Attributes reference
You use DigiD CombiConnect to verify the end-user's identity and obtain relevant personal details about them.
This page shows the end-user information you can retrieve with each authentication protocol.
Available attributes
BSN
End-users authenticate with DigiD using their personal citizen service number (BSN). The BSN is available in the response from the authentication flow. Note that BSN corresponds to the national identity number (NIN) returned by other eIDs.
DigiD Machtigen
When a person logs in on behalf of someone else, you can retrieve the BSN of both the guardian and the actual individual they are logging in for.
Authentications with DigiD Machtigen will return an additional field in the response (acting_nin for OIDC or actingNin for the other protocols) containing the BSN of the person authorised to manage the end-user's affairs online. This is in addition to the BSN (returned in the nin object) of the actual individual.
OIDC scopes and claims
You can use the following scopes to request user information from an end-user using DigiD CombiConnect:
OIDC request examples
To trigger an end-user authentication flow with OIDC, the URL could look like:
https://<YOUR_DOMAIN>/auth/open/connect/authorize?
client_id=<YOUR_OIDC_CLIENT_ID>
&response_type=code
&redirect_uri=<REDIRECT_URI>
&scope=openid%20nin%20idp-id%20acting-nin
&acr_values=idp:digid-combiconnect
&prompt=login
After a successful authentication, you receive a server response with an access token and an ID token in the body of the response.
An ID token is a JWT similar to eyJhbGciOiJSUzI...AiOiJKV1QifQ.eyJpc3Mi...J1ZX0.nmupzTs...H9whojA
What is a JWT?
A JSON Web Token (JWT) consists of three parts separated by dots (.), which correspond to:
- Header
- Payload
- Signature
A JWT typically looks like:
xxxxx.yyyyy.zzzzz
The decoded payload (data) of the ID token for DigiD CombiConnect would then look like:
{
"iss": "https://<YOUR_DOMAIN>/auth/open",
"nbf": 1709652445,
"iat": 1709652445,
"exp": 1709653045,
"aud": "<YOUR_OIDC_CLIENT_ID>",
"amr": [
"external"
],
"at_hash": "r99QeeZDCO4XHixurU_HTA",
"sid": "5866A06...D1433A9649",
"sub": "M8DuuHPYvP...Z0vsnZivrfFjs=",
"auth_time": 1709652442,
"idp": "digid",
"idp_id": "999999990",
"nin": "999999990",
"nin_type": "BSN",
"nin_issuing_country": "NL",
"acting_nin": "000000009",
"idp_issuer": "https://<DIGID_DOMAIN>/saml/idp/metadata",
"transaction_id": "94b2b88c-d2f7-5942-ff4f1cb966f8"
}
By default, the ID Token contains only the claims defined in the OIDC standard (standard scopes). Therefore, the nin is not included in the ID token you receive after authentications with DigiD CombiConnect.
To receive the nin in the ID Token, go to your OIDC client in the Signicat Dashboard and edit the ID Token User data in the Advanced > Security tab. Alternatively, you can fetch the nin from the UserInfo endpoint.
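The following is an added example, not Signicat's own code: it checks the claims of a decoded ID token like the payload above and keeps the represented individual (nin) apart from the representative (acting_nin). It assumes the token signature has already been verified by your OIDC library; the names DigidIdentity and identity_from_claims, the issuer and the client ID are hypothetical placeholders.

```python
import time
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DigidIdentity:
    bsn: str                   # "nin": the individual the login is for
    acting_bsn: Optional[str]  # "acting_nin": representative (DigiD Machtigen only)

    @property
    def delegated(self) -> bool:
        return self.acting_bsn is not None

def identity_from_claims(claims, issuer, client_id, now=None, leeway=30):
    """Validate ID token claims whose signature has ALREADY been verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    exp = claims.get("exp")
    if exp is None or now - leeway >= exp or now + leeway < claims.get("nbf", 0):
        raise ValueError("token is outside its validity window")
    nin = claims.get("nin")
    if nin is None:
        # Default client configuration: nin is absent, fetch it from UserInfo.
        raise LookupError("nin claim missing from ID token")
    if claims.get("nin_type") != "BSN" or claims.get("nin_issuing_country") != "NL":
        raise ValueError("nin is not a Dutch BSN")
    return DigidIdentity(bsn=nin, acting_bsn=claims.get("acting_nin"))

# Constructed sample based on the payload above; issuer and client id are placeholders.
SAMPLE_CLAIMS = {
    "iss": "https://example.test/auth/open", "aud": "demo-client",
    "nbf": 1709652445, "iat": 1709652445, "exp": 1709653045,
    "nin": "999999990", "nin_type": "BSN", "nin_issuing_country": "NL",
    "acting_nin": "000000009",
}

if __name__ == "__main__":
    who = identity_from_claims(SAMPLE_CLAIMS, "https://example.test/auth/open",
                               "demo-client", now=1709652500)
    # Authorise against who.bsn; record who.acting_bsn in the audit trail.
    print(who, who.delegated)
```

A LookupError here means the client uses the default ID token configuration, so the nin has to come from the UserInfo endpoint instead.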
OIDC response example
The response examples below show user information that could be contained in the ID Token or retrieved from the UserInfo endpoint.
Example with standard DigiD authentication
Scope: openid idp-id nin.
{
"idp_id":"999999990",
"nin":"999999990",
"nin_type":"BSN",
"nin_issuing_country":"NL",
"sub":"M8DuuHPYv...nZivrfFjs=",
"idp_issuer":"https://<DIGID_DOMAIN>/saml/idp/metadata"
}
Example with DigiD Machtigen authentication
Scope: openid idp-id nin acting-nin.
{
"idp_id":"999999990",
"nin":"999999990",
"nin_type":"BSN",
"nin_issuing_country":"NL",
"acting_nin": "000000009",
"sub":"M8DuuHPYv...nZivrfFjs=",
"idp_issuer":"https://<DIGID_DOMAIN>/saml/idp/metadata"
}
Example without additional scopes
Scope: openid.
{
"sub":"M8DuuHPYv...nZivrfFjs=",
"idp_issuer":"https://<DIGID_DOMAIN>/saml/idp/metadata"
}
Authentication REST API attributes
The Signicat Authentication REST API supports the following request attributes for DigiD:
Authentication API response example
Here is a section of the response showing the user information attributes:
...
"subject": {
"id": "999999990",
"idpId": "999999990",
"nin": {
"value": "999999990",
"issuingCountry": "NL",
"type": "BSN"
},
"actingNin": "000000009"
}
...
SAML 2.0 attributes
Integrating with SAML 2.0 allows you to use the following request attributes for DigiD:
SAML 2.0 response example
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://*SP_CLIENT_DOMAIN*/saml/acs" ID="_e79814f9d74c7259e7f0a87942178096" InResponseTo="_60f0e8faf031ee71d585d1a7a52a86d6" IssueInstant="2024-02-21T12:27:04.577Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
https://*YOUR_SIGNICAT_DOMAIN*/auth/saml
</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_35ae4c69abe302f54cf3dbde34f9813e" IssueInstant="2024-02-21T12:27:04.585Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer>
https://*YOUR_SIGNICAT_DOMAIN*/auth/saml
</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">
HASHED_SUBJECT
</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_60f0e8faf031ee71d585d1a7a52a86d6" NotOnOrAfter="2024-02-21T12:29:04.585Z" Recipient="https://*SP_CLIENT_DOMAIN*/saml/acs"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2024-02-21T12:26:59.585Z" NotOnOrAfter="2024-02-21T12:29:04.585Z">
<saml2:AudienceRestriction>
<saml2:Audience>ENTITY_ID</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="nin">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
999999990
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="nin.issuingCountry">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
NL
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="nin.type">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
BSN
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="actingNin">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
000000009
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthnStatement AuthnInstant="2024-02-21T12:27:04.586Z" SessionIndex="4f72bc7f-2613-4377-8f00-1ff67fc4b82f">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>
https://was-preprod1.digid.nl/saml/idp/metadata
</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>