LoA setting for eHerkenning

Configure Identify system setup to support eID messages


After you create a tenant, log in to the Admin site and navigate to the system setup page, where you need to configure the following settings:

  • Sign metadata: set it to “True”.
  • SAML 2 Profile: select the eHerkenning profile.
  • Security token resolver factory: select the option: “Safewhere.IdentityProvider.Saml2.Tokens.CustomSubResolverSecurityTokenResolverFactory, Safewhere.IdentityProvider.Saml2”
  • Signing security token sub resolvers: select “Select All”
  • Encrypting security token sub resolvers: select “Select All”

Here is the screenshot:

[Screenshots: sign_metadata, saml2_profile]

After saving all the changes by clicking on the Save button, you need to reset IIS so that the changes are applied.

Create and configure Level of Assurance (LoA)


In this step, you are going to set up LoA for eHerkenning by using Authentication context method class (ACMC).

  1. Go to the System Setup tab > Authentication context method class and create context classes as described in the link above.
  2. Saml2 Protocol (DV) connection: set “Default requested authentication context class:” to the desired value.

     [Screenshot: saml2 protocol DV]

     This value has two usages:

     • Identify sets it in the AuthnRequest that is sent to the AD when the AuthnRequest from the DV doesn’t specify one.
     • It is also the LoA of the DV in the Service Catalog.
  3. Saml2 Authentication (AD) connection:
     1. Set “Authentication context method class” to the desired LoA.
     2. Check “Set RequestedAuthnContext to AuthnRequest” so that Identify includes the LoA in the AuthnRequest it sends to the AD.

[Screenshot: Saml2 Authentication AD]
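The LoA fallback described above, as an added example that is not part of the Safewhere Identify documentation: it models how the AuthnContextClassRef from the DV's AuthnRequest is carried into the AuthnRequest sent to the AD, with the configured default used when the DV sends none. The LoA URNs, the DEFAULT_REQUESTED_ACC constant and the function names are constructed placeholders, not values from the product.

```python
# Added example, not Safewhere Identify code. Models the fallback: forward the
# DV's requested AuthnContextClassRef to the AD when present, otherwise use the
# connection's "Default requested authentication context class".
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Placeholder for the value configured on the DV connection (assumption, not a real LoA URN).
DEFAULT_REQUESTED_ACC = "urn:example:loa:default"

def requested_acc(authn_request_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef carried by an AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    ref = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None

def acc_for_ad(dv_authn_request_xml: str, default_acc: str = DEFAULT_REQUESTED_ACC) -> str:
    """Pick the class ref to put into the AuthnRequest that goes to the AD."""
    return requested_acc(dv_authn_request_xml) or default_acc

def build_ad_authn_request(acc: str, comparison: str = "minimum") -> str:
    """Build a minimal outbound AuthnRequest with RequestedAuthnContext set to acc."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {"ID": "_id-placeholder", "Version": "2.0"})
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext", {"Comparison": comparison})
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = acc
    return ET.tostring(req, encoding="unicode")

# Constructed sample AuthnRequests from a DV: one with, one without a requested context.
DV_WITH_ACC = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0">
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:example:loa:high</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""
DV_WITHOUT_ACC = f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_a2" Version="2.0"/>'

if __name__ == "__main__":
    for name, xml in (("with", DV_WITH_ACC), ("without", DV_WITHOUT_ACC)):
        print(name, build_ad_authn_request(acc_for_ad(xml)))
```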

Create and configure a SAML 2.0 protocol connection for the DV


  1. Create a new SAML 2.0 protocol connection.
  2. Import metadata for the newly created SAML 2.0 protocol connection.
  3. Open the connection and choose “Eherkenning” for the SAML 2 profile:

[Screenshot: saml2 profile eherkening]

Save the connection. After the page is saved and reloaded, it will look like this:

[Screenshot: saml2 profile eherkening2]

Because eHerkenning requires that assertions are not encrypted, you need to keep the “Do not encryption” option selected:

[Screenshot: Do not encryption]

Create and configure a SAML 2.0 authentication connection for the AD


  1. Create a new SAML 2.0 authentication connection.
  2. Import metadata to the newly created connection.
  3. Open the connection and choose “Eherkenning” for the SAML 2 profile:

[Screenshot: saml2 profile eherkening]
