# Protocols and attributes

# Supported protocols

Signicat supports both the OIDC and SAML 2.0 protocols for MitID.


SAML 1.1 will be deprecated soon. If you are using Signicat's SAML 1.1 client library for NemID and are migrating from scratch, we recommend migrating to OIDC (see How to migrate from SAML 1.1 to OpenID Connect). SAML 2.0 is much more complex to implement on the service provider’s end and usually requires a federation agent already in place.

Integration with MitID is done via the same API as Signicat's other ID methods. See Getting started with authentication. There, you will also find more general information about how to integrate with Signicat using the OIDC and SAML 2.0 protocols:

The following sections provide more specific details and examples for MitID used in both protocol contexts.

# Attributes in the response

You use MitID to verify the end-user’s identity and obtain relevant personal details about them. These attributes can be obtained during authentication (see code examples below the table):

SAML 2.0 OIDC Description
NameID sub The universally unique identifier for the eID of the end-user.
Example value: c8938385-211d-4ab1-968c-ac84bb788c4f
national-identity signicat.national_id The CPR number of the end-user. Only available when using the CPR match flow.
Example value: 2805542112
See: CPR matching
national-identity-country N/A The nationality of the national ID (always "DK"). Only given when using the CPR match flow.
Example value: DK
given-name given_name The first name of the end-user.
Example value: Helle
surname family_name The last name of the end-user.
Example value: Jenssen
common-name name The combined first name and last name of the end-user.
Example value: Helle Jensen
date-of-birth birthdate The end-user's date of birth.
Example value: 1990-01-28
auth-token-id auth_token_id Included if the transaction is configured to be used as the basis for a future Step-up authentication.
Example value: mitid:ce3c6b19-93cd-47f2-a48d-6c902d7761c6
mitid.uuid mitid.uuid See: NameID/sub.
Example value: c8938385-211d-4ab1-968c-ac84bb788c4f
mitid.fal mitid.fal Federated Assurance Level. This will always have the value "HIGH".
Example value: HIGH
See: Level of Assurance
mitid.ial mitid.ial Identity Assurance Level. This value is associated with the end-user's eID, assigned as part of the MitID registration process and later only changeable through additional registration processes.
Example value: SUBSTANTIAL
See: Level of Assurance
mitid.aal mitid.aal Authentication Assurance Level. This is calculated based on the authenticators that have been used and their strengths.
Example value: SUBSTANTIAL
See: Level of Assurance
mitid.loa mitid.loa The Level of Authentication for the authentication. This is calculated as the minimum of IAL, AAL and FAL.
Example value: SUBSTANTIAL
See: Level of Assurance
mitid.psd2 mitid.psd2 Whether or not the transaction was conducted compliant with PSD2.
Example value: false
See: PSD2
mitid.has-cpr mitid.has_cpr Whether or not the user has a registered CPR number.
Example value: true
See: CPR matching
mitid.reference-text-body mitid.reference_text_body The reference text body as it was displayed in the MitID client UI.
Example value: Transfer 200 DKK to Account XYZ.
See: Texts in the MitID box
mitid.transaction-id mitid.transaction_id MitID’s identifier for the transaction.
Example value: 060097fe-9793-11eb-a8b3-0242ac130003
mitid.age mitid.age The end-user's age.
Example value: 31
mitid.identityname mitid.identityname See desctiption for "common-name"/"name".
Example value: Helle Jensen
mitid.cpr mitid.cpr See: national-identity/signicat.national_id.
Example value: 2805542112
See CPR matching
mitid.cpr.source mitid.cpr.source The source of the CPR number. One of “user”, “prefilled”, “database”. Only available in the CPR match flow.
Example value: user
See: CPR matching mitid.name_and_address_protection If included, this attribute indicates that the user has name and address protection. In this case, the common-name/name will be empty.
Example value: true
onbehalfof.orgnr onbehalfof.orgnr Included if the user is logging in or signing on behalf of a company. Corresponds to the CVR number of that company.
Example value: 23456789
See: Using personal MitID on behalf of a company Included if the user is logging in or signing on behalf of a company. Corresponds to the name of that company.
Example value: Jensen Services
See: Using personal MitID on behalf of a company

# OIDC response for MitID

This an OIDC response example of returned user information for MitID:

  "sub": "c8938385-211d-4ab1-968c-ac84bb788c4f",
  "mitid.uuid": "c8938385-211d-4ab1-968c-ac84bb788c4f",
  "signicat.national_id": "2805542112",
  "mitid.cpr": "2805542112",
  "given_name": "Helle",
  "family_name": "Jenssen",
  "name": "Helle Jenssen",
  "birthdate": "1990-01-28",
  "auth_token_id": "mitid:ce3c6b19-93cd-47f2-a48d-6c902d7761c6",
  "mitid.uuid": "c8938385-211d-4ab1-968c-ac84bb788c4f",
  "mitid.fal": "HIGH",
  "mitid.ial": "SUBSTANTIAL",
  "mitid.aal": "SUBSTANTIAL",
  "mitid.loa": "SUBSTANTIAL",
  "mitid.psd2": "false",
  "mitid.has_cpr": "true",
  "mitid.reference_text_body": "Transfer 200 DKK to Account XYZ.",
  "mitid.transaction_id": "060097fe-9793-11eb-a8b3-0242ac130003",
  "mitid.age": "31",
  "mitid.identity_name": "Helle Jensen",
  "mitid.cpr": "2805542112",
  "mitid.cpr.source": "user"

