DigiD Identity Provider

SAML Identity Provider

DigiD is a SAML based Identity Provider, therefore to get a full understanding of how it works, please look at the SAML Identity Providers topic guide first.

Configuration

DigiD uses the SAML Artifact binding, which requires mutual SSL/TLS to be configured.

Important:

  • DigiD only accepts PKI-Government certificates for authentication of service providers' web services.
  • Make sure that the private keys are in PKCS1 format.

Mutual SSL

Use the Certificates system tab to set up the mutual SSL keys and the identity provider server certificate. Then select the configured items in the DigiD configuration form under the SAML Mutual SSL/TLS configuration section.

SAML message signing

The PKI-Government certificate that has been used to set up the SSL connection MUST also be used for signing SAML messages. The private key provided to the Onegini IdP needs to be in the PKCS1 format. Check that the following properties are configured:

  • IDP_SAML_SIGNING_PRIVATEKEY
  • IDP_SAML_SIGNING_CERTIFICATE

Troubleshooting

If you experience issues during SAML Artifact resolution from DigiD and receive a 404 Not Found status code in the response, double-check your SAML signing configuration.
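The two requirements above (a PKCS1 private key, and the same PKI-Government certificate for both mutual TLS and SAML signing) can be checked before filling in the properties. The script below is an added example, not part of Onegini IdP or its documentation; it assumes the OpenSSL command-line tool is installed and takes the key and certificate files you intend to use for IDP_SAML_SIGNING_PRIVATEKEY and IDP_SAML_SIGNING_CERTIFICATE as arguments.

```shell
# Pre-flight check for DigiD signing material (added example, not Onegini tooling).
# Usage: check_digid_signing_material KEY_FILE CERT_FILE
#   1. the key must be an unencrypted PEM PKCS#1 key ("BEGIN RSA PRIVATE KEY"),
#      not PKCS#8 ("BEGIN PRIVATE KEY")
#   2. the key must belong to the certificate used for mutual TLS (same modulus),
#      because that certificate must also sign the SAML messages
check_digid_signing_material() {
    key="$1"
    cert="$2"
    if ! grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$key"; then
        if grep -q -- '-----BEGIN PRIVATE KEY-----' "$key"; then
            # OpenSSL 3 writes PKCS#8 by default; -traditional forces PKCS#1 output
            echo "key is PKCS#8; convert with: openssl rsa -in $key -traditional -out key-pkcs1.pem" >&2
        else
            echo "key is not an unencrypted PEM RSA private key" >&2
        fi
        return 1
    fi
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) \
        || { echo "cannot read private key $key" >&2; return 1; }
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) \
        || { echo "cannot read certificate $cert" >&2; return 1; }
    if [ "$key_mod" != "$cert_mod" ]; then
        echo "private key does not match certificate: SAML signing must use the mutual TLS certificate" >&2
        return 1
    fi
    echo "OK: PKCS#1 key matches certificate $cert"
    return 0
}
```

A 404 during Artifact resolution is one symptom of a mismatch between these two items; running the check on the exact files deployed to the IdP rules that cause out first.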

Required authentication level

Choose the minimum authentication level. If the user does not meet the required authentication level in DigiD, Onegini IdP rejects the authentication.

DigiD authentication levels (betrouwbaarheidsniveau), from lowest to highest:

  • Basic (Basis)
  • Middle (Midden)
  • Substantial (Substantieel)
  • High (Hoog)

Mapping the NameID

Although NameID is not a SAML attribute, DigiD's NameID value can be mapped to a custom attribute when configuring DigiD as an identity provider in Onegini IdP. To do so, in the Custom attribute mapping section enter NameID in the "Attribute to map from" field and choose any name you would like to map it to.