DigiD
DigiD (Digital Identity) is the authentication service of the central Dutch Government, serving hundreds of sites while authenticating millions of users. DigiD is a product of GBO.Overheid and is part of the e-Government initiative by the Dutch government.
Advantages of using the DigiD Authentication Method
The DigiD Authentication Method allows OpenASelect to use DigiD Burger as a remote identity provider. This in turn enables you to use OpenASelect as the identity provider for your web application(s), instead of directly using DigiD. There are several advantages to this approach, which are explained here by using a city's web portal as an example. Suppose that the city has an existing portal in place that uses its own authentication mechanism (tied to a local account store). The city plans to use the OpenASelect server for authentication instead. The OpenASelect server will be configured to use the local account store, a local authentication method, and the DigiD authentication method. This is illustrated in the picture below:
Compared to the web portal using DigiD directly, the above setup has the following advantages:
- The portal can use any protocol supported by OpenASelect, including SAML2, OpenID, and the A-Select 1.5 protocol. If the portal is a SAML2 service provider, for example, then connecting it to OpenASelect is a trivial change in configuration.
- The portal can now provide its services to both users that have a local account, as well as users that have a DigiD account. It doesn't have to abandon its existing account store nor any user attributes that might be stored in there.
- The city can trivially implement Single Sign-On (SSO) between its Portal and other applications (e.g. Web Applications 1 & 2 in the example picture). Note that DigiD imposes some restrictions on the use of SSO. For example, if web application 1 is not allowed to obtain the user's BSN, then that application must be left out of the SSO group.
- By using the right combination of user ID transformation, user attributes, and attribute release policies in OpenASelect, you can nearly always implement SSO even if you run into DigiD's restrictions. For example, you can configure OpenASelect to always use or generate a local user ID (with no relation to the BSN), assign the BSN obtained from DigiD to a user attribute, and then configure an Attribute Release Policy (ARP) so that only those applications that are allowed to obtain the BSN actually retrieve that attribute.
- OpenASelect can map DigiD users to local users, thereby linking a user's local account to his DigiD account and allowing any existing, local user attributes to automatically apply to those users.
- OpenASelect can provide stronger or specialized authentication for certain functionality within the portal. For example, if the user tries to access paid content (such as a copy of an official document), he could be asked to (re-)authenticate using an authentication method that invokes an online payment service.
In addition, you have all the regular advantages of OpenASelect, including access to extended security and audit logging, the ability to use and combine any number of authentication methods, the ability to gather user attributes from multiple sources, etc.
OpenASelect adheres to all DigiD security regulations as defined by GBO.Overheid, to the extent that they apply to OpenASelect (some regulations apply only to the web application).
Links
- DigiD Configuration reference for OpenASelect Server.
- DigiD Eenmalig Inloggen for OpenASelect Server (soon to be released, article in Dutch).
- For more information about DigiD Burger, visit the DigiD website, GBO.Overheid or e-Overheid.