desired fields - the information will be included in the signing request. Consult with your certificate supplier which data is required and what values are expected.

  5. Click Save to persist the changes. The page is reloaded.

  6. Under the section Signing request (CSR), click the Download CSR link.

Now, send the downloaded CSR to your certificate supplier and wait for them to verify it and provide you with the matching certificate. This can take some time (hours to days), as verification is often a manual process.

Once you have received the certificate, navigate back to the admin and locate your signing request.

  1. Edit the original signing request record in the admin.

  2. Navigate to the Upload signed certificate section.

  3. Upload the certificate provided by the certificate supplier.

  4. Save the changes.

If everything is valid, the private key + public cerificate pair is now available and almost ready for use. You can verify it in the admin via Configuration > Certificates.

You can now proceed to Generating the Service Provider metadata.

Generating the Service Provider metadata

In the admin environment we can configure the DigiD identity provider and select our required certificate pair(s). Once this is done, we can generate our service provider metadata.

  1. Navigate to the Admin.

  2. In the menu, navigate to Configuration > DigiD configuration.

  3. Under the X.509 Certificate section, click the Manage (number) link.

  4. Click the Add Digid/eHerkenning certificate button in the top right of the page.

  5. For Config type, select “DigiD”.

  6. For Certificate, click the search icon and select the certificate pair that was created earlier (in the Preparing the certificates section).

  7. Save the configuration and close the window/tab.

  8. Continue on the DigiD configuration page.

  9. In the section Identity provider, enter the identity provider metadata file (XML) URL. E.g. for pre-production: https://was-preprod1.digid.nl/saml/idp/metadata. The metadata will be retrieved and processed.

  10. Next, in the section SAML configuration, enter the fields:

    • Entity ID: This is the entity ID of Open-Forms. For DigiD, this can be the URL where Open-Forms is deployed, for example https://openforms.test.nl.

    • Base URL: Enter the URL where Open-Forms is deployed (and publicly accessible).

    • Resolve artifact binding content type: select text/xml unless you’re using old/legacy brokers or are instructed to pick application/soap+xml.

    • Want assertions signed: This should be checked.

    • Signature algorithm: Select RSA_SHA1.

    • Digest algorithm: Select SHA1.

  11. Continue to the section Service details and fill out the fields:

    • Service name: This is the name of the service for which authentication is needed.

    • Service description: A description of the service for which authentication is needed.

    • Requested attributes: What attributes are expected to be returned by DigiD after authentication. This should be ["bsn"].

    • Leave Single logout unchecked, as we currently don’t support this.

  12. Finally, you should provide some organization details - provide the telephone/e-mail contacts of the organisation responsible for the service requiring DigiD authentication.

Click on Save and continue editing to persist the configuration changes.

On the top right corner of the configuration page, there is a button View SAML metadata (XML). Click this button to download the metadata. The metadata needs to be sent to the broker to obtain access to a (pre-)production environment.

Note

Any changes to the configuration in the Admin page cause a change in the metadata. The updated metadata must be then sent to the broker again for the changes to be effective.

Problems? You might want to check out Form authentication issues.