Authenticating Dutch organizations via eHerkenning
Introduction
In The Netherlands, citizens can interact with digital government services using a central username and password through an authentication scheme called DigiD. This helps these services to hook into a central registry of users, thus providing them with a single identity corresponding to a single username and password. DigiD is a widely spread and well known authentication system that people use to file their taxes, interact with their local government etc.
The interesting challenge comes when one can offer digital services to organizations rather than individuals. From a business perspective, when people work for a certain organization they also interact with government services but do that on behalf of their organization, not on their own account. Also in time, people might switch jobs and therefore represent different organizations over time.
To deal with this issue, another national authentication scheme has been created that isn’t that well-known yet but is quickly gaining popularity: eHerkenning (meaning e-Recognition in Dutch).
eHerkenning overview
With eHerkenning, the idea is that organizations arrange accounts for users that represent them with one of the available eHerkenning brokers. Users can then authenticate with any system that offers eHerkenning integration. Those systems will receive a unique identifier for the user after a successful authentication attempt, as well as an organization ID that includes the registration number for the Dutch Chamber of Commerce. This allows government services to verify that users are truly acting on behalf of the organization they claim to represent. Authentication can be username/password based, but eHerkenning supports higher degrees of security as well by offering services with different security levels. That means that depending on the desired security level, something like 2-factor authorization with SMS or even based on PKI certificates handed out only face-to-face to the users involved can be required.
On the back-end, eHerkenning makes use of open security standards like SAML, on top of which it defines a custom profile. Initially the possibility to offer services that integrate with eHerkenning was restricted to government organizations, but this year the system is opened up for commercial services wishing to offer this ease of authentication through a central system as well.
eHerkenning for Ascert SMART 2.0
Trifork Amsterdam is delivering the new version of a system for Ascert (an organization in the asbestos removal branch), which in particular focuses on inventories of asbestos sources found on site at construction projects, called SMART 2.0. This application allows users from all SC-540 licensed organizations (i.e. organizations that are allowed to produce official asbestos inventory reports) to enter projects with one or more asbestos sources which are classified based on the user’s input. The input, classification result and working instructions for the removal company are then included in a report for the project’s asbestos sources. Other interested organizations, like city councils or asbestos removal organizations, can also enter sources but are not allowed to produce official reports.
The owner of the SMART 2.0 application is the Ascert foundation. Part of their requirements for this rebuild of their current application was authentication based on eHerkenning. Trifork has successfully added eHerkenning support to the SMART 2.0 application by integrating a Java adapter offered by the chosen eHerkenning broker with Spring Security, the open source framework used in most of our applications to provide authentication and authorization services. Since the information available after successfully authenticating with eHerkenning is limited to a meaningless user ID and the organization ID, users are required to complete their profile by entering their names and email addresses after logging in for the first time. The first user of an organization currently needs to update the organization profile with relevant details as well; if desired, future releases could easily automate this by integrating with a third-party web service that offers this data based on the Chamber of Commerce identifier that’s part of the organization ID.
Authorization, i.e. determining who is allowed to access what functionality and data, is still the job of the service implementation. Fortunately Spring Security enforces a very strict distinction between authentication and authorization, so adding an authentication mechanism like eHerkenning doesn’t affect the way that authorization is performed. This means that support for eHerkenning can be added to existing applications on demand with relatively little time and effort required.
Conclusion
While eHerkenning is not yet as widely adopted as something like DigiD, it’s expected that more and more government services will offer or even require it in the near future as the way to let users acting on behalf of other organizations authenticate themselves.
Trifork is now able to offer eHerkenning as one of the supported authentication mechanisms in our custom solutions, either exclusively or in addition to other mechanism like form-based login pages. Please contact us if you’d like more information about the options of using eHerkenning for your online services!
A Dutch version on this post Identificeren van bedrijven via eHerkenning is available on our website.