Attributes reference
You use DigiD to verify the end-user's identity and obtain relevant personal details about them.
This page shows the end-user information you can retrieve with each authentication protocol.
Available attributes
BSN
End-users authenticate with DigiD using their citizen service number (BSN). The BSN is available in the response from the authentication flow. Note that BSN corresponds to the national identity number (NIN) returned by other ID methods.
Sector code
The sector code provides information on the type of personal number:
Sector code | Type of personal number |
---|---|
S00000001 | Social security number (SSN), for example used by Social Insurance Bank (SVB) for Dutch nationals who emigrated before the BSN was introduced. |
S00000000 | Burgerservicenummer (BSN). Citizen service number in the Netherlands. |
The sector code is returned in the "idpID" field of a response, by default. Example of a combination of sector code with personal number (<sector_code>:<personal_number>): s00000000:999999990.
Note that you should check whether the sector code as returned complies with the expected sector code and handle it appropriately. If an unexpected sector code is returned, the authentication must be cancelled.
Strip the sector code
You can remove the sector code from the response by default. To achieve this:
- Go to Signicat Dashboard > ID Methods.
- Select DigiD to edit the connection configuration.
- Tick Strip sector code from nameId to not return the sector code in the response.
OIDC scopes and claims
You can use the following scopes to request user information from an end-user using DigiD:
Scope | OIDC Claim | Example | Description |
---|---|---|---|
idp-id | idp_id | S00000001:999999990 | Personal identifier set by the identity provider containing the sector scope. |
nin | nin | 999999990 | National identification number (burgerservicenummer; BSN) of the end-user, consisting of 9 digits. |
nin | nin_issuing_country | NL | Issuing country of the national identity. |
nin | nin_type | BSN or SSN | Type of sector code. If sector code is s00000000, then nin.type is BSN. If s00000001, then SSN. |
OIDC responses
To trigger an end-user authentication flow with OIDC, the URL could look like:
https://<YOUR_DOMAIN>/auth/open/connect/authorize?
client_id=<YOUR_OIDC_CLIENT_ID>
&response_type=code
&redirect_uri=<REDIRECT_URI>
&scope=openid%20nin%20idp-id
&acr_values=idp:digid
&prompt=login
After an end-user completes the authentication flow with DigiD, you receive a server response with an access token and an ID token in the body of the response.
An ID token is a JWT that looks like: eyJhbGciOiJSUzI...AiOiJKV1QifQ.eyJpc3Mi...J1ZX0.nmupzTs...H9whojA
What is a JWT?
A JSON Web Token (JWT) consists of three parts separated by dots (.), which correspond to:
- Header
- Payload
- Signature
A JWT typically looks like:
xxxxx.yyyyy.zzzzz
The decoded payload (data) part of the ID token for DigiD would then look like:
{
"iss": "https://<YOUR_DOMAIN>/auth/open",
"nbf": 1709652445,
"iat": 1709652445,
"exp": 1709653045,
"aud": "<YOUR_OIDC_CLIENT_ID>",
"amr": [
"external"
],
"at_hash": "r99QeeZDCO4XHixurU_HTA",
"sid": "5866A06...D1433A9649",
"sub": "M8DuuHPYvP...Z0vsnZivrfFjs=",
"auth_time": 1709652442,
"idp": "digid",
"idp_id": "s00000000:999999990",
"nin": "999999990",
"nin_type": "BSN",
"nin_issuing_country": "NL",
"idp_issuer": "https://<DIGID_DOMAIN>/saml/idp/metadata",
"transaction_id": "94b2b88c-d2f7-5942-ff4f1cb966f8"
}
nin
Note that the ID Token is configured by default to return only the claims defined in the OIDC standard (standard scopes). With DigiD, nin is not present in the ID token by default.
To control the data returned in the ID Token, edit the Id Token User data in the Advanced > Security tab of your OIDC client configuration. Alternatively, you may retrieve the nin from the UserInfo endpoint.
OIDC response example
The response examples below show user information that could be contained in the ID Token or retrieved from the UserInfo endpoint.
Example with all scopes and sector code
Scope: openid idp-id nin.
{
"idp_id":"s00000000:999999990",
"nin":"999999990",
"nin_type":"BSN",
"nin_issuing_country":"NL",
"sub":"M8DuuHPYv...nZivrfFjs=",
"idp_issuer":"https://<DIGID_DOMAIN>/saml/idp/metadata"
}
Example with all scopes without sector code
Scope: openid idp-id nin.
{
"idp_id": "999999990",
"nin": "999999990",
"nin_type": "BSN",
"nin_issuing_country": "NL",
"sub":"ISXRTsmO...F2ZhMWdi9aPc=",
"idp_issuer":"https://<DIGID_DOMAIN>/saml/idp/metadata"
}
Example with sector code and without nin
Scope: openid idp-id.
{
"idp_id":"s00000000:999999990",
"sub":"M8DuuHPYv...nZivrfFjs=",
"idp_issuer":"https://<DIGID_DOMAIN>/saml/idp/metadata"
}
Example with sector code and without idp-id
Scope: openid, nin.
{
"nin":"999999990",
"nin_type":"BSN",
"nin_issuing_country":"NL",
"sub":"M8DuuHPYv...nZivrfFjs=",
"idp_issuer":"https://<DIGID_DOMAIN>/saml/idp/metadata"
}
Example without additional scopes
Scope: openid.
{
"sub":"M8DuuHPYv...nZivrfFjs=",
"idp_issuer":"https://<DIGID_DOMAIN>/saml/idp/metadata"
}
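One way to implement the sector code check this page requires, applied to the claims shown in the OIDC examples above (an added example, not Signicat's code). The function name, the SectorCodeError exception and the sector_stripped parameter are assumptions of this example; it goes slightly beyond the text by also cross-checking nin_type and nin against idp_id, and by refusing a payload that carries no sector information at all.

```python
import re

# Sector codes and the nin_type each maps to, as listed on this page.
SECTOR_TYPES = {"s00000000": "BSN", "s00000001": "SSN"}


class SectorCodeError(Exception):
    """The authentication must be cancelled."""


def check_digid_claims(claims, expected_sector="s00000000", sector_stripped=False):
    """Return the personal number, or raise SectorCodeError.
    claims: payload of an ID token (signature already verified) or UserInfo.
    sector_stripped: True if "Strip sector code from nameId" is ticked.
    """
    expected = expected_sector.lower()
    expected_type = SECTOR_TYPES[expected]  # KeyError on an unknown sector code
    number, verified = None, False
    idp_id = claims.get("idp_id")
    if idp_id is not None:
        sector, sep, number = idp_id.rpartition(":")
        if bool(sep) == sector_stripped:
            raise SectorCodeError("idp_id format does not match the strip setting")
        # The page shows S0000000x and s0000000x, so compare case-insensitively.
        if sep and sector.lower() != expected:
            raise SectorCodeError(f"unexpected sector code: {sector!r}")
        verified = bool(sep)
    nin = claims.get("nin")
    if nin is not None:
        if claims.get("nin_type") != expected_type:
            raise SectorCodeError(f"unexpected nin_type: {claims.get('nin_type')!r}")
        if number is not None and nin != number:
            raise SectorCodeError("nin and idp_id disagree")
        number, verified = nin, True
    if not verified:
        raise SectorCodeError("no sector code or nin_type to check")
    if expected_type == "BSN" and not re.fullmatch(r"[0-9]{9}", number):
        raise SectorCodeError("a BSN consists of 9 digits")
    return number


if __name__ == "__main__":
    # Constructed from the example payloads on this page (value 999999990).
    ok = {"idp_id": "s00000000:999999990", "nin": "999999990", "nin_type": "BSN"}
    print(check_digid_claims(ok))
    try:
        check_digid_claims({"idp_id": "S00000001:999999990"})
    except SectorCodeError as err:
        print("cancel authentication:", err)
```

With the sector code stripped and only the idp-id scope requested, nothing in the payload identifies the sector, so the function raises; request the nin scope as well if you strip the sector code.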
Authentication REST API attributes
The Signicat Authentication REST API supports the following request attributes for DigiD:
Attributes | Sub-field | Example | Description |
---|---|---|---|
idpId | | s00000000:999999990 | Personal identifier set by the identity provider. |
nin | value | 999999990 | National identification number (BSN) of the end-user. |
nin | issuingCountry | NL | Issuing country of the national identity. |
nin | type | BSN or SSN | Type of sector code. If sector code is s00000000, then nin.type is BSN. If s00000001, then SSN. |
Authentication API response example
Here is a section of the response showing the user information attributes:
...
"subject": {
"id": "999999990",
"idpId": "s00000000:999999990",
"nin": {
"value": "999999990",
"issuingCountry": "NL",
"type": "BSN"
}
}
...
SAML 2.0 attributes
Integrating with SAML 2.0 allows you to use the following request attributes for DigiD:
Attributes | Example | Description |
---|---|---|
idpId | s00000000:999999990 | Personal identifier set by the identity provider. |
nin | 999999990 | National identification number (BSN) of the end-user. |
nin.issuingCountry | NL | Country issuing the national identity. |
nin.type | BSN or SSN | Type of sector code. If sector code is s00000000, then nin.type is BSN. If s00000001, then SSN. |
SAML 2.0 response example
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="<YOUR_SAML_ACS_ENDPOINT>" ID="_e79814f9d74c7259e7f0a87942178096" InResponseTo="_60f0e8faf031ee71d585d1a7a52a86d6" IssueInstant="2024-02-21T12:27:04.577Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
https://<YOUR_SIGNICAT_DOMAIN>/broker/sp/saml
</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_35ae4c69abe302f54cf3dbde34f9813e" IssueInstant="2024-02-21T12:27:04.585Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer>
https://<YOUR_SIGNICAT_DOMAIN>/broker/sp/saml
</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">
HASHED_SUBJECT
</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_60f0e8faf031ee71d585d1a7a52a86d6" NotOnOrAfter="2024-02-21T12:29:04.585Z" Recipient="<YOUR_SAML_ACS_ENDPOINT>"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2024-02-21T12:26:59.585Z" NotOnOrAfter="2024-02-21T12:29:04.585Z">
<saml2:AudienceRestriction>
<saml2:Audience>
https://<YOUR_SIGNICAT_DOMAIN>/broker/authn/saml
</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="nin">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
999999990
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="nin.issuingCountry">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
NL
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="nin.type">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
BSN
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthnStatement AuthnInstant="2024-02-21T12:27:04.586Z" SessionIndex="4f72bc7f-2613-4377-8f00-1ff67fc4b82f">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>
https://was-preprod1.digid.nl/saml/idp/metadata
</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>