IdP discovery
If you have more than one ID method configured in your Signicat account, you can use IdP discovery to route the end-user to a specific ID method for authentication, therefore skipping the ID method selection screen where typically the end-user can choose their preferred ID method (from all the methods active in your account). This feature is also known as IdP scoping or IdP routing rules.
With IdP discovery, you can define logic to determine two aspects of an authentication flow:
- ID method discovery: You can define which ID method to use, such as iDIN or Norwegian BankID.
- Provider discovery: You can specify the entity or provider (such as a bank) for an ID method. For example, for iDIN you can choose to route the end-user to only one of the banks. Note that this functionality is limited to certain ID methods.
ID method discovery
To control which ID method to display to your end-users, you can use the allowedProviders field in the payload of the CreateSession request to the Signicat Authentication REST API.
You can find an overview of the values for each ID method at https://<YOUR_ACCOUNT_DOMAIN>/broker/idps. Use the value of internalName.
Skip IdP selection screen
If you define only one ID method in the payload, the end-user is routed to the IdP-specific authentication page, thus automatically skipping the IdP selection screen during authentication.
For example, to direct the end-user to SMS OTP, thus skipping the ID method selection screen, pass the following payload in your request:
...
"allowedProviders": [
  "otp-sms"
],
...
This prevents end-users from choosing other ID methods that may be active in your account.
How to display a subset of ID methods
To let the end-user choose among a subset of ID methods active in your account, specify multiple values in the allowedProviders key. For example, to display Email OTP and FTN to the end-user in the ID method selection screen, use:
...
"allowedProviders": [
  "otp-email",
  "ftn"
],
...
When the authentication flow starts, the end-user sees a selection screen where they can choose between Email OTP and FTN.
Provider discovery
In some cases, an ID method consists of a network of identity providers (or issuers), such as banks, that collectively offer authentication to their customers. You may want to offer your end-users only a limited number of these providers when they authenticate with that ID method.
To control the providers you make available for each authentication session, use the additionalParameters field in the payload of the CreateSession request to the Signicat Authentication REST API.
Below, you can find an overview of the attributes available for each ID method:
ID method | Attribute | Providers |
---|---|---|
iDIN | idin_idp | View the list of iDIN issuers (banks) active in your account at https://<YOUR_ACCOUNT_DOMAIN>.com/broker/authn/idin/issuers , where <YOUR_ACCOUNT_DOMAIN> is the domain you registered in the Signicat Dashboard Domain management. |
FTN | ftn_idp | View the list of FTN issuers in the ID method documentation for FTN. |
For example, when authenticating end-users with the Finnish Trust Network (FTN), you can choose which banks to include in the authentication process. To restrict the banks available to end-users, use the following fields in the payload:
...
"additionalParameters": {
  "ftn_idp": [
    "fi-aktia",
    "fi-danskebank"
  ]
},
...
You can find more details for each ID method in the respective ID method documentation.
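The following added example (not Signicat's code) builds the allowedProviders and additionalParameters fields described under ID method discovery and Provider discovery from server-side allowlists, so that a routing value taken from a request parameter cannot select an ID method or issuer you did not intend to offer. The function name build_discovery_fields and the allowlist contents are assumptions made for illustration; the sample values are the ones shown on this page.

```python
import json

# Constructed sample data: replace with the internalName values listed at
# https://<YOUR_ACCOUNT_DOMAIN>/broker/idps and your account's issuer lists.
ACCOUNT_ID_METHODS = {"otp-sms", "otp-email", "ftn"}
# ID method -> provider-discovery attribute (from the table above). iDIN's
# idin_idp can be added once you know iDIN's internalName in your account.
PROVIDER_ATTRIBUTE = {"ftn": "ftn_idp"}
KNOWN_ISSUERS = {"ftn": {"fi-aktia", "fi-danskebank"}}


def build_discovery_fields(id_methods, issuers=None):
    """Return the allowedProviders/additionalParameters part of a CreateSession payload.

    Raises ValueError instead of sending a value that is not on the allowlists.
    """
    methods = list(dict.fromkeys(id_methods))  # de-duplicate, keep order
    if not methods:
        raise ValueError("at least one ID method is required")
    unknown = [m for m in methods if m not in ACCOUNT_ID_METHODS]
    if unknown:
        raise ValueError(f"ID method not on allowlist: {unknown}")

    fields = {"allowedProviders": methods}
    params = {}
    for method, wanted in (issuers or {}).items():
        if method not in methods:
            raise ValueError(f"issuers given for {method!r}, which is not in allowedProviders")
        attribute = PROVIDER_ATTRIBUTE.get(method)
        if attribute is None:
            raise ValueError(f"{method!r} has no provider-discovery attribute")
        wanted = list(dict.fromkeys(wanted))
        bad = [i for i in wanted if i not in KNOWN_ISSUERS.get(method, set())]
        if not wanted or bad:
            raise ValueError(f"invalid issuer list for {method!r}: {bad or 'empty'}")
        params[attribute] = wanted
    if params:
        fields["additionalParameters"] = params
    return fields


if __name__ == "__main__":
    # Route straight to FTN and offer only two banks.
    fields = build_discovery_fields(["ftn"], {"ftn": ["fi-aktia", "fi-danskebank"]})
    print(json.dumps(fields, indent=2))  # strict JSON: no trailing commas
```

Merge the returned dictionary into the rest of your CreateSession payload before sending the request.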