Attributes reference
When you implement iDIN to verify the identity of users accessing your online services, you request and receive personal information relevant to your use case.
To view examples of requests or responses, and discover what data is available per authentication protocol, visit the respective pages:
- iDIN attributes in OpenID Connect (OIDC)
- iDIN attributes in SAML 2.0
- iDIN attributes in the Signicat Authentication REST API
Use cases
Authentications with iDIN can follow one of these use cases:
- Login: Allow existing end-users to perform recurring authentications with your services.
- Age verification: Determine whether end-users are adults or minors.
- Identification: Onboard and verify the identity of new end-users accessing your services.
- Electronic signing: Only available on request.
The use case you choose also determines the data you receive and the plan you purchase in your agreement with Signicat. The table below shows what data is available to retrieve per use case:
To specify the use case, pass the appropriate parameters in the authorization request. You send the appropriate value(s) in the scope (OIDC) or requestedAttributes property. Note that the user experience may vary depending on the use case.
Available attributes
Attributes (scopes in OIDC) are parameters that map to personal user data.
In your authorization request, you specify what attributes to request from iDIN during authentication. After the end-user consents to share their data with you and completes authentication with iDIN, your application can retrieve the user data from an endpoint. How to do this varies per authentication protocol.
The attributes you can request depend on the use case and the billing plan in your agreement with Signicat.
Bank Identification Number (BIN)
The Bank Identification Number (BIN) is a persistent identifier specific to each issuer bank. It is unique, not shared among issuers, and consists of two parts:
- Prefix: Two-letter country code (ISO 3166-1) of the issuer bank followed by a four-letter (alphabetic) identifier (ISO 9362).
- Issuer bank specific identifier: A transportable string of max 1020 characters.
Note that BIN differs from IBAN in that it is unique per user-merchant combination.
The BIN uniquely represents a user, which makes it the ideal attribute to re-authenticate returning users.
Subject
The Subject identifies the end-user that performed an authentication transaction. After an authentication transaction, you always receive the hashed subject in the response.
In the case of iDIN, Signicat returns the hashed value of the Bank Identification Number (BIN) as the subject in the response. The table below shows how hashed and raw subjects map per protocol:
Note that we use the same hashing algorithm for all authentication protocols. Learn more about how the subject is processed in eID and Wallet Hub Concepts > Subject guide.
To also receive the raw value of BIN, as provided by iDIN, you need to request it explicitly in your authentication request using the idpId (idp-id for OIDC) parameter. To find out more, see the attribute tables for each protocol.
Age verification
Age verification allows you to verify whether end-users are 18 years old or older.
To initiate an authentication flow for Age verification, specify only the 18OrOlder (eighteen-or-older for OIDC) attribute in your authorization request, without including any other attributes, except for the optional IdpId (idp-id).
A successful authentication transaction returns a boolean (true or false) in the response, where true indicates that the end-user is 18 years old or older.
Including other attributes (scopes) in your request, for example gender, leads to an authentication flow for the Identification use case instead.
If you specify both 18OrOlder (eighteen-or-older) and dateOfBirth (date-of-birth), Signicat returns an error and the authentication fails.
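The rules above can be checked before a request leaves your application. The following is an added example, not Signicat code: it classifies a space-separated attribute string using the OIDC attribute names given on this page and reads the returned flag so that anything other than an explicit true counts as unverified. The function names, the verdict strings, skipping the standard OIDC `openid` scope and accepting the string "true" are assumptions.

```python
# Attribute names in the OIDC form used on this page; confirm the exact
# values against the attribute table for your protocol.
AGE = "eighteen-or-older"
DOB = "date-of-birth"
IDP_ID = "idp-id"              # optional, also returns the raw BIN
PROTOCOL_SCOPES = {"openid"}   # standard OIDC scope, not an iDIN attribute


def review_age_request(scope):
    """Classify a space-separated attribute string before it is sent.

    Returns (verdict, extras); extras are the attributes that move the
    request away from a pure Age verification flow.
    """
    attrs = set(scope.split()) - PROTOCOL_SCOPES
    if AGE not in attrs:
        return ("no-age-check", [])
    if DOB in attrs:
        # Documented failure: this combination returns an error.
        return ("rejected", [DOB])
    extras = sorted(attrs - {AGE, IDP_ID})
    if extras:
        # Any other attribute switches the flow to Identification,
        # which returns more personal data than an age check needs.
        return ("identification", extras)
    return ("age-verification", [])


def is_adult(value):
    """Interpret the returned flag, failing closed.

    Only boolean True or the string "true" (assumed for responses that
    serialise the flag as text) counts; a missing value, 1 or "yes"
    does not.
    """
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"
```
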
Address
The residential address of an end-user is formatted according to the following formula:
<addressIntermediate>, <internationalAddress>, country
which consists of the following attributes:
- addressIntermediate is composed of:
  - street: Street name (max 43 characters).
  - houseno: House number or "huisnummer" (max 5 numbers).
  - housenosuf: House number suffix or "huisnummertoevoeging" (max 5 numbers).
    How to enable: The house number suffix is disabled by default. To enable, go to the Dashboard > eID and Wallet Hub > eIDs, select iDIN to edit the configuration, then go to the Advanced tab and tick the Receive housenumber suffix as a separate attribute box.
  - addressextra: Additional address details (max 70 characters long).
  - postalcode: Postal code of the user's address (4 numbers and 2 letters).
  - city: Name of the city in NL.
- internationalAddress is used for non-NL addresses only. It is made up of three chunks of free text strings (intaddressline1, intaddressline2, intaddressline3) of max 70 characters.
- country: Two-letter country code in ISO 3166-1.
The expanded address field corresponds to:
street houseno housenosuf addressextra, postalcode, city, intaddressline1, intaddressline2, intaddressline3, country
Example
Pascalstreet 19 A, 0000AA, Aachen, DE
Note that missing data is not included in the response. You can learn more about the properties of these iDIN-native attributes in the official Consumer attributes table.
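The expanded address format can be rebuilt from the separate attributes and checked against the limits listed above before the data is stored. The following is an added example, not Signicat code: the function names and the decision to reject out-of-limit values are assumptions, and housenosuf is checked for length only because the page's own example uses the suffix "A".

```python
import re

# Limits as listed on this page; city has no stated limit.
MAX_LEN = {"street": 43, "housenosuf": 5, "addressextra": 70,
           "intaddressline1": 70, "intaddressline2": 70,
           "intaddressline3": 70}
PATTERNS = {"houseno": r"\d{1,5}",              # max 5 numbers
            "postalcode": r"\d{4}[A-Za-z]{2}",  # 4 numbers and 2 letters
            "country": r"[A-Z]{2}"}             # ISO 3166-1 two-letter code
LINE_ONE = ("street", "houseno", "housenosuf", "addressextra")
REST = ("postalcode", "city", "intaddressline1", "intaddressline2",
        "intaddressline3", "country")


def validate(attrs):
    """Return the sorted names of fields that are unknown or out of limits."""
    bad = []
    for name, value in attrs.items():
        if name not in LINE_ONE + REST:
            bad.append(name)
        elif name in MAX_LEN and len(value) > MAX_LEN[name]:
            bad.append(name)
        elif name in PATTERNS and not re.fullmatch(PATTERNS[name], value):
            bad.append(name)
    return sorted(bad)


def expand_address(attrs):
    """Build the expanded address string, leaving out missing data."""
    present = {k: v.strip() for k, v in attrs.items() if v and v.strip()}
    bad = validate(present)
    if bad:
        raise ValueError("address fields outside documented limits: "
                         + ", ".join(bad))
    # Street-level parts are separated by spaces, the rest by commas.
    first = " ".join(present[k] for k in LINE_ONE if k in present)
    parts = [first] + [present[k] for k in REST if k in present]
    return ", ".join(p for p in parts if p)
```
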
First name
Note that iDIN does not return the first name of the end-user.