link

# itsme

Belgian Mobile ID (BMID), also referred to as 'itsme', is an identity scheme originating from Belgium. The scheme is co-created by banks and telecom providers to allow easy digital identity proofing and signing use cases. Currently itsme has millions of users in the Belgium market, which is still increasing significantly. itsme provides a mobile application to citizens requiring users to perform a one-time registration before users can start using the service. Users can either onboard in the itsme application either through a bank account or derive the identity directly from the Belgian National Identity Card (Belgium eID).

itsme offers a secure and easy means of electronic identification that allows end-users to digitally log in to and/or register for business and government services and sign documents.

# Demo

If you would like to see how itsme works, you can use Signicat's demo service to simulate an itsme transaction in our test environment. You will need an itsme test account in order to complete the demo flow. Information on how to obtain such a test account, can be found further below on this page.

# Method types

The itsme scheme supports different method types, designed for different purposes. The available methods are listed below:

  • Identity proofing: used to identify, onboard users and/or sign documents (AES)
  • Authentication: used to authenticate recurring users
  • Sign: used to sign documents (QES)

Both the signing and the identity proofing methods can be used in Signicat's electronic signature solution. Where the identity proofing method will lead to an Advanced Electronic Signature (AES) according to eIDAS, the dedicated Sign method will deliver a Qualified Electronic Signature (AES). How both methods can be used in the signing service is further illustrated below.

# Available attributes

The itsme identity proofing method can be used to identify users, which is most applicable for account creation / onboarding use cases. The following attributes can be derived from an itsme identity proofing flow. Please note that other itsme methods will return a limited data set. The list below illustrates the available attributes within the itsme scheme.

The following attributes can be obtained from the itsme identity proofing method:

  • Family name
  • Given name(s)
  • Gender
  • Birthdate
  • Phone number
  • Email address*
  • Address*
  • Postal code*
  • City*
  • Country*
  • Locale*

Additionally to the attributes above, it's possible to request additional data from the user through itsme. Signicat needs a justification per attribute before enabling these additional data attributes on the service. This will be agreed on during the onboarding process.

  • Place of birth
  • eID number (the eID card serial number)
  • National identification number (in Belgium: "Rijksregisternummer")
  • Nationality*
  • Issuance locality*
  • Validity of the eID card*
  • eID picture* (portrait picture of the card holder)

The itsme authentication method only returns a unique ID for that specific user that can be linked to a previous itsme identity proofing, which also contains this unique ID.

Data availability

*itsme does not guarantee the availability of these attributes for all users

# End-user experience

itsme can be used to securely identify users electronically with validated attributes. Merchants can implement itsme in their own client application and provide users the possibility to identify and/or authenticate through their own trusted bank environment.

Typically the following is applicable when going through the itsme flow

  • The consumer visits the merchant's website and proceeds to onboard / authenticate through itsme.
  • The merchant redirects to the Signicat platform and starts an itsme transaction for that specific user.
  • The consumer will be redirected to itsme and the user needs to provide the mobile phone number in the itsme UI.
  • The user then needs to give consent in the mobile itsme application to share the attributes and the user will be redirected to the merchant's website.
  • Signicat then retrieves a confirmation of a successful transaction and returns the attributes to the merchant.

# Technical integration

This section provides technical details how customers can use each of the four itsme methods on the Signicat platform. Signicat offers an OIDC identity hub, which requires customers to start transactions through an authentication URL. For further information about the authentication URL, see the Authentication API.

# Using itsme through OIDC

In the authentication URL, it's mandatory to provide a method name in the acr_values to trigger the required itsme method. The method names for the two itsme methods are listed below.

Value Description
itsme-register itsme identity proofing method
itsme-login itsme authentication method

In order to fetch the attributes, you can use the following OIDC scope: signicat.itsme, this make sure the corresponding itsme attributes are part of the response.

An example of an authorisation URL for the itsme-register method is listed below.

https://eu01.preprod.signicat.com/oidc/authorize?response_type=code&scope=openid+profile+address&client_id=demo-preprod-basic&redirect_uri=https://labs.signicat.com/redirect&acr_values=urn:signicat:oidc:method:itsme-register&state=123

# OIDC response example

For a response example from a typical itsme authentication, see the OIDC response examples page.

# Using itsme in the Sign API

itsme can also be used as a signing method in the Sign API. The Sign API requires a different integration than OIDC, for more information about the electronic signature service and the required technical integration, please see Sign API.

In the Sign API, it's possible to define the required signing method. In case itsme needs to be used as a signing method, the following object can be used on task level in the Sign API.

"signatureMethods": {
    "handwritten": false,
    "name": "itsme-register",
    "type": "AUTHENTICATION_BASED"
}
"signatureMethods": {
    "handwritten": false,
    "name": "itsme-qes-sign",
    "type": "THIRD_PARTY"
}

App switching limitation for itsme QES

Currently mobile redirects / app switching is not supported when using itsme QES. This means that when a user opens a signing link in the browser on a mobile device, the user should manually open the itsme application, confirm the signature and navigate back to the browser where the signing process was started to succesfully complete the transaction.

