# Protocols and attributes
# Supported protocols
Signicat supports both the OIDC and SAML 2.0 protocols for MitID.
TIP
SAML 1.1 will be deprecated soon. If you are using Signicat's SAML 1.1 client library for NemID and are migrating from scratch, we recommend migrating to OIDC (see How to migrate from SAML 1.1 to OpenID Connect). SAML 2.0 is much more complex to implement on the service provider’s end and usually requires a federation agent already in place.
Integration with MitID is done via the same API as Signicat's other ID methods. See Getting started with authentication. There, you will also find more general information about how to integrate with Signicat using the OIDC and SAML 2.0 protocols:
The following sections provide more specific details and examples for MitID used in both protocol contexts.
# Attributes in the response
You use MitID to verify the end-user’s identity and obtain relevant personal details about them. These attributes can be obtained during authentication (see code examples below the table):
SAML 2.0 | OIDC | Description |
---|---|---|
NameID | sub | The universally unique identifier for the eID of the end-user. Example value: c8938385-211d-4ab1-968c-ac84bb788c4f |
national-identity | signicat.national_id | The CPR number of the end-user. Only available when using the CPR match flow. Example value: 2805542112 See: CPR matching |
national-identity-country | N/A | The nationality of the national ID (always "DK"). Only given when using the CPR match flow. Example value: DK |
given-name | given_name | The first name of the end-user. Example value: Helle |
surname | family_name | The last name of the end-user. Example value: Jenssen |
common-name | name | The combined first name and last name of the end-user. Example value: Helle Jensen |
date-of-birth | birthdate | The end-user's date of birth. Example value: 1990-01-28 |
auth-token-id | auth_token_id | Included if the transaction is configured to be used as the basis for a future Step-up authentication. Example value: mitid:ce3c6b19-93cd-47f2-a48d-6c902d7761c6 |
mitid.uuid | mitid.uuid | See: NameID/sub. Example value: c8938385-211d-4ab1-968c-ac84bb788c4f |
mitid.fal | mitid.fal | Federated Assurance Level. This will always have the value "HIGH". Example value: HIGH See: Level of Assurance |
mitid.ial | mitid.ial | Identity Assurance Level. This value is associated with the end-user's eID, assigned as part of the MitID registration process and later only changeable through additional registration processes. Example value: SUBSTANTIAL See: Level of Assurance |
mitid.aal | mitid.aal | Authentication Assurance Level. This is calculated based on the authenticators that have been used and their strengths. Example value: SUBSTANTIAL See: Level of Assurance |
mitid.loa | mitid.loa | The Level of Authentication for the authentication. This is calculated as the minimum of IAL, AAL and FAL. Example value: SUBSTANTIAL See: Level of Assurance |
mitid.psd2 | mitid.psd2 | Whether or not the transaction was conducted compliant with PSD2. Example value: false See: PSD2 |
mitid.has-cpr | mitid.has_cpr | Whether or not the user has a registered CPR number. Example value: true See: CPR matching |
mitid.reference-text-body | mitid.reference_text_body | The reference text body as it was displayed in the MitID client UI. Example value: Transfer 200 DKK to Account XYZ. See: Texts in the MitID box |
mitid.transaction-id | mitid.transaction_id | MitID’s identifier for the transaction. Example value: 060097fe-9793-11eb-a8b3-0242ac130003 |
mitid.age | mitid.age | The end-user's age. Example value: 31 |
mitid.identityname | mitid.identityname | See description for "common-name"/"name". Example value: Helle Jensen |
mitid.cpr | mitid.cpr | See: national-identity/signicat.national_id. Example value: 2805542112 See CPR matching |
mitid.cpr.source | mitid.cpr.source | The source of the CPR number. One of “user”, “prefilled”, “database”. Only available in the CPR match flow. Example value: user See: CPR matching |
mitid.name-and-address-protection | mitid.name_and_address_protection | If included, this attribute indicates that the user has name and address protection. In this case, the common-name/name will be empty. Example value: true |
onbehalfof.orgnr | onbehalfof.orgnr | Included if the user is logging in or signing on behalf of a company. Corresponds to the CVR number of that company. Example value: 23456789 See: Using personal MitID on behalf of a company |
onbehalfof.name | onbehalfof.name | Included if the user is logging in or signing on behalf of a company. Corresponds to the name of that company. Example value: Jensen Services See: Using personal MitID on behalf of a company |
For additional parameters in the MitID Business response, see the MitID Business flow section.
# OIDC response for MitID
This is an OIDC response example of returned user information for MitID:
```json
{
  "sub": "c8938385-211d-4ab1-968c-ac84bb788c4f",
  "mitid.uuid": "c8938385-211d-4ab1-968c-ac84bb788c4f",
  "signicat.national_id": "2805542112",
  "mitid.cpr": "2805542112",
  "given_name": "Helle",
  "family_name": "Jenssen",
  "name": "Helle Jenssen",
  "birthdate": "1990-01-28",
  "auth_token_id": "mitid:ce3c6b19-93cd-47f2-a48d-6c902d7761c6",
  "mitid.fal": "HIGH",
  "mitid.ial": "SUBSTANTIAL",
  "mitid.aal": "SUBSTANTIAL",
  "mitid.loa": "SUBSTANTIAL",
  "mitid.psd2": "false",
  "mitid.has_cpr": "true",
  "mitid.reference_text_body": "Transfer 200 DKK to Account XYZ.",
  "mitid.transaction_id": "060097fe-9793-11eb-a8b3-0242ac130003",
  "mitid.age": "31",
  "mitid.identity_name": "Helle Jensen",
  "mitid.cpr.source": "user"
}
```
For another example that includes a defined scope, see the OIDC response examples page.
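The response example above delivers booleans as strings (`"mitid.psd2": "false"`), which are truthy in most languages, and the table defines `mitid.loa` as the minimum of IAL, AAL and FAL. The following is an added example, not Signicat's code, of relying-party checks on these claims once the token signature has been verified. The function names, the `required_loa` policy input and the LOW < SUBSTANTIAL < HIGH ordering are assumptions of this example.

```python
LEVELS = {"LOW": 1, "SUBSTANTIAL": 2, "HIGH": 3}  # assumed ordering of the documented values


def as_bool(value):
    """Strictly parse a JSON bool or the strings "true"/"false" (as in the sample)."""
    if isinstance(value, bool):
        return value
    if value in ("true", "false"):
        return value == "true"  # bool("false") would be True, so compare explicitly
    raise ValueError(f"not a boolean: {value!r}")


def check_mitid_claims(claims, required_loa, expected_reference_text=None, require_psd2=False):
    """Return policy violations for already signature-verified claims ([] = accept)."""
    try:
        ial, aal, fal, loa = (LEVELS[claims[f"mitid.{k}"]] for k in ("ial", "aal", "fal", "loa"))
    except KeyError as exc:
        return [f"missing or unknown assurance value: {exc}"]
    problems = []
    if loa != min(ial, aal, fal):
        problems.append("mitid.loa is not min(IAL, AAL, FAL)")
    if loa < LEVELS[required_loa]:
        problems.append(f"mitid.loa below required {required_loa}")
    if require_psd2:
        try:
            if not as_bool(claims.get("mitid.psd2")):
                problems.append("transaction was not PSD2 compliant")
        except ValueError as exc:
            problems.append(f"mitid.psd2: {exc}")
    if expected_reference_text is not None:
        # Bind the login to the text the service provider asked MitID to display.
        if claims.get("mitid.reference_text_body") != expected_reference_text:
            problems.append("reference text shown to the user differs from the one requested")
    return problems


# Constructed sample, modelled on the response example above.
SAMPLE = {
    "sub": "c8938385-211d-4ab1-968c-ac84bb788c4f",
    "mitid.fal": "HIGH", "mitid.ial": "SUBSTANTIAL",
    "mitid.aal": "SUBSTANTIAL", "mitid.loa": "SUBSTANTIAL",
    "mitid.psd2": "false",
    "mitid.reference_text_body": "Transfer 200 DKK to Account XYZ.",
}

if __name__ == "__main__":
    print(check_mitid_claims(SAMPLE, "SUBSTANTIAL", "Transfer 200 DKK to Account XYZ."))
    print(check_mitid_claims(SAMPLE, "HIGH", require_psd2=True))
```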
# SAML 2.0 response for MitID
This is a SAML 2.0 response example of returned user information for MitID:
```xml
<saml2:Assertion ID="IDkqi3itbx256cl3qvjmzyaebk3c1dndorw278q53g6ejacd94m" IssueInstant="2020-10-13T10:15:58.815Z" Version="2.0">
  <saml2:Issuer>
    https://test.signicat.com/std
  </saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="MitID">
      c8938385-211d-4ab1-968c-ac84bb788c4f
    </saml2:NameID>
  </saml2:Subject>
  <saml2:AuthnStatement AuthnInstant="2020-10-13T10:15:56.204Z" SessionIndex="umhnvu56o8l3owdy6wl65b6jbmqk171wopfk3ts9pzi6chkt0">
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="national-identity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">2805542112</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="national-identity-country" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">DK</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="given-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">Holger</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">Danske</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="common-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">Holger Danske</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="date-of-birth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">1990-01-28</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="auth-token-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">mitid:ce3c6b19-93cd-47f2-a48d-6c902d7761c6</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.uuid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">c8938385-211d-4ab1-968c-ac84bb788c4f</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.fal" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">HIGH</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.ial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">SUBSTANTIAL</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.aal" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">SUBSTANTIAL</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.loa" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">SUBSTANTIAL</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.psd2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.has-cpr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.reference-text-body" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">Transfer 200 DKK to Account XYZ.</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.transaction-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">060097fe-9793-11eb-a8b3-0242ac130003</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.age" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">31</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.identity-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">Holger Danske</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.cpr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">2805542112</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mitid.cpr.source" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">user</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
```
# Prefilled parameters
You can define and control prefilled parameters on a per-request basis to affect different aspects of the MitID flow. This is useful, for example, to prefill fields so the end-user does not have to fill in personal information about themselves (e.g. birth date, CPR number) in a repetitive and tedious manner. You can also use prefilled parameters to override default configurations, for example if you want another reference text than Signicat has set up.
Some of the prefilled parameters must be passed in a signed request to ensure they were generated by the service provider and have not been tampered with by other parties (see the "Must be signed" column below). There are a few ways to achieve this: in an OIDC context, a login_hint is considered authentic; for SAML2, you must use a prefilled parameter extension.
These are the prefilled parameters for MitID:
Parameter | Must be signed | Must be encrypted | Type | Description |
---|---|---|---|---|
assuranceLevel | Yes | No | One of: LOW SUBSTANTIAL HIGH | Determines the target LOA or AAL for the transaction, depending on corresponding assuranceMethod. Example value: SUBSTANTIAL See: Level of Assurance |
assuranceMethod | Yes | No | One of: LOA AAL | Determines whether assuranceLevel is to be treated as the target for LOA or AAL. Example value: AAL |
psd2 | Yes | No | Boolean | Determines whether the transaction is conducted under PSD2 compliant conditions. Example value: true See: PSD2 |
referenceText | Yes | No | String | The reference text displayed in the MitID client UI. Example value: Transfer 200 DKK to account 2198.4893.1003.9029 See: Reference text |
serviceProviderReference | Yes | No | String | Opaque reference value passed from the service provider via Signicat to MitID and returned in the response as received. Not displayed in UI. Example value: Sample service provider reference |
requestedAttributes | Yes | No | Comma-separated list. Legal values: DATE_OF_BIRTH AGE IAL_IDENTITY_ASSURANCE_LEVEL IDENTITY_NAME | Attributes that the service provider can request from MitID regarding the user. Example value: DATE_OF_BIRTH,AGE |
subject | No | Yes | String | The CPR number of the user. This can be used in the CPR matching context. Given that the prefilled subject gives a positive match, this skips the step where the end-user is prompted to enter the CPR number themselves. Example value: 2805542112. In this context the prefilled CPR number must be passed in an encrypted request. See CPR-matching. |
authTokenId | No | No | String | Used in the Step-up flow. This ID is returned in the response for the original authentication. A follow-up step-up authentication can then be triggered by using a method configured with a higher AAL/LoA than the original authentication (or prefilling a higher AAL/LoA) and prefilling the authTokenId. The result is that the username input screen is skipped and the user authenticates at the higher level. Example value: mitid:27fbcb32-07d3-4d4b-8db4-e98179f3dfae See: Step-up |
cvr | No | No | String | Can be used to preselect the company you want the user to log in or sign on behalf of. Example value: 23456789 See: Using personal MitID on behalf of a company |
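A service provider can enforce the "Must be signed" and "Must be encrypted" columns before a request leaves its backend, so that a CPR number is never sent in cleartext and a reference text is never sent unsigned. The following pre-flight check is an added example, not Signicat's code. The function name, the two transport flags, passing all values as strings and the digit-length checks for CPR (10) and CVR (8) are assumptions of this example.

```python
LEVELS = {"LOW", "SUBSTANTIAL", "HIGH"}
REQUESTABLE = {"DATE_OF_BIRTH", "AGE", "IAL_IDENTITY_ASSURANCE_LEVEL", "IDENTITY_NAME"}

# name -> (must be signed, must be encrypted, value check), following the table above
RULES = {
    "assuranceLevel": (True, False, lambda v: v in LEVELS),
    "assuranceMethod": (True, False, lambda v: v in {"LOA", "AAL"}),
    "psd2": (True, False, lambda v: v in {"true", "false"}),
    "referenceText": (True, False, lambda v: bool(v.strip())),
    "serviceProviderReference": (True, False, lambda v: bool(v)),
    "requestedAttributes": (True, False, lambda v: bool(v) and set(v.split(",")) <= REQUESTABLE),
    "subject": (False, True, lambda v: v.isdigit() and len(v) == 10),  # CPR number
    "authTokenId": (False, False, lambda v: bool(v)),
    "cvr": (False, False, lambda v: v.isdigit() and len(v) == 8),      # CVR number
}


def preflight(params, request_signed, request_encrypted):
    """Return reasons not to send `params` over the given transport ([] = safe to send)."""
    errors = []
    for name, value in params.items():
        rule = RULES.get(name)
        if rule is None:
            errors.append(f"{name}: not a MitID prefilled parameter")
            continue
        must_sign, must_encrypt, valid = rule
        if must_sign and not request_signed:
            errors.append(f"{name}: must be sent in a signed request")
        if must_encrypt and not request_encrypted:
            errors.append(f"{name}: must be sent in an encrypted request")
        if not (isinstance(value, str) and valid(value)):
            # Report the parameter name only: the value may be a CPR number.
            errors.append(f"{name}: invalid value")
    return errors


if __name__ == "__main__":
    # Constructed requests using the example values from the table.
    print(preflight({"referenceText": "Transfer 200 DKK to account 2198.4893.1003.9029",
                     "assuranceLevel": "SUBSTANTIAL", "assuranceMethod": "AAL"}, True, False))
    print(preflight({"subject": "2805542112"}, True, False))
```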
For more information about how to sign requests and prefill parameters, see:
- About OpenID Connect > MitID specifics: Signing authorisation requests
- About SAML 2.0 > Specifying prefilled information
- Demo Service > Supported URL parameters.
See also the specific flow descriptions on the Authentication page.