Attributes reference

You use eParaksts Mobile to verify the identity of end-users and obtain relevant personal details about them. This page contains information about the user data that you can request and receive for the different authentication protocols.

OIDC scopes and claims

You can use the following scopes to request user information from an end-user using eParaksts Mobile:

Request example

The snippet below shows an example of an OIDC authorisation request with eParaksts Mobile:

https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize?
&client_id=<OIDC_CLIENT_ID>
&response_type=code
&redirect_uri=<REDIRECT_URI>
&state=1732871739682-PEu
&scope=openid%20profile%20nin%20idp-id
&code_challenge=21yT9yGQBMebnFQ4mjBJHcBH4-qK30z4VEHA3ggHhE4
&code_challenge_method=S256

Key parameters:

  • client_id: Your OIDC client ID, as created in the Dashboard.
  • response_type: The grant type of your OIDC flow. Set to code for the authorisation code flow.
  • redirect_uri: Your app's callback URL.
  • state: A unique string to maintain request state.
  • scope: Requested scopes. eParaksts Mobile supports openid, profile, nin and idp-id.
  • code_challenge: PKCE challenge derived from a verifier.
  • code_challenge_method: Use S256 for SHA-256 hashing.

Directing users to eParaksts Mobile

You can optionally use the acr_values parameter with idp:eparaksts-mobile to automatically redirect authentication requests to eParaksts Mobile, bypassing other eID options configured for your account.
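The request above can be assembled as follows. This is an added example, not Signicat's code: the function names are hypothetical, and the domain, client ID and redirect URI are placeholders you supply.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

SCOPES = ("openid", "profile", "nin", "idp-id")  # scopes listed on this page


def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(domain, client_id, redirect_uri, force_eparaksts=True):
    """Return (url, state, code_verifier) for one login attempt.

    Keep state and code_verifier in the server-side session: state is compared
    on the callback, code_verifier is sent with the token request.
    """
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)  # 86 chars; RFC 7636 allows 43-128
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(SCOPES),
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    if force_eparaksts:
        params["acr_values"] = "idp:eparaksts-mobile"
    query = urlencode(params, quote_via=quote)  # spaces become %20, as above
    return f"https://{domain}/auth/open/connect/authorize?{query}", state, code_verifier


def state_matches(expected_state, callback_url):
    """Compare the state echoed on the callback with the stored one."""
    returned = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    return secrets.compare_digest(expected_state.encode(), returned.encode())
```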

Response example

The response example below only shows the payload of an OIDC response with all claims on display.

Scope: openid, profile, idp-id, nin

{
  "iss": "https://<YOUR_SIGNICAT_DOMAIN>/auth/open",
  "nbf": 1732871830,
  "iat": 1732871830,
  "exp": 1732871830,
  "aud": "<CLIENT_ID>",
  "amr": [
    "external"
  ],
  "at_hash": "gZmDUKYpNSGb38OMxobojg",
  "sid": "5359DA7806241119D78C06F0C9B48CAA",
  "sub": "uxkLTjA30C2M40aaY9wM4nEUfNpenoiavD1FyE8Dh-M=",
  "auth_time": 1732871821,
  "idp": "eparaksts-mobile",
  "idp_id": "001124-10474",
  "name": "Jane Doe",
  "family_name": "Doe",
  "given_name": "Jane",
  "nin": "001124-10474",
  "nin_type": "CIVIL",
  "nin_issuing_country": "lv",
  "idp_issuer": "VAS \"Latvijas Valsts radio un televīzijas centrs\", Reg. Nr. 40003011203, Ērgļu iela 10, Rīga, Latvija, LV-1012",
  "transaction_id": "628c0d4f-4a97-XXXX-85a4-7d278af9d4eb",
  "sandbox": true
}
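A relying party should check several of these claims before treating the payload as a login. The following is an added example, not Signicat's code: it assumes the ID token signature has already been verified with a JWT library, the function and class names are hypothetical, and the sample payload is constructed.

```python
import time

EXPECTED_IDP = "eparaksts-mobile"

# Constructed sample modelled on the payload above (timestamps are made up).
SAMPLE = {
    "iss": "https://example.invalid/auth/open", "aud": "demo-client",
    "nbf": 1732871830, "iat": 1732871830, "exp": 1732872430,
    "sub": "constructed-subject", "idp": "eparaksts-mobile",
    "name": "Jane Doe", "nin": "001124-10474", "nin_type": "CIVIL",
    "nin_issuing_country": "lv", "sandbox": True,
}


class ClaimError(ValueError):
    """Raised when a payload must not be accepted as a login."""


def validate_claims(claims, issuer, client_id, allow_sandbox=False, now=None, skew=60):
    """Check the payload of an ID token whose signature is already verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ClaimError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ClaimError("token was not issued to this client")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        raise ClaimError("token expired")
    if isinstance(nbf, (int, float)) and now < nbf - skew:
        raise ClaimError("token not yet valid")
    # The authorisation request travels through the browser, so acr_values
    # alone does not guarantee which eID was used: enforce it on the idp claim.
    if claims.get("idp") != EXPECTED_IDP:
        raise ClaimError("user did not authenticate with eParaksts Mobile")
    if claims.get("sandbox") and not allow_sandbox:
        raise ClaimError("sandbox identity presented to a production client")
    # Assumption: the application only accepts Latvian identity numbers.
    if not claims.get("nin") or claims.get("nin_issuing_country") != "lv":
        raise ClaimError("missing or unexpected national identity number")
    if not claims.get("sub"):
        raise ClaimError("missing subject")
    return {k: claims.get(k) for k in ("sub", "nin", "nin_type", "name")}
```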

Authentication REST API attributes

The Signicat Authentication REST API supports the following request and response attributes for eParaksts Mobile:

Authentication API request example

To create a session, send a POST request to the CreateSession endpoint of the Authentication REST API: https://api.signicat.com/auth/rest/sessions.

You define the parameters of the session in the payload of the request. For example:

{
  "allowedProviders": [
    "eparaksts-mobile"
  ],
  "flow": "redirect",
  "requestedAttributes": [
    "firstName",
    "lastName",
    "name",
    "nin",
    "idpId"
  ],
  "callbackUrls": {
    "success": "https://example.com/success",
    "abort": "https://example.com/abort",
    "error": "https://example.com/error"
  }
}

Key parameters:

  • allowedProviders: A list of specific eID providers allowed for authentication. In this example, passing eparaksts-mobile bypasses any other eID active in your Signicat account.
  • flow: Defines the authentication flow. redirect is the only flow supported for eParaksts Mobile.
  • requestedAttributes: Specifies the user attributes the application requests from eParaksts Mobile. See the table above for definitions.
  • callbackUrls: An object containing URLs where the user is redirected after the authentication process.

Response example

Here is a section of the response showing the user information attributes:

"subject": {
  "id": "2ULSP7fTILirGvQKmJzSX7z3pY6NIYcK4xYnu3hqIO8=",
  "idpId": "001124-10474",
  "name": "Jane Doe",
  "firstName": "Jane",
  "lastName": "Doe",
  "nin": {
    "value": "001124-10474",
    "issuingCountry": "lv",
    "type": "CIVIL"
  }
}

SAML 2.0 attributes

The SAML 2.0 integration supports the following request and response attributes for eParaksts Mobile:

Response example

Here is a section of the SAML response showing the user information attributes:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="..." ID="..." InResponseTo="..." IssueInstant="2024-11-18T13:21:19.716Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://*YOUR_SIGNICAT_DOMAIN*/auth/saml</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_59c600d2f1f8695fd2b837c6f0be0faf" IssueInstant="2024-11-18T13:21:19.736Z" Version="2.0">
<saml2:Issuer>https://*YOUR_SIGNICAT_DOMAIN*/auth/saml</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_59c600d2f1f8695fd2b837c6f0be0faf">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>XML_SIGNATURE</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>X509_CERTIFICATE</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="eparaksts-mobile">VsQFCIOdsM-brFXDGQhMyMfnlkQyeb8pNfkxq6VFppY=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_2d3e23bb30673b750e73e1f4e5b89f8e" NotOnOrAfter="2024-11-18T13:23:19.736Z" Recipient="RECIPIENT"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2024-11-18T13:21:14.737Z" NotOnOrAfter="2024-11-18T13:23:19.737Z">
<saml2:AudienceRestriction>
<saml2:Audience>ENTITY_ID</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="idpId">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">001124-10474</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="nin">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">001124-10474</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="nin.issuingCountry">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">lv</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="nin.type">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">CIVIL</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="name">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Jane Doe</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="firstName">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Jane</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="lastName">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Doe</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthnStatement AuthnInstant="2024-11-18T13:21:19.737Z" SessionIndex="2dbfc164-fdff-47c9-b65f-49d64a0e46f9">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>substantial</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>eparaksts-mobile</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>