eHerkenning and eIDAS authentication

Warning

This plugin cannot be configured via the admin interface and requires an update of the Open Forms installation.

Some forms can require authentication. Open Forms supports authentication using eHerkenning and eIDAS. To use eHerkenning and/or eIDAS, you must have a contract with an approved eHerkenning supplier.

Using eHerkenning for authentication will provide the KvK-number (chamber of commerce number) of the authenticated company to the form context. Using the KvK-number, certain fields can be prefilled with relevant personal data.

When using eIDAS, only a pseudoID is provided, along with certain attributes that describe the authenticated entity (person or company).

Note

Open Forms currently only supports the same security level for all forms.

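===========  ============  ==========================================
eHerkenning  eIDAS         SAML2 AuthnContextClassRef element
===========  ============  ==========================================
EH2          basis/low     urn:etoegang:core:assurance-class:loa2
EH2+         basis/low     urn:etoegang:core:assurance-class:loa2plus
EH3          substantieel  urn:etoegang:core:assurance-class:loa3
EH4          hoog/high     urn:etoegang:core:assurance-class:loa4
===========  ============  ==========================================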

Source: Afsprakenstelsel eToegang
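
The assurance-class URNs listed above are what a service provider compares against its configured security level when a SAML2 assertion comes back. The following is an added example, not Open Forms' own code: the function names and the sample assertion are hypothetical, and it assumes the assertion's signature has already been validated by the SAML library.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assurance classes from the table above, ordered lowest (EH2) to highest (EH4).
LOA_ORDER = [
    "urn:etoegang:core:assurance-class:loa2",
    "urn:etoegang:core:assurance-class:loa2plus",
    "urn:etoegang:core:assurance-class:loa3",
    "urn:etoegang:core:assurance-class:loa4",
]

# Constructed sample: a minimal assertion fragment, not real supplier output.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa2plus</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""

def asserted_loa(assertion_xml: str) -> str:
    """Return the single AuthnContextClassRef value; reject missing or ambiguous ones."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    refs = root.findall(path, SAML_NS)
    if len(refs) != 1:
        raise ValueError(f"expected exactly one AuthnContextClassRef, found {len(refs)}")
    return (refs[0].text or "").strip()

def meets_minimum(assertion_xml: str, required: str) -> bool:
    """True if the asserted level is at least `required`; unknown values fail closed."""
    if required not in LOA_ORDER:
        raise ValueError(f"unknown required level: {required}")
    asserted = asserted_loa(assertion_xml)
    if asserted not in LOA_ORDER:
        return False  # never treat an unrecognised class as sufficient
    return LOA_ORDER.index(asserted) >= LOA_ORDER.index(required)

if __name__ == "__main__":
    print(meets_minimum(SAMPLE_ASSERTION, LOA_ORDER[0]))  # EH2 required
    print(meets_minimum(SAMPLE_ASSERTION, LOA_ORDER[2]))  # EH3 required
```

Comparing by position in an explicit allow-list, rather than by string match or prefix, keeps a login at EH2+ from satisfying a form that requires EH3 and rejects any class the list does not name.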

Note

Authentication via eIDAS uses the same supplier and generated files as eHerkenning. If you plan on adding eIDAS support to Open Forms, it’s best to set up both at the same time.

Step by step overview

  1. Contact an approved eHerkenning supplier to get started. Sometimes, your Open Forms supplier can communicate directly with the eHerkenning supplier. Make sure you indicate whether you want to connect using eHerkenning, eIDAS or both, and for which type of environment (test or production).

  2. Request a PKIoverheid Private Services Server G1 certificate from your PKIO SSL certificate supplier. This is required for backchannel communication with your eHerkenning supplier (if you already have one for Open Forms, it can be reused).

  3. Send the following information to your Open Forms supplier:

    • Public and private certificate (obtained in step 2)

    • Name of the approved eHerkenning supplier

    • The desired consuming service indexes (or Service IDs)

    • Desired service name(s) in Dutch and English (for example: “Digitaal Loket”)

    • Privacy policy URL of your main website

    • The OIN of your organization.

    Your Open Forms supplier will install the certificates in Open Forms, generate some XML metadata files and send these back to you or directly to your eHerkenning supplier.

  4. Your eHerkenning supplier will inform you when everything is set up.

Problems? You might want to check out Form authentication issues.