Attributes reference

You use DigiD to verify the end-user's identity and obtain relevant personal details about them.

This page shows the end-user information you can retrieve with each authentication protocol.

Available attributes

BSN

End-users authenticate with DigiD using their citizen service number (BSN). The BSN is available in the response from the authentication flow. Note that BSN corresponds to the national identity number (NIN) returned by other ID methods.

Sector code

The sector code provides information on the type of personal number:

| Sector code | Type of personal number |
| --- | --- |
| S00000001 | Social security number (SSN), for example used by Social Insurance Bank (SVB) for Dutch nationals who emigrated before the BSN was introduced. |
| S00000000 | Burgerservicenummer (BSN). Citizen service number in the Netherlands. |

By default, the sector code is returned in the "idpID" field of a response, combined with the personal number in the form <sector_code>:<personal_number>. Example: s00000000:999999990.

Check the sector code

Check that the sector code returned in the response matches the sector code you expect, and handle a mismatch appropriately. If an unexpected sector code is returned, the authentication must be cancelled.
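One way to implement this check on the OIDC claims described on this page (idp_id, nin, nin_type), as an added example that is not Signicat's code. The function and exception names are hypothetical, the case-insensitive comparison is an assumption, and the claims are assumed to come from a token or UserInfo response that has already been validated.

```python
import re

# Sector code -> nin_type mapping, taken from the tables on this page.
SECTOR_TO_NIN_TYPE = {"s00000000": "BSN", "s00000001": "SSN"}


class UnexpectedSectorCode(Exception):
    """Signals that the authentication must be cancelled (hypothetical name)."""


def check_sector_code(claims, expected_sector="s00000000", sector_stripped=False):
    """Return the personal number, or raise if the sector code is not the expected one.

    claims: claims from an ID token or UserInfo response whose signature and
            standard claims (iss, aud, exp) were already validated elsewhere.
    sector_stripped: True when "Strip sector code from nameId" is ticked.
    """
    expected_sector = expected_sector.lower()
    expected_type = SECTOR_TO_NIN_TYPE[expected_sector]
    idp_id = claims.get("idp_id")
    if not isinstance(idp_id, str):
        raise UnexpectedSectorCode("idp_id missing: request the idp-id scope")

    sector, sep, number = idp_id.partition(":")
    if sep:
        # Assumption: compare case-insensitively, since the page shows both
        # S00000001 and s00000000 spellings.
        if sector.lower() != expected_sector:
            raise UnexpectedSectorCode(f"unexpected sector code {sector!r}")
    else:
        number = idp_id
        # Without a prefix, nin_type is the only remaining evidence of the sector.
        if not sector_stripped or "nin_type" not in claims:
            raise UnexpectedSectorCode("sector code absent and not verifiable")

    if claims.get("nin_type", expected_type) != expected_type:
        raise UnexpectedSectorCode("nin_type does not match expected sector")
    if claims.get("nin", number) != number:
        raise UnexpectedSectorCode("nin differs from the number in idp_id")
    if expected_type == "BSN" and not re.fullmatch(r"[0-9]{9}", number):
        raise UnexpectedSectorCode("BSN must consist of 9 digits")
    return number


# Constructed sample, shaped like the page's "all scopes and sector code" example.
SAMPLE = {"idp_id": "s00000000:999999990", "nin": "999999990", "nin_type": "BSN"}
```

Catch UnexpectedSectorCode at the point where the login session would be created and abort the flow there, so no session is ever issued for an identifier from an unexpected sector.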

Strip the sector code

You can configure the DigiD connection so that the sector code is not returned in the response. To do this:

  1. Go to Signicat Dashboard > ID Methods.
  2. Select DigiD to edit the connection configuration.
  3. Tick Strip sector code from nameId to not return the sector code in the response.

OIDC scopes and claims

You can use the following scopes to request user information from an end-user using DigiD:

| Scope | OIDC Claim | Example | Description |
| --- | --- | --- | --- |
| idp-id | idp_id | S00000001:999999990 | Personal identifier set by the identity provider containing the sector scope. |
| nin | nin | 999999990 | National identification number (burgerservicenummer; BSN) of the end-user, consisting of 9 digits. |
| | nin_issuing_country | NL | Issuing country of the national identity. |
| | nin_type | BSN or SSN | Type of sector code. If sector code is s00000000, then nin.type is BSN. If s00000001, then SSN. |

OIDC responses

To trigger an end-user authentication flow with OIDC, the URL could look like:

https://<YOUR_DOMAIN>/auth/open/connect/authorize?
client_id=<YOUR_OIDC_CLIENT_ID>
&response_type=code
&redirect_uri=<REDIRECT_URI>
&scope=openid%20nin%20idp-id
&acr_values=idp:digid
&prompt=login

After an end-user completes the authentication flow with DigiD, you receive a server response with an access token and an ID token in the body of the response.

An ID token is a JWT that looks like: eyJhbGciOiJSUzI...AiOiJKV1QifQ.eyJpc3Mi...J1ZX0.nmupzTs...H9whojA

What is a JWT?

A JSON Web Token (JWT) consists of three parts separated by dots (.), which correspond to:

  • Header
  • Payload
  • Signature

A JWT typically looks like:

xxxxx.yyyyy.zzzzz

The decoded payload (data) part of the ID token for DigiD would then look like:

{
  "iss": "https://<YOUR_DOMAIN>/auth/open",
  "nbf": 1709652445,
  "iat": 1709652445,
  "exp": 1709653045,
  "aud": "<YOUR_OIDC_CLIENT_ID>",
  "amr": [
    "external"
  ],
  "at_hash": "r99QeeZDCO4XHixurU_HTA",
  "sid": "5866A06...D1433A9649",
  "sub": "M8DuuHPYvP...Z0vsnZivrfFjs=",
  "auth_time": 1709652442,
  "idp": "digid",
  "idp_id": "s00000000:999999990",
  "nin": "999999990",
  "nin_type": "BSN",
  "nin_issuing_country": "NL",
  "idp_issuer": "https://<DIGID_DOMAIN>/saml/idp/metadata",
  "transaction_id": "94b2b88c-d2f7-5942-ff4f1cb966f8"
}

ID Token with nin

Note that the ID Token is configured by default to return only the claims defined in the OIDC standard (standard scopes). With DigiD, nin is not present in the ID Token by default.

To control the data returned in the ID Token, edit the Id Token User data in the Advanced > Security tab of your OIDC client configuration. Alternatively, you may retrieve the nin from the UserInfo endpoint.

OIDC response example

The response examples below show user information that could be contained in the ID Token or retrieved from the UserInfo endpoint.

Example with all scopes and sector code

Scope: openid idp-id nin.


{
  "idp_id": "s00000000:999999990",
  "nin": "999999990",
  "nin_type": "BSN",
  "nin_issuing_country": "NL",
  "sub": "M8DuuHPYv...nZivrfFjs=",
  "idp_issuer": "https://<DIGID_DOMAIN>/saml/idp/metadata"
}

Example with all scopes without sector code

Scope: openid idp-id nin.

{
  "idp_id": "999999990",
  "nin": "999999990",
  "nin_type": "BSN",
  "nin_issuing_country": "NL",
  "sub": "ISXRTsmO...F2ZhMWdi9aPc=",
  "idp_issuer": "https://<DIGID_DOMAIN>/saml/idp/metadata"
}

Example with sector code and without nin

Scope: openid idp-id.


{
  "idp_id": "s00000000:999999990",
  "sub": "M8DuuHPYv...nZivrfFjs=",
  "idp_issuer": "https://<DIGID_DOMAIN>/saml/idp/metadata"
}

Example with sector code and without idp-id

Scope: openid nin.

{
  "nin": "999999990",
  "nin_type": "BSN",
  "nin_issuing_country": "NL",
  "sub": "M8DuuHPYv...nZivrfFjs=",
  "idp_issuer": "https://<DIGID_DOMAIN>/saml/idp/metadata"
}

Example without additional scopes

Scope: openid.


{
  "sub": "M8DuuHPYv...nZivrfFjs=",
  "idp_issuer": "https://<DIGID_DOMAIN>/saml/idp/metadata"
}

Authentication REST API attributes

The Signicat Authentication REST API supports the following request attributes for DigiD:

| Attributes | Sub-field | Example | Description |
| --- | --- | --- | --- |
| idpId | | s00000000:999999990 | Personal identifier set by the identity provider. |
| nin | value | 999999990 | National identification number (BSN) of the end-user. |
| | issuingCountry | NL | Issuing country of the national identity. |
| | type | BSN or SSN | Type of sector code. If sector code is s00000000, then nin.type is BSN. If s00000001, then SSN. |

Authentication API response example

Here is a section of the response showing the user information attributes:

...
"subject": {
  "id": "999999990",
  "idpId": "s00000000:999999990",
  "nin": {
    "value": "999999990",
    "issuingCountry": "NL",
    "type": "BSN"
  }
}
...

SAML 2.0 attributes

Integrating with SAML 2.0 allows you to use the following request attributes for DigiD:

| Attributes | Example | Description |
| --- | --- | --- |
| idpId | s00000000:999999990 | Personal identifier set by the identity provider. |
| nin | 999999990 | National identification number (BSN) of the end-user. |
| nin.issuingCountry | NL | Country issuing the national identity. |
| nin.type | BSN or SSN | Type of sector code. If sector code is s00000000, then nin.type is BSN. If s00000001, then SSN. |

SAML 2.0 response example

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="<YOUR_SAML_ACS_ENDPOINT>" ID="_e79814f9d74c7259e7f0a87942178096" InResponseTo="_60f0e8faf031ee71d585d1a7a52a86d6" IssueInstant="2024-02-21T12:27:04.577Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    https://<YOUR_SIGNICAT_DOMAIN>/broker/sp/saml
  </saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ...
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_35ae4c69abe302f54cf3dbde34f9813e" IssueInstant="2024-02-21T12:27:04.585Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer>
      https://<YOUR_SIGNICAT_DOMAIN>/broker/sp/saml
    </saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      ...
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">
        HASHED_SUBJECT
      </saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_60f0e8faf031ee71d585d1a7a52a86d6" NotOnOrAfter="2024-02-21T12:29:04.585Z" Recipient="<YOUR_SAML_ACS_ENDPOINT>"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2024-02-21T12:26:59.585Z" NotOnOrAfter="2024-02-21T12:29:04.585Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>
          https://<YOUR_SIGNICAT_DOMAIN>/broker/authn/saml
        </saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="nin">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
          999999990
        </saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="nin.issuingCountry">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
          NL
        </saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="nin.type">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
          BSN
        </saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
    <saml2:AuthnStatement AuthnInstant="2024-02-21T12:27:04.586Z" SessionIndex="4f72bc7f-2613-4377-8f00-1ff67fc4b82f">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml2:AuthnContextClassRef>
        <saml2:AuthenticatingAuthority>
          https://was-preprod1.digid.nl/saml/idp/metadata
        </saml2:AuthenticatingAuthority>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>