# Sandbox environment

Signicat offers an open and free access preproduction test environment, eu01.preprod.signicat.com. All itsme methods can be used in the test environment and this also accounts for the Sign API. This test environment can be used to start integrating with itsme.

# Connecting to the sandbox environment

In order to integrate with the open test environment, you can use the following endpoint and credentials.

Value Description
https://eu01.preprod.signicat.com Endpoint of the test environment
demo-preprod-basic Client ID of the test environment
KmcxXfuttfBGnn86DlW8Tg3_dYu6khWafkn5uVo7fGg Client Secret of the test environment

Please note that this is an open and test environment. Therefore it's not possible to apply any custom configurations on this service. However, in case you already have your own client credentials and service, you can re-use that connection to make an integration with itsme.

# Example response

An example of an itsme response from the identity proofing flow, taken from the test envrironment is illustrated below. Please note that the example below contains all the available attributes.

{
	"itsme.sub": "fjdnfhr7264jfnr9sjwhfnrjwu",
	"itsme.birthdate": "1990-01-01",
	"itsme.email_verified": "true",
	"itsme.gender": "male",
	"itsme.iss": "https://merchant.itsme.be/oidc",
	"itsme.phone_number_verified": "true",
	"itsme.given_name": "John",
	"itsme.aud": "HERv3bE2k5",
	"itsme.name": "John Doe",
	"itsme.phone_number": "+32412345678",
	"itsme.family_name": "Doe",
	"itsme.email": "john.doe@signicat.com",
	"itsme.address.country": "Belgium",
	"itsme.address.street_address": "Place Sainte-Gudule 5",
	"itsme.address.locality": "Bruxelles",
	"itsme.address.postal_code": "1000",
	"itsme.national_number": "12345678987",
	"itsme.eid": "123456789876",
	"itsme.issuance_locality":	"Bruxelles",
	"itsme.validity_from": "2015-06-12T00:00:00+0100",
	"itsme.validity_to": "2025-06-12T00:00:00+0100",
	"itsme.read_date": "2021-05-15T22:00:00+0000",
	"itsme.nationality": "Belg",
	"itsme.city-of-birth": "Bruxelles",
	"itsme.photo": "base64 encoded string"
}

# Obtaining an itsme test account

In order to complete itsme transaction in the Signicat test environment, you will need an itsme test account and you will need to install the E2E itsme test application on a mobile device. Please find the steps below how the account can be activated.

First you need to obtain an itsme account, please send an email to onboarding@itsme.be and request an itsme test account. After receiving the account, please complete the following steps below to setup the account correctly.

To download the E2E itsme app, please use of the links below dependent on the OS of your device

iPhone users

For iPhone users, you need to trust Belgian Mobile ID NV (Go to Settings/General/Profiles & Device Management)

Once the itsme application is installed correctly, please complete the 8 steps below to activate the account:

  1. The first step is to enroll via MyBank using this link (opens new window) on a desktop
  2. Click on "Aanmelden"
  3. Input the card number (cfr. test account file)
  4. click on Logon/Aanmelden (not Openid or itsme - Login)
  5. Then enter the test phone number (cfr. test account file)
  6. Then clicking until you get a token.
  7. Open the E2E mobile App and enter the same test phone number (cfr. test account file)
  8. Enter the token.

In case of specific question to activating the itsme test account, please contact onboarding@itsme.be

itsme test account doesn't work with QES

itsme test accounts can only be used in the test environment and for the following services; identity proofing, authentication and confirm. At the moment it's not possible to use an itsme test account for the hash signing service (QES), as itsme does not have a dedicated test environment for qualified signatures. This means that in the Signicat test environmt you will need an actual itsme production account to complete QES transactions.

# Deployment to production

Once the integration in the test environment is completed and you are ready to deploy the integration to the production environment, please make sure that you have provided Signicat with the following information, so that the service can be correctly configured before your go-live.

Signicat needs to configure the service in collaboration with itsme, therefore please take into account that a couple of working days may be required to fully setup the service in production.

  1. Which itsme methods you would like to use through either OIDC / SAML. The options are; itsme-register or itsme-login
  2. If applicable, which itsme methods you would like to use as a signing method in the Sign API. The options are; itsme-registerfor AES or itsme-register for QES
  3. If applicable, in case you would like to use a custom subdomain, make sure to follow the steps on establishing a subdomain
  4. In order to enable the additional personal attributes, a justification is required before this can be enabled. Please make sure that you have a justification why these attributes are required.
  5. Which redirect URLs should be added to your service, in order to navigate the user correctly after the itsme transaction is completed.
  6. Once the integration is completed, please share a demo video of the integration for a required UX review.

# References

Below a list of useful references to video's and demo's:

# Support

If you have any further questions, contact us at support@signicat.com.

Last updated: 30/11/2022 11:28 UTC