Subject
The subject uniquely identifies the end-user that performed an authentication transaction. It allows you to correlate the end-user activity across multiple authentication sessions.
For different protocols, we return the subject using the following claims/attributes in the response:
After an authentication transaction, you always receive the subject in hashed form.
Hashing algorithm
We generate the hashed subject using the same hashing algorithm for all protocols with the following function:
Hashed_Subject = Replace(Base64(Sha256(output_of_proprietary_algorithm)))
- Sha256: The hashing algorithm. Its input bytes are the output_of_proprietary_algorithm, which is derived from the following input elements:
  - idp: Signicat-specific code that indicates the eID used in the transaction. For example, nbid for Norwegian BankID.
  - idpId: Raw subject, as provided by the eID (identity provider). Learn more in the Raw subject section.
  - organizationId: Unique identifier of your organisation, as registered in the Signicat Dashboard.
- Base64: Applies Base64 encoding to the SHA-256 digest.
- Replace: Replaces all + and / characters in the Base64 string with -.
Subject types
eIDs may return different subject values for the same end-user, thus making it difficult to track the end-user across sessions.
We distinguish between the following types of subject:
- Persistent: An eID always returns the same value for a specific end-user across multiple transactions.
- Transient: The subject varies for each authentication transaction. For example, the Finnish Trust Network (FTN) always sends Signicat a different subject identifier for each transaction.
Below you can find out how we process each subject type.
Raw subject and the idpId attribute
We build the raw subject, referred to as idpId, from the third-party response we receive from the eID. This process varies for each eID, depending on availability and the type of subject.
We apply the following logic to generate the idpId attribute:
- If an eID returns a Persistent subject identifier to Signicat, we use this value as the idpId to generate the hashed subject.
- If an eID returns a Transient subject identifier, or does not return any subject identifier to Signicat, we try to generate a persistent hashed subject from another attribute that is unique to the end-user. For example, we may select the National Identity Number (nin) as the idpId.
For details on how we process a missing or transient raw subject for a specific eID, refer to the eID documentation.
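The idpId selection rule above and the Replace(Base64(Sha256(...))) function from the Hashing algorithm section, as an added example. This is not Signicat's code: the EidResponse model, the field names, the sample values and, above all, the proprietary_input function are assumptions made for illustration. Signicat documents only the three input elements (idp, idpId, organizationId), not how they are combined, so the hashed values this produces will not match real ones; what it does show is the fallback from a transient or missing subject to nin, and the exact outer transformation (standard Base64, then both + and / mapped to -), plus a format check you can run on a hashed subject you receive.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Optional


# Constructed model of what Signicat receives from an eID. The field names
# are an assumption made for this example; they are not a Signicat API.
@dataclass
class EidResponse:
    idp: str                    # Signicat eID code, e.g. "nbid" for Norwegian BankID
    subject_type: str           # "persistent" or "transient" (see Subject types)
    subject: Optional[str]      # raw subject from the eID, or None if none is returned
    nin: Optional[str] = None   # National Identity Number, if the eID provides one


def select_idp_id(resp: EidResponse) -> Optional[str]:
    """Pick the idpId following the rule on this page: a persistent eID subject
    is used as-is; a transient or missing subject falls back to a unique
    attribute such as nin. Returns None when no stable identifier is available
    (the page does not say what happens then; refer to the eID documentation)."""
    if resp.subject and resp.subject_type == "persistent":
        return resp.subject
    if resp.nin:
        return resp.nin
    return None


def proprietary_input(idp: str, idp_id: str, organization_id: str) -> bytes:
    """ASSUMPTION: stand-in for Signicat's undocumented output_of_proprietary_algorithm.
    Only the three input elements are documented, not how they are combined, so a
    value produced from this will NOT match a real hashed subject from Signicat."""
    return f"{idp}|{idp_id}|{organization_id}".encode("utf-8")


def hash_subject(proprietary_output: bytes) -> str:
    """Replace(Base64(Sha256(x))) as documented: standard Base64 (padding kept,
    an assumption since the page does not say it is stripped), then both '+'
    and '/' replaced by '-'. This is not URL-safe Base64, which maps '/' to '_';
    the mapping here is many-to-one, so the digest cannot be recovered from it."""
    digest = hashlib.sha256(proprietary_output).digest()
    encoded = base64.b64encode(digest).decode("ascii")
    return encoded.replace("+", "-").replace("/", "-")


# A 32-byte SHA-256 digest encodes to 44 Base64 characters ending in one '='.
_HASHED_SUBJECT_RE = re.compile(r"[A-Za-z0-9-]{43}=")


def looks_like_hashed_subject(value: str) -> bool:
    """Sanity check for a value claimed to be a Signicat hashed subject:
    right length, only the post-Replace alphabet, single padding character."""
    return _HASHED_SUBJECT_RE.fullmatch(value) is not None


def compute_hashed_subject(resp: EidResponse, organization_id: str) -> Optional[str]:
    """End to end: choose idpId, build the (assumed) proprietary input, hash it."""
    idp_id = select_idp_id(resp)
    if idp_id is None:
        return None
    return hash_subject(proprietary_input(resp.idp, idp_id, organization_id))


if __name__ == "__main__":
    org = "example-org-id"  # constructed organizationId
    # Constructed responses: a persistent subject, and a transient one with a nin.
    persistent = EidResponse("nbid", "persistent", "subject-abc123")
    transient = EidResponse("ftn", "transient", "one-time-7f3a", nin="example-nin")
    for r in (persistent, transient):
        print(r.idp, select_idp_id(r), compute_hashed_subject(r, org))
```

Two transactions from a transient eID with different one-time subjects but the same nin produce the same hashed subject, which is the whole point of the fallback; a response with neither a persistent subject nor a nin yields no hashed subject at all, so treat that case explicitly rather than assuming the claim is always present.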
How to receive the raw subject
After an authentication transaction, you always receive the hashed subject. However, to receive the raw subject (idpId), you must specify an additional parameter in your request.
In the table below you find the idpId parameters per protocol:
After the authentication transaction, you will find the raw subject in the payload of the response. These are the fields per protocol: