Frequently Asked Questions

Got questions?

Everything you need to know about ClickID — from SAML integration to pricing and GDPR compliance. Can't find your answer? Drop us a line.

General

What is ClickID?

ClickID is an EU-hosted, open-source SAML 2.0 identity provider built on Keycloak. It lets organisations replace DigiD as their user-authentication layer while keeping data inside the EU, making the full source code auditable, and running on infrastructure you control.

Is ClickID a legal replacement for DigiD?

No. DigiD is the Dutch government's mandatory system for services that require it by law — healthcare regulated under the Wgbo, tax filing, and similar use cases. ClickID is for organisations that rely on DigiD by convention rather than legal obligation: membership portals, subscription services, alumni platforms, and any B2C service that simply wants the same "log in with your Dutch digital identity" UX without handing data to a US-owned chain.

Who is ClickID for?

Any private-sector service provider operating in the Netherlands or EU that:
• Uses DigiD out of habit, not legal necessity
• Wants full control over authentication data
• Needs an auditable, self-hostable alternative
• Is concerned about the sovereignty of identity infrastructure after recent acquisition news

Is ClickID open source?

Yes. ClickID is released under the European Union Public Licence 1.2 (EUPL-1.2) — a strong copyleft licence designed specifically for European public-sector software. You can read, fork, and self-host the entire stack at no cost. Commercial plans cover managed hosting, support, and an SLA, not a software licence fee.

Technical

What protocol does ClickID use?

SAML 2.0 (Security Assertion Markup Language) — the same protocol DigiD uses. Your existing SAML metadata, assertion consumer service URLs, and attribute mappings work without modification. You point your SP metadata at ClickID instead of DigiD and you're done.

What are Sector-IDs and why do they matter?

A Sector-ID is a pseudonymous, per-SP identifier derived from a user's identity using HMAC-SHA256. Each service provider sees a different opaque identifier for the same user, so it is impossible to cross-correlate users across services by comparing NameIDs. This mirrors DigiD's sector-based BSN pseudonymisation and is a core privacy requirement under the eIDAS framework.

What attributes does a SAML assertion contain?

By default each assertion includes:
• NameID (persistent, pseudonymous Sector-ID per SP)
• Email address
• Given name and family name
• Authentication context class (SUBSTANTIAL)
Additional attributes can be mapped per SP via the self-service portal.

Does ClickID support Single Logout (SLO)?

Yes. Both SP-initiated and IdP-initiated Single Logout are supported via the standard SAML 2.0 SLO binding. The SLO endpoint is published in the IdP metadata you download from the portal.

How does the sandbox environment differ from production?

The sandbox realm (clickid-sandbox) is pre-configured for fast integration testing:
• No email verification required
• No TOTP enforcement
• 8-character minimum password (versus 12 in production)
• No brute-force protection
• Pre-seeded demo user: resident@example.nl / Welkom12345!
You get a fully functional SAML flow for automated tests without fighting MFA prompts.

Can I run ClickID on my own Kubernetes cluster?

Yes. A production-ready Helm chart is included in the repository under infra/helm/clickid/. It includes:
• Keycloak with KUBE_PING clustering (RBAC pre-configured)
• Bitnami PostgreSQL subchart
• Health probes on the Keycloak management port
• Secrets with helm.sh/resource-policy: keep to prevent accidental deletion
Run helm install clickid ./infra/helm/clickid -f your-values.yaml and you're live.

Which MFA methods are supported?

TOTP (Time-based One-Time Password, compatible with Google Authenticator, Aegis, Bitwarden Authenticator) and WebAuthn / Passkeys. TOTP is enforced by default in production. WebAuthn can be enabled per realm via the Keycloak admin console.

Pricing

Is there a free tier?

Yes — the Sandbox plan is permanently free. You can register unlimited service providers, run full SAML flows with test users, and keep the integration in your CI pipeline forever. The sandbox is rate-limited and not suitable for production user traffic.

What counts as an "authentication"?

One successful SAML authentication response sent to a service provider. Failed logins, session refreshes, and SLO requests do not count. You can monitor your usage in real time from the SP portal dashboard.

What happens when I exceed my monthly authentication limit?

We never hard-cut your users off. Traffic above your plan's included limit is billed as overage:
• Cloud: €0.005 per additional authentication
• Scale: €0.003 per additional authentication
You will receive an email warning at 80 % and 100 % of your limit. Upgrade at any time to move to a higher base tier.

Can I self-host ClickID for free?

Yes, indefinitely. The EUPL-1.2 licence imposes no restriction on self-hosting. You pay nothing to Anthropic or ClickID contributors for running the software. Commercial plans exist for organisations that want managed hosting, guaranteed SLAs, and direct engineering support — not for the right to use the code.

Do you offer annual billing?

Yes. Annual billing carries a 20 % discount versus monthly. Contact hello@clickid.eu or use the Enterprise contact form to set up annual invoicing.

Can I change plans mid-cycle?

Upgrades take effect immediately and are prorated for the remainder of the billing period. Downgrades take effect at the start of the next billing cycle.

Security & Compliance

Where is my data stored?

Managed ClickID infrastructure runs exclusively in EU data centres (Amsterdam and Frankfurt regions). No authentication data, user attributes, or logs are ever transferred outside the European Economic Area. For self-hosted deployments, you choose the location entirely.

Does ClickID ever see my users' BSN (Burger Service Nummer)?

No. ClickID does not integrate with DigiD or GDI and therefore never receives a BSN. Users register with email and password (or a future eIDAS node). The Sector-ID system generates pseudonymous identifiers independently of any government ID number.

Is ClickID GDPR compliant?

Yes. Key GDPR controls are built in:
• Data minimisation — only name, email, and authentication events are stored by default
• Purpose limitation — Sector-IDs prevent cross-SP tracking
• Right to erasure — user deletion cascades across all SP sessions
• Data residency — all processing stays in the EU
• Audit logging — every authentication event is logged with tamper-evident signatures

What encryption standards are used?

All SAML assertions are signed with RSA-SHA256. HTTPS is enforced everywhere with TLS 1.2 minimum (TLS 1.3 preferred). Passwords are hashed using Argon2id via Keycloak's credential store. Sector-ID derivation uses HMAC-SHA256 with a per-deployment secret pepper.
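The Sector-ID mechanism described above (a per-SP pseudonymous NameID keyed with a per-deployment HMAC-SHA256 pepper) can be illustrated as follows. This is an added example written for this FAQ, not ClickID's own implementation: the length-prefixed input encoding, the base64url output format and the demo pepper are assumptions.

```python
"""Illustrative per-SP Sector-ID derivation with HMAC-SHA256 (example code,
not ClickID's implementation; encoding and output format are assumptions)."""
import base64
import hashlib
import hmac

# Constructed demo pepper. A real deployment keeps this secret outside the
# code base; rotating it changes every Sector-ID, which breaks persistence.
DEMO_PEPPER = b"constructed-demo-pepper-do-not-use-in-production"


def _length_prefixed(part: str) -> bytes:
    """Prefix a UTF-8 field with its 4-byte length so that the
    concatenation of (entityID, user id) is unambiguous and cannot collide."""
    raw = part.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def derive_sector_id(pepper: bytes, sp_entity_id: str, user_id: str) -> str:
    """Return the opaque, persistent NameID that one SP sees for one user.

    The HMAC key is the deployment pepper; the message binds the SP's SAML
    entityID to the user's internal identifier. Without the pepper an SP
    cannot recompute the mapping, and two SPs get unrelated identifiers.
    """
    message = _length_prefixed(sp_entity_id) + _length_prefixed(user_id)
    digest = hmac.new(pepper, message, hashlib.sha256).digest()
    # 32-byte digest -> 43-character base64url string without padding.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_sector_id(pepper: bytes, sp_entity_id: str, user_id: str,
                     candidate: str) -> bool:
    """Constant-time check that a presented NameID belongs to (SP, user)."""
    expected = derive_sector_id(pepper, sp_entity_id, user_id)
    return hmac.compare_digest(expected, candidate)


def sector_ids_for_user(pepper: bytes, user_id: str,
                        sp_entity_ids: list) -> dict:
    """Show the unlinkability property: one user, one NameID per SP."""
    return {sp: derive_sector_id(pepper, sp, user_id) for sp in sp_entity_ids}


if __name__ == "__main__":
    sps = ["https://portal.example.nl/saml/metadata",
           "https://alumni.example.nl/saml/metadata"]
    for sp, nameid in sector_ids_for_user(DEMO_PEPPER, "user-1001", sps).items():
        print(f"{sp} -> {nameid}")
```

Comparing the two printed NameIDs shows why an SP cannot join its users with another SP's by comparing identifiers, while the same SP gets the same value on every login.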

Is ClickID eIDAS compatible?

ClickID issues assertions at the SUBSTANTIAL assurance level as defined by eIDAS. It is not an eIDAS notified scheme itself — i.e. it cannot be used as a cross-border eIDAS identity node — but assertions are structured to match eIDAS attribute profiles and assurance levels.

How do I report a security vulnerability?

Please use responsible disclosure. Email security@clickid.eu with a description of the issue and reproduction steps. We target a first response within 48 hours and a patch within 14 days for critical findings. Public CVEs are coordinated with the reporter before disclosure.

Migration & Support

How long does integration take?

Most developers complete sandbox integration in under an hour. You need to:
1. Register your SP in the portal (2 minutes)
2. Download IdP metadata and configure your SAML library (15–30 minutes)
3. Test the full auth flow with the demo user
4. Promote to production when satisfied
No contracts, procurement cycles, or manual review gates.

Can I run DigiD and ClickID in parallel?

Yes. Many service providers run both during a transition period. Your application can offer "Log in with DigiD" and "Log in with ClickID" simultaneously. Users who migrate their account simply authenticate via ClickID from that point on. Both IdPs can be active indefinitely.

Do I need to migrate existing user accounts?

No account migration is required. ClickID uses persistent Sector-IDs — the first time an existing user logs in via ClickID, a new pseudonymous identifier is issued. You can map this to your internal user record using a one-time re-link flow (user logs in and confirms their account). We provide example code for common frameworks in the documentation.

What support is available on the free Sandbox plan?

Community support via GitHub Discussions and the public documentation site (docs.clickid.eu). Paid plans add email support (Cloud), priority email and video calls (Scale), and 24/7 dedicated engineering support (Enterprise).

Do you offer integration assistance?

Scale and Enterprise customers can book onboarding sessions with the engineering team. For Cloud customers, guided integration is available as a one-off service — contact hello@clickid.eu for pricing. Community contributors may also be available for contract work via GitHub Discussions.

Didn't find your answer?

Our team usually replies within one business day.

Contact us

Ready to get started?

Sandbox is free, no credit card required. Your first production SP is one click away.