
Subject

The subject uniquely identifies the end-user that performed an authentication transaction. It allows you to correlate the end-user activity across multiple authentication sessions.

For different protocols, we return the subject using the following attributes/claims in the response:

The subject is always hashed

After an authentication transaction, you always receive the subject in hashed form. Hashing converts the subject into a fixed-length value from which the original cannot be recovered, so you get a consistent identifier for an individual without exposing their personal information. Use it as an opaque identifier for correlating sessions; do not try to decode it or derive attributes from it.

How to receive the raw subject

You can also request the raw (unhashed) subject. To do this, you need to specify an additional query parameter in your request, as explained in the How to receive the raw subject section.

Hashing algorithm

We generate the hashed subject using the same hashing algorithm for all protocols with the following function:

Hashed_Subject = Replace(Base64(Sha256(output_of_proprietary_algorithm)))

Here is a step-by-step overview:

  • Sha256: The hashing algorithm. Its input bytes are the output_of_proprietary_algorithm, which is derived from the following input elements:
    • idp: Signicat-specific code that indicates the eID used for authentication. For example, nbid for Norwegian BankID.
    • idpId: Raw subject, as provided by the eID (identity provider). Learn more in the Raw subject section.
    • organizationId: Unique identifier of your organisation, as registered in the Signicat Dashboard.
  • Base64: Applies standard Base64 encoding to the 32-byte SHA-256 digest from the previous step.
  • Replace: Replaces all + and / characters in the Base64 string with -.

Two consequences are worth noting. Because organizationId is part of the hash input, the same end-user authenticating with the same eID gets a different hashed subject for each organisation, so your hashed subjects cannot be matched against another organisation's. And because the Replace step maps both + and / to the same character, and the way the inputs are combined before hashing is proprietary, the hashed subject cannot be decoded or recomputed on your side: treat it as an opaque identifier and compare it only by exact string equality.

Subject types

An eID may return different subject values for the same end-user across sessions, which makes it difficult to track the end-user from one authentication session to the next.

To handle this, we distinguish between two types of subject:

  • Persistent: The eID always supplies exactly the same value to identify a specific end-user across sessions.
  • Transient: The value varies across authentication sessions. For example, the Finnish Trust Network (FTN) provides a different subject identifier for each new session.

Below you can find out how we process each subject type.

Raw subject and the idpId attribute

We process the raw subject, referred to as idpId, from the response we receive from the eID (third party). The raw subject varies for each eID, depending on whether the eID returns one and on its subject type.

We apply the following logic to generate the idpId attribute that we send you:

  • If an eID returns a Persistent subject identifier to Signicat, we use this value as the idpId and as input to the hashed subject.
  • If an eID returns a Transient subject, or does not return any subject identifier, we try to derive a persistent hashed subject from another attribute. The attribute must be both unique to and consistent for a specific end-user. For example, we may select the National Identity Number (nin) as the idpId.

For details on how we process transient (or missing) raw subjects for an eID, refer to the specific eID documentation.
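The following Python script, added here as an illustration and not Signicat's own code, puts the two parts above together: it picks the idpId according to the Persistent/Transient rules in this section and then applies the Replace(Base64(Sha256(...))) pipeline from the Hashing algorithm section. The way idp, idpId and organizationId are combined before hashing is proprietary and not published, so the script substitutes a simple separator-joined concatenation and keeps standard Base64 padding; both are assumptions, as are all sample values, which are constructed placeholders. What the script does demonstrate follows from the documented inputs alone: a Persistent subject hashes differently under two organisations, and two FTN sessions with different transient subjects but the same nin hash identically.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# ASSUMPTION: Signicat's real combination step (output_of_proprietary_algorithm)
# is proprietary. This fixed-separator join is only a stand-in so that the
# documented SHA-256 -> Base64 -> Replace pipeline can be shown end to end.
_SEP = "|"


def combine_inputs(idp: str, idp_id: str, organization_id: str) -> bytes:
    """Stand-in for output_of_proprietary_algorithm (assumed, see above).

    Rejecting the separator inside a field keeps two different triples from
    producing the same byte string.
    """
    for name, value in (("idp", idp), ("idpId", idp_id), ("organizationId", organization_id)):
        if _SEP in value:
            raise ValueError(f"{name} must not contain {_SEP!r}")
    return _SEP.join((idp, idp_id, organization_id)).encode("utf-8")


def hashed_subject(idp: str, idp_id: str, organization_id: str) -> str:
    """Replace(Base64(Sha256(output_of_proprietary_algorithm)))."""
    digest = hashlib.sha256(combine_inputs(idp, idp_id, organization_id)).digest()
    # Standard Base64 alphabet; keeping the '=' padding is an assumption.
    encoded = base64.b64encode(digest).decode("ascii")
    # Replace step: both '+' and '/' become '-', so the result is not base64url
    # and is not meant to be decoded.
    return encoded.replace("+", "-").replace("/", "-")


@dataclass
class EidResponse:
    """Minimal model of an eID response (constructed for this example)."""
    idp: str
    subject: Optional[str]            # identifier the eID returned, if any
    subject_is_persistent: bool       # Persistent vs Transient subject type
    attributes: dict = field(default_factory=dict)   # e.g. {"nin": "..."}


def select_idp_id(resp: EidResponse, fallback_attribute: str = "nin") -> str:
    """Choose the raw subject (idpId) following the rules on this page.

    Persistent subject: use it as-is. Transient or missing subject: fall back
    to an attribute that is unique to and consistent for the end-user (nin is
    the page's example; the real choice is eID-specific).
    """
    if resp.subject is not None and resp.subject_is_persistent:
        return resp.subject
    try:
        return resp.attributes[fallback_attribute]
    except KeyError:
        raise ValueError(
            f"{resp.idp}: subject is transient or missing and no "
            f"{fallback_attribute!r} attribute is available for a persistent idpId"
        ) from None


def subject_for(resp: EidResponse, organization_id: str) -> str:
    """Full pipeline: select idpId, then hash it with idp and organizationId."""
    return hashed_subject(resp.idp, select_idp_id(resp), organization_id)


# Constructed sample data (placeholders, not real identifiers).
ORG_A = "org-a-1111"
ORG_B = "org-b-2222"

PERSISTENT = EidResponse(idp="nbid", subject="bankid-user-0001", subject_is_persistent=True)

# Two FTN sessions for the same person: transient subject differs, nin does not.
FTN_SESSION_1 = EidResponse(idp="ftn", subject="tx-4f9a2c", subject_is_persistent=False,
                            attributes={"nin": "010190-000A"})
FTN_SESSION_2 = EidResponse(idp="ftn", subject="tx-b71e08", subject_is_persistent=False,
                            attributes={"nin": "010190-000A"})
NO_SUBJECT_NO_NIN = EidResponse(idp="ftn", subject=None, subject_is_persistent=False)


if __name__ == "__main__":
    print("nbid, org A:", subject_for(PERSISTENT, ORG_A))
    print("nbid, org B:", subject_for(PERSISTENT, ORG_B))      # differs: organizationId is hashed in
    print("ftn session 1:", subject_for(FTN_SESSION_1, ORG_A))
    print("ftn session 2:", subject_for(FTN_SESSION_2, ORG_A))  # equal: nin used as idpId
```

Run it directly to print the four values. With the real combination step the exact strings differ, but the equalities and inequalities it shows depend only on which inputs go into the hash, which the page documents.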

How to receive the raw subject

After an authentication transaction, you always receive the hashed subject. To also receive the raw subject, you must additionally request it by adding the idpId query parameter to your request. How you format the parameter varies per authentication protocol.

The table below shows how to request the raw subject through the idpId parameter for the different protocols:

After the authentication transaction, you will find the raw subject in the payload of the response. These are the attributes in the response per protocol: