LoA setting for eHerkenning

Configure Identify System Setup to Support eID Messages


After you create a tenant, log in to the Admin site and navigate to the System Setup page where you need to configure the following settings:

  • Sign metadata: Set it to True.
  • SAML 2 Profile: Select the eHerkenning profile.
  • Security token resolver factory: Select the option: “Safewhere.IdentityProvider.Saml2.Tokens.CustomSubResolverSecurityTokenResolverFactory, Safewhere.IdentityProvider.Saml2”.
  • Signing security token sub resolvers: Choose “Select All”.
  • Encrypting security token sub resolvers: Choose “Select All”.

Here are the screenshots:

[Screenshot: Sign metadata setting]

[Screenshot: SAML 2 Profile setting]

After saving all the changes by clicking the Save button, you need to reset IIS so that the changes are applied.

Create and Configure Level of Assurance (LoA)


In this step, you are going to set up LoA for eHerkenning by using the Authentication context method class (ACMC):

    1. Go to the System Setup tab > Authentication context method class and create context classes, as described in the link above.
    2. Saml2 Protocol (DV) Connection: Set the “Default requested authentication context class:” to the desired value.
      [Screenshot: Saml2 Protocol (DV) connection settings]

      This value has two usages:

        • Identify puts it into the AuthnRequest that it sends to the AD when the AuthnRequest received from the DV does not specify one.
        • It is also the LoA of the DV as published in the Service Catalog.
    3. Saml2 Authentication (AD) Connection:
      1. Set “Authentication context method class” to the desired LoA.
      2. Check “Set RequestedAuthnContext to AuthnRequest” so that Identify includes the LoA in the AuthnRequest that it sends to the AD.

[Screenshot: Saml2 Authentication (AD) connection settings]
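The two rules above (fall back to the DV connection's default class when the DV's AuthnRequest carries no RequestedAuthnContext, then send the LoA to the AD and check what comes back) as an added example; this is not Identify's own code. The eHerkenning assurance-class URNs, the issuer and request IDs, and the sample messages are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed eHerkenning assurance-class URNs, ordered from lowest to highest LoA.
LOA_ORDER = [
    "urn:etoegang:core:assurance-class:loa2",
    "urn:etoegang:core:assurance-class:loa2plus",
    "urn:etoegang:core:assurance-class:loa3",
    "urn:etoegang:core:assurance-class:loa4",
]

def requested_loa(authn_request_xml: str):
    """Return the AuthnContextClassRef of an AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    ref = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None

def effective_loa(dv_request_xml: str, connection_default: str) -> str:
    """Mirror the DV-connection rule: the DV's requested class if present,
    otherwise the 'Default requested authentication context class'."""
    return requested_loa(dv_request_xml) or connection_default

def build_ad_authn_request(loa: str, issuer: str, request_id: str) -> str:
    """Build the AuthnRequest sent to the AD with RequestedAuthnContext set
    (what 'Set RequestedAuthnContext to AuthnRequest' switches on)."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", ID=request_id, Version="2.0")
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext", Comparison="minimum")
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = loa
    return ET.tostring(req, encoding="unicode")

def assertion_meets_loa(assertion_xml: str, required: str) -> bool:
    """Check the AD's answer: the assertion's AuthnContextClassRef must be a
    known class at or above the LoA that was requested."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnContext/saml:AuthnContextClassRef", NS)
    got = ref.text.strip() if ref is not None and ref.text else None
    if got not in LOA_ORDER or required not in LOA_ORDER:
        return False
    return LOA_ORDER.index(got) >= LOA_ORDER.index(required)

# Constructed sample messages (not real eHerkenning traffic).
DV_REQUEST_NO_LOA = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_dv1" Version="2.0">'
    '<saml:Issuer>https://dv.example</saml:Issuer></samlp:AuthnRequest>')
AD_ASSERTION_LOA3 = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>'
    'urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>'
    '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>')
```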

Create and Configure a SAML 2.0 Protocol Connection for the DV


  1. Create a new SAML 2.0 Protocol Connection.
  2. Import metadata for the newly created SAML 2.0 Protocol Connection.
  3. Open the connection and choose Eherkenning for the SAML 2 Profile:

[Screenshot: SAML 2 Profile set to Eherkenning]

Save the connection. After the page is saved and reloaded, it will look like this:

[Screenshot: SAML 2.0 Protocol Connection after reload with the Eherkenning profile]

Because eHerkenning requires that assertions are not encrypted, enable the “Do not encrypt assertions” option:

[Screenshot: Do not encrypt assertions option]

Create and Configure a SAML 2.0 Authentication Connection for the AD


  1. Create a new SAML 2.0 Authentication Connection.
  2. Import metadata into the newly created connection.
  3. Open the connection and choose Eherkenning for the SAML 2 Profile.

[Screenshot: SAML 2 Profile set to Eherkenning on the Authentication Connection]