# SAML 2.0 response for MitID

This a SAML 2.0 response example of returned user information for MitID:

<saml2:Assertion ID="IDkqi3itbx256cl3qvjmzyaebk3c1dndorw278q53g6ejacd94m" IssueInstant="2020-10-13T10:15:58.815Z" Version="2.0">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="MitID">
  <saml2:AuthnStatement AuthnInstant="2020-10-13T10:15:56.204Z" SessionIndex="umhnvu56o8l3owdy6wl65b6jbmqk171wopfk3ts9pzi6chkt0">
    <saml2:Attribute Name="national-identity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">2805542112</saml2:AttributeValue>
    <saml2:Attribute Name="national-identity-country" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">DK</saml2:AttributeValue>
    <saml2:Attribute Name="given-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">Holger</saml2:AttributeValue>
    <saml2:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">Danske</saml2:AttributeValue>
    <saml2:Attribute Name="common-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">Holger Danske</saml2:AttributeValue>
    <saml2:Attribute Name="date-of-birth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">1990-01-28</saml2:AttributeValue>
    <saml2:Attribute Name="auth-token-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">mitid:ce3c6b19-93cd-47f2-a48d-6c902d7761c6</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.uuid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">c8938385-211d-4ab1-968c-ac84bb788c4f</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.fal" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">HIGH</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.ial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">SUBSTANTIAL</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.aal" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">SUBSTANTIAL</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.loa" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">SUBSTANTIAL</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.psd2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.has-cpr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.reference-text-body" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">Transfer 200 DKK to Account XYZ.</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.transaction-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">060097fe-9793-11eb-a8b3-0242ac130003</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.age" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">31</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.identity-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">Holger Danske</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.cpr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">2805542112</saml2:AttributeValue>
    <saml2:Attribute Name="mitid.cpr.source" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">user</saml2:AttributeValue>

# Prefilled parameters

You can define and control prefilled parameters on a per-request basis to affect different aspects of the MitID flow. This is useful, for example, to prefill fields so the end-user does not have to fill in personal information about themselves (e.g. birth date, CPR number) in a repetitive and tedious manner. You can also use prefilled parameters to override default configurations, for example if you want another reference text than Signicat has set up.

Some of the prefilled parameters must be passed in a signed request to ensure they were generated by the service provider and have not been tampered with by other parties (see the "Must be signed" column below). There are a few ways to achieve this: In an OIDC context, a login_hint is considered as authentic. For SAML2, you must use a prefilled parameter extension.

These are the prefilled parameters for MitID:

Parameter Must be signed Type Description
assuranceLevel Yes One of:
Determines the target LOA or AAL for the transaction, depending on corresponding assuranceMethod.
Example value: SUBSTANTIAL
See: Level of Assurance
assuranceMethod Yes One of: LOA
Determines whether assuranceLevel is to be treated as the target for LOA or AAL.
Example value: AAL
psd2 Yes Boolean Determines whether the transaction is conducted under PSD2 compliant conditions.
Example value: true
See: PSD2
referenceText Yes String The reference text displayed in the MitID client UI.
Example value: Transfer 200 DKK to account 2198.4893.1003.9029
See: Reference text
serviceProviderReference Yes String Opaque reference value passed from the service provider via Signicat to MitID and returned in the response as received. Not displayed in UI. Example value: Sample service provider reference
requestedAttributes Yes Comma-separated list. Legal values:
Attributes that the service provider can request from MitID regarding the user.
Example value: DATE_OF_BIRTH,AGE
subject No String The CPR number of the user. This can be used in the CPR matching context. Given that the prefilled subject gives a positive match, this skips the step where the end-user is prompted to enter the CPR number themselves.
Example value: 2805542112
See: CPR matching
uuid No String Used in the Reauthentication flow. Skips the username input screen.
Example value: 7ed3cec8-33cb-4852-bc79-ef3293e1dc52
See: Reauthentication
authTokenId No String Used in the Step-up flow. This ID is returned in the response for the original authentication. A follow-up step-up authentication can then be triggered by using a method configured with a higher AAL/LoA than the original authentication (or prefilling a higher AAL/LoA) and prefilling the authTokenId. The result is that the username input screen is skipped and the user authenticates at the higher level.
Example value: mitid:27fbcb32-07d3-4d4b-8db4-e98179f3dfae
See: Step-up
cvr No String Can be used to preselect the company you want the user to log in or sign on behalf of.
Example value: 23456789
See: Using personal MitID on behalf of a company

For more information about how to sign requests and prefill parameters, see:

See also the specfific flow descriptions on the Authentication page.

Last updated: 8/27/2021, 1:41:11 PM