Levels of Assurance
The Level of Assurance (LoA) measures the degree of trust or confidence in the claimed identity of a person. It indicates how certain you can be about the claimed identity of your end-users when they use an eID to access your online services.
This page provides conceptual information about the LoA supported by the eIDs in the eID Hub, along with explanations and examples to help you configure the right level for your authorisation requests.
How it works
The Signicat eID Hub supports four different Levels of Assurance (LoA):
When connecting to an eID, you can specify the LoA for authentication.
Specify LoA in requests
You determine the LoA for an authentication by specifying it as a parameter in your authorisation request. How to do that varies per authentication protocol.
The table below shows how to request a specific level of assurance (for example high) with the different protocols supported by the eID Hub:
If you don't specify any LoA in your authorisation request, the minimum LoA supported by the eID is used by default. For a complete list of values, refer to the LoA supported by eIDs section below.
Authorisation request examples
How you pass the LoA in your requests varies per authentication protocol:
- OpenID Connect
- SAML 2.0
- Authentication REST API
To specify the LoA with OIDC, define acr_values=loa:<LoA> in your authorisation request. For example, to ask for LoA high:
https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize?
&client_id=<OIDC_CLIENT_ID>
&response_type=<GRANT_TYPE_CODE>
&redirect_uri=<REDIRECT_URI>
&scope=openid%20profile
&state=<STATE>
&code_challenge=ABC123
&code_challenge_method=S256
&acr_values=loa:high
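The request above, built programmatically. This is an added example, not Signicat's own code: the domain, client ID and redirect URI are constructed placeholders, and the PKCE pair is derived properly (S256 over a random verifier) instead of the ABC123 placeholder shown in the URL. The point to notice is that the requested level travels as acr_values=loa:<LoA>; the helper at the end reads it back so you can confirm what an outgoing request actually asked for.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; your real values come from your Signicat account.
SIGNICAT_DOMAIN = "example.sandbox.signicat.com"
CLIENT_ID = "sandbox-example-client"
REDIRECT_URI = "https://app.example.com/callback"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for code_challenge_method=S256."""
    # 32 random bytes give a 43-character base64url verifier (RFC 7636 allows 43..128).
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(domain: str, client_id: str, redirect_uri: str,
                        state: str, code_challenge: str, loa: str) -> str:
    """Build the OIDC authorisation request that asks the eID Hub for a minimum LoA.

    The eID Hub reads the level from acr_values=loa:<LoA> and then ensures the
    authentication happens at that level or a higher one.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "acr_values": f"loa:{loa}",
    }
    return f"https://{domain}/auth/open/connect/authorize?" + urlencode(params)


def requested_loa(url: str) -> Optional[str]:
    """Read back the LoA requested in an authorisation URL, or None if absent.

    An absent acr_values means the eID's minimum LoA applies by default, which
    is worth spotting when you review outgoing requests in logs.
    """
    for value in parse_qs(urlparse(url).query).get("acr_values", []):
        if value.startswith("loa:"):
            return value[len("loa:"):]
    return None


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorize_url(SIGNICAT_DOMAIN, CLIENT_ID, REDIRECT_URI, state, challenge, "high")
    print(url)
    print("requested LoA:", requested_loa(url))
```

Keep the code_verifier server-side with the state value; it is sent only on the token request, never in the authorisation URL.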
The Signicat eID Hub ensures that the same, or a higher, LoA is used for authentication. Learn more in the Security validation section.
View LoA in responses
After an authentication is successful, the response you receive from the Signicat eID Hub contains the level of assurance that the end-user authenticated with.
To find out how the LoA is returned in the response, choose the appropriate authentication protocol below:
- OpenID Connect
- SAML 2.0
- Authentication REST API
After a successful authentication, you receive the LoA in the acr claim of the ID token, according to the ID Token specification. For example, an authentication performed with LoA high returns acr: "high" in the payload of the ID token.
{
"iss": "https://example.sandbox.signicat.com/auth/open",
"sub": "pZsWJxH7eOfKa9Y3CR2mxTElnTAhu6o2ZWKOCpyOjWY=",
"aud": "sandbox-vivid-blade-759",
"nonce": "n-0S6_WzA2Mj",
"iat": 1742917663,
"exp": 1742918263,
"auth_time": 1742917660,
"acr": "high"
}
Filter eIDs by LoA
When you have multiple eIDs active in your account and you start an authentication process, the eID Hub authorisation server displays all the eIDs to your end-users in the eID selection screen. Typically, you control and restrict the selection of eIDs with IdP scoping.
When you specify a certain LoA in your request, only the eIDs that support the same level (or higher) will be displayed on the eID selection screen. For example, if you start an authentication request with LoA substantial, end-users can only choose among eIDs that support level substantial or high.
Example
Let's imagine a scenario where you have set up your integration to connect to the following eIDs:
- SMS OTP (low)
- Swedish BankID (substantial)
- MitID (low, substantial, high)
If your application starts an authentication requesting LoA substantial, the following happens:
- SMS OTP is not displayed in the eID selection screen, because LoA low is excluded.
- Swedish BankID and MitID are available in the eID selection screen.
- End-users can choose between Swedish BankID and MitID for authentication.
- Authentications occur with a (minimum) substantial level of assurance.
Security validation
If an eID authenticates end-users with a LoA lower than the one requested by your application, the eID Hub returns an error and the authentication fails. Before completing an authentication, the eID Hub checks the validity of the LoA by applying the following ordering:
unspecified < low < substantial < high
If you send a request with LoA Substantial but the eID returns a response obtained with LoA Low, the Signicat eID Hub terminates the authentication process and returns an error.
Validation rules
During an authentication process, the eID Hub checks that the LoA returned by an eID meets the following requirements:
- If the LoA in the response is lower than what you requested in your authorisation request, the eID Hub returns an error and the authentication process fails.
- If the LoA in the response is equal to or higher than what you requested in your authorisation request, the authentication process is valid and proceeds accordingly.
Exceptions
In SAML 2.0 connections with the <samlp:RequestedAuthnContext Comparison="exact"> element in the request:
- If the LoA in the response is different (not equal) from what you requested, the eID Hub returns an error and the authentication process fails.
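The ordering and validation rules of this section, together with the eID filtering scenario from the Filter eIDs by LoA example, as one added Python example. It is not Signicat's code: it models the Hub's server-side checks so that an integrator can apply the same rule on their own side before trusting an ID token. The eID list and the ID token payload are constructed from the page's example; treating a missing or unknown acr value as a failure (rather than as "unspecified") is this example's own defensive choice.

```python
from typing import Dict, Iterable, List, Optional

# Ordering from the Security validation section: unspecified < low < substantial < high.
LOA_ORDER: Dict[str, int] = {"unspecified": 0, "low": 1, "substantial": 2, "high": 3}


def loa_rank(loa: Optional[str]) -> int:
    """Map a LoA name to its rank in the ordering.

    Accepts both the request form ("loa:high") and the response form ("high").
    None is treated as 'unspecified'; any other unknown string raises, so a
    malformed acr value can never be mistaken for a high level.
    """
    if loa is None:
        return LOA_ORDER["unspecified"]
    name = loa.strip().lower()
    if name.startswith("loa:"):
        name = name[len("loa:"):]
    if name not in LOA_ORDER:
        raise ValueError(f"unknown level of assurance: {loa!r}")
    return LOA_ORDER[name]


def validate_loa(requested: Optional[str], returned: Optional[str],
                 comparison: str = "minimum") -> bool:
    """Apply the validation rules to the LoA an eID returned.

    comparison="minimum": returned must be equal to or higher than requested
                          (the default rule, and what OIDC acr_values gives you).
    comparison="exact":   returned must equal requested (SAML 2.0 with
                          RequestedAuthnContext Comparison="exact").
    Returns True when the authentication may proceed, False when the Hub would
    terminate it with an error.
    """
    req, ret = loa_rank(requested), loa_rank(returned)
    if comparison == "minimum":
        return ret >= req
    if comparison == "exact":
        return ret == req
    raise ValueError(f"unsupported comparison: {comparison!r}")


def eligible_eids(eids: Dict[str, Iterable[str]], requested: Optional[str]) -> List[str]:
    """Return the eIDs the selection screen would show for a requested LoA.

    An eID is shown if at least one of the levels it supports is equal to or
    higher than the requested level.
    """
    threshold = loa_rank(requested)
    return sorted(name for name, levels in eids.items()
                  if any(loa_rank(level) >= threshold for level in levels))


def check_id_token_acr(claims: Dict[str, object], requested: str) -> bool:
    """Check the acr claim of an ID token payload against the requested LoA.

    Call this only after the token's signature, issuer, audience, nonce and
    expiry have been verified; a missing acr ranks as 'unspecified' and so
    fails against any requested level above it.
    """
    acr = claims.get("acr")
    return validate_loa(requested, acr if isinstance(acr, str) else None)


# Constructed scenario from the Filter eIDs by LoA example.
EXAMPLE_EIDS: Dict[str, List[str]] = {
    "SMS OTP": ["low"],
    "Swedish BankID": ["substantial"],
    "MitID": ["low", "substantial", "high"],
}

# Constructed ID token payload in the shape shown in the View LoA in responses section.
EXAMPLE_ID_TOKEN_PAYLOAD: Dict[str, object] = {
    "iss": "https://example.sandbox.signicat.com/auth/open",
    "sub": "constructed-subject-identifier",
    "aud": "sandbox-example-client",
    "nonce": "constructed-nonce",
    "iat": 1742917663,
    "exp": 1742918263,
    "auth_time": 1742917660,
    "acr": "high",
}


if __name__ == "__main__":
    print("shown for substantial:", eligible_eids(EXAMPLE_EIDS, "substantial"))
    print("substantial requested, low returned:", validate_loa("substantial", "low"))
    print("substantial requested, high returned:", validate_loa("substantial", "high"))
    print("exact substantial, high returned:", validate_loa("substantial", "high", "exact"))
    print("ID token acr ok for high:", check_id_token_acr(EXAMPLE_ID_TOKEN_PAYLOAD, "high"))
```

The Hub already enforces these rules, so a relying party re-checking acr is defence in depth: it catches a misconfigured connection that sent no acr_values at all (the eID's minimum level then applies) and it makes the accepted level explicit in your own audit log.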
LoA supported by eIDs
The table below shows the levels of assurance supported by each eID:
Some eIDs are not eIDAS-notified. In such cases, we map the response from the eID to the closest eIDAS equivalent. However, the process of obtaining an account for these eIDs may not fully comply with eIDAS requirements and the eID may not have been legally validated.