
Czech Bank iD attributes in SAML 2.0

This page contains information about the user attributes that you can request and retrieve from Czech Bank iD when using SAML 2.0 as an authentication protocol.

Attributes table

Czech Bank iD provides the following data:

AML verification settings

If you set profile.verification to Required when configuring your app in the Czech Bank iD Dashboard, then you must specify at least one of the equivalent attributes (bankidCzVerificationProcess and bankidCzVerificationTrustFramework) in your authentication request.

Examples

Metadata document

The example below shows a Service Provider (SP) metadata document that connects to Czech Bank iD and requests the following attributes: idpId, address, bankidCzIdCard, bankidCzLimitedLegalCapacity, bankidCzPaymentAccounts, bankidCzPep, bankidCzTitlePrefix, bankidCzTitleSuffix, bankidCzUpdatedAt, countryOfBirth, dateOfBirth, 18OrOlder, email, firstName, gender, lastName, maritalStatus, middleName, name, nationality, nin, phoneNumber, placeOfBirth, bankidCzVerificationTrustFramework, bankidCzVerificationProcess.

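<?xml version="1.0" encoding="UTF-8"?>
<!--
  Service Provider (SP) metadata for connecting to Czech Bank iD over SAML 2.0.
  X509_CERTIFICATE and *SP_APP_DOMAIN* are placeholders; replace them with your own values.
-->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     ID="_45f42f65-39f9-4250-898e-f6297cb3f8ce"
                     entityID="SAML Example SP">
  <!--
    WantAssertionsSigned="false": the SP does not ask for each assertion to be signed on its own.
    With this setting the SP has to verify the signature on the enclosing Response before it
    reads any attribute. Set it to "true" if your deployment relies on assertion-level signatures.
  -->
  <md:SPSSODescriptor WantAssertionsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Public certificate for the SP's signing key. Only the certificate goes here, never the private key. -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            X509_CERTIFICATE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!--
      Endpoint that receives the SAML Response. It is declared with the HTTP-POST binding:
      the AuthnRequest example asks for ProtocolBinding HTTP-POST, and the SAML Web Browser SSO
      profile does not permit HTTP-Redirect for delivering a Response.
      The Destination and Recipient values of a Response are compared against this Location.
    -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://*SP_APP_DOMAIN*/saml/acs"
                                 index="1"
                                 isDefault="false"/>
    <!--
      The index value is what AttributeConsumingServiceIndex in the AuthnRequest refers to.
      This sample lists every attribute. Each one is personal data released to the SP
      (national identity number, ID card number, payment accounts, PEP status and so on),
      so list only the attributes your use case needs.
    -->
    <md:AttributeConsumingService index="1" isDefault="false">
      <md:ServiceName xml:lang="en">All attributes</md:ServiceName>
      <md:RequestedAttribute Name="idpId"/>
      <md:RequestedAttribute Name="address"/>
      <md:RequestedAttribute Name="bankidCzIdCard"/>
      <md:RequestedAttribute Name="bankidCzLimitedLegalCapacity"/>
      <md:RequestedAttribute Name="bankidCzPaymentAccounts"/>
      <md:RequestedAttribute Name="bankidCzPep"/>
      <md:RequestedAttribute Name="bankidCzTitlePrefix"/>
      <md:RequestedAttribute Name="bankidCzTitleSuffix"/>
      <md:RequestedAttribute Name="bankidCzUpdatedAt"/>
      <md:RequestedAttribute Name="countryOfBirth"/>
      <md:RequestedAttribute Name="dateOfBirth"/>
      <md:RequestedAttribute Name="18OrOlder"/>
      <md:RequestedAttribute Name="email"/>
      <md:RequestedAttribute Name="firstName"/>
      <md:RequestedAttribute Name="gender"/>
      <md:RequestedAttribute Name="lastName"/>
      <md:RequestedAttribute Name="maritalStatus"/>
      <md:RequestedAttribute Name="middleName"/>
      <md:RequestedAttribute Name="name"/>
      <md:RequestedAttribute Name="nationality"/>
      <md:RequestedAttribute Name="nin"/>
      <md:RequestedAttribute Name="phoneNumber"/>
      <md:RequestedAttribute Name="placeOfBirth"/>
      <!-- At least one of the two verification attributes below is required when profile.verification is set to Required. -->
      <md:RequestedAttribute Name="bankidCzVerificationTrustFramework"/>
      <md:RequestedAttribute Name="bankidCzVerificationProcess"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>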

Request example

SAML 2.0 request example:

<!--
  AuthnRequest sent by the SP to start a Czech Bank iD login.
  SERVICE_INDEX and *YOUR_SIGNICAT_DOMAIN* are placeholders.
-->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    Version="2.0"
                    ID="d2d2ae0656604b839d9bf36edca452a7"
                    IssueInstant="2025-04-26T10:06:19.352Z"
                    Destination="https://*YOUR_SIGNICAT_DOMAIN*/auth/saml/login"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AttributeConsumingServiceIndex="SERVICE_INDEX">
  <!--
    ID: generate a fresh value for every request and keep it on the SP side; the response
    echoes it back as InResponseTo, which lets the SP reject responses it did not ask for.
    AttributeConsumingServiceIndex: the index of the AttributeConsumingService in the SP
    metadata, which selects the set of attributes to release.
    Issuer: the SP's entityID as published in its metadata.
  -->
  <saml:Issuer>SAML Example SP</saml:Issuer>
</samlp:AuthnRequest>

Response example

SAML 2.0 response example:

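<!--
  Sample SAML 2.0 Response delivered to the SP's assertion consumer service.
  ENTITY_ID, *SP_APP_DOMAIN* and *YOUR_SIGNICAT_DOMAIN* are placeholders.
  The sample carries no ds:Signature element. An SP reads the assertion only after it has
  verified the signature on the Response or the Assertion against the IdP certificate taken
  from metadata it trusts.
  All assertion elements use the saml2 prefix, declared once on the root element.
-->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 Destination="https://*SP_APP_DOMAIN*/saml/acs"
                 ID="_f6298fea54d5f4090c0ac4ebd3247de7"
                 InResponseTo="d2d2ae0656604b839d9bf36edca452a7"
                 IssueInstant="2025-04-26T10:10:05.314Z"
                 Version="2.0">
  <!-- Destination has to equal the SP's ACS URL; InResponseTo has to equal the ID of an AuthnRequest the SP sent. -->
  <!-- Issuer identifies the IdP. Values are written without surrounding whitespace so exact string comparison works. -->
  <saml2:Issuer>https://*YOUR_SIGNICAT_DOMAIN*/auth/saml</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_14bf7ff57d8cd43721c79f63d4db9c0a"
                   IssueInstant="2025-04-26T10:10:05.314Z"
                   Version="2.0">
    <saml2:Issuer>https://*YOUR_SIGNICAT_DOMAIN*/auth/saml</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">gjhtHxMFfm-2bn-YaZ6mh2YfTL62z-EyU2AdnWbx3x4=</saml2:NameID>
      <!-- Bearer confirmation: check InResponseTo, Recipient (the ACS URL) and NotOnOrAfter before accepting the subject. -->
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="d2d2ae0656604b839d9bf36edca452a7"
                                       NotOnOrAfter="2025-04-26T10:10:05.314Z"
                                       Recipient="https://*SP_APP_DOMAIN*/saml/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <!--
      The SP enforces the NotBefore / NotOnOrAfter window and requires Audience to equal its own entityID.
      NOTE(review): in this sample NotOnOrAfter (here and in SubjectConfirmationData) is identical
      to IssueInstant, so an SP enforcing the window would treat the assertion as expired on
      arrival. The timestamps appear to be illustrative only.
    -->
    <saml2:Conditions NotBefore="2025-04-26T10:07:05.314Z" NotOnOrAfter="2025-04-26T10:10:05.314Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>ENTITY_ID</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <!-- The values below are personal data; handle and log them accordingly. -->
    <saml2:AttributeStatement>
      <saml2:Attribute Name="idpId">
        <saml2:AttributeValue>fed17912-aa8b-4f88-8c0f-9eb2b909d07f</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="address">
        <saml2:AttributeValue>PERMANENT_RESIDENCE, Dlouhá, 2, 609, Praha, 11000, CZ, 21722315</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="name">
        <saml2:AttributeValue>Jan Novák</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="firstName">
        <saml2:AttributeValue>Jan</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="lastName">
        <saml2:AttributeValue>Novák</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue>J.novak@example.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="gender">
        <saml2:AttributeValue>male</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="dateOfBirth">
        <saml2:AttributeValue>1970-08-01</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="countryOfBirth">
        <saml2:AttributeValue>CZ</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="18OrOlder">
        <saml2:AttributeValue>true</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="maritalStatus">
        <saml2:AttributeValue>MARRIED</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="nin">
        <saml2:AttributeValue>850321/1234</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="nin.issuingCountry">
        <saml2:AttributeValue>CZ</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="nin.type">
        <saml2:AttributeValue>PERSON</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="nationality">
        <saml2:AttributeValue>CZ</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="placeOfBirth">
        <saml2:AttributeValue>Brno</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="phoneNumber">
        <saml2:AttributeValue>+420123456789</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="bankidCzIdCard">
        <saml2:AttributeValue>123456789</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="bankidCzPep">
        <saml2:AttributeValue>false</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="bankidCzLimitedLegalCapacity">
        <saml2:AttributeValue>false</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="bankidCzTitlePrefix">
        <saml2:AttributeValue>Ing.</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="bankidCzTitleSuffix">
        <saml2:AttributeValue>Ph.D.</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="bankidCzPaymentAccounts">
        <saml2:AttributeValue>CZ9530300000000999999998, CZ4830300000000999999971</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="bankidCzUpdatedAt">
        <saml2:AttributeValue>2025-05-01T09:00:00Z</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="bankidCzVerificationTrustFramework">
        <saml2:AttributeValue>cz_aml</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="bankidCzVerificationProcess">
        <saml2:AttributeValue>45244782</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
    <saml2:AuthnStatement AuthnInstant="2025-04-26T10:07:03.059Z"
                          SessionIndex="fe187084-671b-4784-997e-7ff69d68ebf5">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        <!-- NOTE(review): this URN uses the etoegang naming, which looks carried over from a different identity scheme; confirm the value Czech Bank iD returns. -->
        <saml2:AuthenticatingAuthority>urn:etoegang:HM:ORGANISATION_IDENTIFICATION_NUMBER:entities:9713</saml2:AuthenticatingAuthority>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>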