How to connect a public or private online service
This page is for public or private online service providers wanting to learn more about integration with the eIDAS Network in their country. For public service providers, there is an obligation under the eIDAS Regulation to do so by 29 September 2018. For private service providers, there are a number of compelling benefits to doing so.
It is important to note that the specific integration process and activities conducted will differ depending on the situation in your country (eIDAS-Node infrastructure and eID schemes in use), as well as the specific needs of your organisation. The information on this page is therefore indicative only, designed to give you an idea of the sort of activities you can expect to undertake.
You must contact your Single Point of Contact before beginning the process, as they will support you according to your organisation's specific context.
High level process
Below is an outline of the steps and activities you may need to conduct during the connection process. Again, they are indicative only and actual activities may differ.
First, identify the specific requirements of your service and how you intend to use eIDAS eID. This will typically include an initial assessment of your service to determine indicatively what level of identity assurance best meets your organisation’s needs. This initial assessment may address questions such as:
- The purpose of your service - why will users access your service?
- What your service will look like - what will the user journey of your service look like?
- What information will be processed - what records will your service be using?
- What is your user demographic?
- What are the expectations/needs of the users of your service?
- What are the data privacy requirements of your service?
- What are the threats to your service?
- How may your service be attacked or misused?
Once your service has completed an initial assessment of the identity assurance required, your Single Point of Contact should help you determine whether and how eIDAS eID can meet the needs of your service. To facilitate this process, you may complete a proposal detailing how you intend to use eIDAS eID.
2. Needs analysis
You should complete a more detailed assessment of the specific needs of your service, confirm that they can be met, and define how eIDAS will fit into your service. Activities at this stage may include:
- Identifying any planning constraints that may affect the onboarding of your service
- Conducting a full risk assessment of your digital service
- Officially confirming the level of assurance your service requires
- Documenting and sharing the proposed user journeys for your service
- Sharing a recent privacy impact assessment
- Reviewing your service’s data quality
Produce a plan showing how you will build and integrate with eIDAS eID. This can be a complex process, so you will undoubtedly work closely with your Single Point of Contact when putting your plans together. This helps make sure the support you need is available when necessary, and gives you access to lessons learned from other services. The plan does not need to be too detailed, just enough to show your approach and give an idea of what will be delivered, by whom, and when within your service.
4. Build and integration testing
Build and integrate your eIDAS eID service and complete end-to-end testing. At a high level, this may include the following activities:
- Building a service that produces and consumes SAML
- Running SAML compliance tests
- Connecting your service to the integration environment
- Running end-to-end testing on all your user journeys in the integration environment
These activities may differ depending on the set-up in your country. Your National Contact Point will provide you with further detail.
5. Production onboarding
Finally, deploy your end-to-end service in a live production environment, confirm operational readiness and go live. This will typically involve connecting your service to the production environment. At this time you may also create a communication plan for the launch and ongoing operation of your service.