iDIN attributes in SAML 2.0
This page contains information about the user attributes that you can request and retrieve from iDIN when using SAML 2.0 as an authentication protocol.
Attributes table
iDIN provides the following data:
For further details about attributes and data formats, see the official iDIN documentation - Consumer attributes.
To initiate an Age verification flow, request only the 18OrOlder attribute in your authorization request, with no other scopes except the optional idpId.
Including other scopes in your request causes an error or initiates an authentication for a different use case. Learn more in the Age verification section.
SAML 2.0 examples
Service provider metadata document
The example below shows a Service Provider (SP) metadata document to connect to iDIN:
Login
Requested attributes: idpId (optional)
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_45f42f65-39f9-4250-898e-f6297cb3f8ce" entityID="SAML Example SP">
<md:SPSSODescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate><SP_PUBLIC_SIGNING_CERTIFICATE_USED_FOR_SIGNING_REQUESTS></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://*SP_CLIENT_DOMAIN*/saml/acs" index="1" isDefault="false"/>
<md:AttributeConsumingService index="1" isDefault="false">
<md:ServiceName xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace">Login</md:ServiceName>
<md:RequestedAttribute Name="idpId"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Age verification
Requested attributes: idpId (optional), 18OrOlder
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_45f42f65-39f9-4250-898e-f6297cb3f8ce" entityID="SAML Example SP">
<md:SPSSODescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate><SP_PUBLIC_SIGNING_CERTIFICATE_USED_FOR_SIGNING_REQUESTS></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://*SP_CLIENT_DOMAIN*/saml/acs" index="1" isDefault="false"/>
<md:AttributeConsumingService index="1" isDefault="false">
<md:ServiceName xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace">Age verification</md:ServiceName>
<md:RequestedAttribute Name="idpId"/>
<md:RequestedAttribute Name="18OrOlder"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Note that including any additional scopes in your request, for example gender, triggers an Identification process.
If you include both 18OrOlder and dateOfBirth in your request, Signicat returns an error and the authentication fails.
Identification
Requested attributes: idpId (optional), gender, lastName, preferredLastName, legalLastName, partnerLastName, legalLastNamePrefix, preferredLastNamePrefix, partnerLastNamePrefix, initials, dateOfBirth, address, phoneNumber, email.
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_45f42f65-39f9-4250-898e-f6297cb3f8ce" entityID="SAML Example SP">
<md:SPSSODescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate><SP_PUBLIC_SIGNING_CERTIFICATE_USED_FOR_SIGNING_REQUESTS></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://*SP_CLIENT_DOMAIN*/saml/acs" index="1" isDefault="false"/>
<md:AttributeConsumingService index="1" isDefault="false">
<md:ServiceName xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace">All attributes</md:ServiceName>
<md:RequestedAttribute Name="idpId"/>
<md:RequestedAttribute Name="gender"/>
<md:RequestedAttribute Name="lastName"/>
<md:RequestedAttribute Name="preferredLastName"/>
<md:RequestedAttribute Name="legalLastName"/>
<md:RequestedAttribute Name="partnerLastName"/>
<md:RequestedAttribute Name="legalLastNamePrefix"/>
<md:RequestedAttribute Name="preferredLastNamePrefix"/>
<md:RequestedAttribute Name="partnerLastNamePrefix"/>
<md:RequestedAttribute Name="initials"/>
<md:RequestedAttribute Name="dateOfBirth"/>
<md:RequestedAttribute Name="address"/>
<md:RequestedAttribute Name="phoneNumber"/>
<md:RequestedAttribute Name="email"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
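The attribute rules above decide which flow a metadata document triggers, so a pre-deployment check can catch a service that would request more personal data than intended. The following is an added example, not Signicat's code: the function names and the flow labels are assumptions, and the sample metadata is constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: a trimmed SP metadata document (your own, trusted file).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="SAML Example SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1" isDefault="false">
      <md:ServiceName xml:lang="en">Age verification</md:ServiceName>
      <md:RequestedAttribute Name="idpId"/>
      <md:RequestedAttribute Name="18OrOlder"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def requested_attributes(metadata_xml, index="1"):
    """Return the RequestedAttribute names of the service with the given index."""
    root = ET.fromstring(metadata_xml)
    for service in root.iter(f"{{{MD}}}AttributeConsumingService"):
        if service.get("index") == index:
            return {ra.get("Name")
                    for ra in service.findall(f"{{{MD}}}RequestedAttribute")}
    raise ValueError(f"no AttributeConsumingService with index {index}")


def classify_flow(attrs):
    """Map a set of requested attributes to the flow described on this page."""
    extra = set(attrs) - {"idpId"}          # idpId is optional in every flow
    if not extra:
        return "login"
    if extra == {"18OrOlder"}:
        return "age_verification"
    if {"18OrOlder", "dateOfBirth"} <= extra:
        return "error"                      # the combination is rejected
    return "identification"                 # any other attribute, e.g. gender


def assert_flow(metadata_xml, expected, index="1"):
    """Fail a build or deployment step when the metadata triggers another flow."""
    flow = classify_flow(requested_attributes(metadata_xml, index))
    if flow != expected:
        raise ValueError(f"metadata triggers {flow!r}, expected {expected!r}")
    return flow


if __name__ == "__main__":
    print(assert_flow(SAMPLE_METADATA, "age_verification"))
```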
Request example
SAML 2.0 request example:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AttributeConsumingServiceIndex="1"
Destination="https://*YOUR_SIGNICAT_DOMAIN*/auth/saml/login"
ID="d2d2ae0656604b839d9bf36edca452a7"
IssueInstant="2024-08-12T07:20:50.265Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">SAML Example SP</saml:Issuer>
</samlp:AuthnRequest>
Response examples
Login
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="..." ID="..." InResponseTo="..." IssueInstant="2023-07-18T13:21:19.716Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://YOUR_DOMAIN.com/auth/saml</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_59c600d2f1f8695fd2b837c6f0be0faf" IssueInstant="2023-07-18T13:21:19.736Z" Version="2.0">
<saml2:Issuer>https://YOUR_DOMAIN.com/auth/saml</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_59c600d2f1f8695fd2b837c6f0be0faf">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SIGNATURE_VALUE</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>X509_CERTIFICATE</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="idin">VsQFCIOdsM-brFXDGQhMyMfnlkQyeb8pNfkxq6VFppY=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_2d3e23bb30673b750e73e1f4e5b89f8e" NotOnOrAfter="2023-07-18T13:23:19.736Z" Recipient="RECIPIENT"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2023-07-18T13:21:14.737Z" NotOnOrAfter="2023-07-18T13:23:19.737Z">
<saml2:AudienceRestriction>
<saml2:Audience>ENTITY_ID</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="idpId">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">NLRABOtestdata8de3695d048d9da76b7c09d5a800b51897441e8ae3210731a058e</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthnStatement AuthnInstant="2023-07-18T13:21:19.737Z" SessionIndex="2dbfc164-fdff-47c9-b65f-49d64a0e46f9">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>substantial</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>idin</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Age verification
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="..." ID="..." InResponseTo="..." IssueInstant="2023-07-18T13:21:19.716Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://YOUR_DOMAIN.com/auth/saml</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_59c600d2f1f8695fd2b837c6f0be0faf" IssueInstant="2023-07-18T13:21:19.736Z" Version="2.0">
<saml2:Issuer>https://YOUR_DOMAIN.com/auth/saml</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_59c600d2f1f8695fd2b837c6f0be0faf">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SIGNATURE_VALUE</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>X509_CERTIFICATE</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="idin">VsQFCIOdsM-brFXDGQhMyMfnlkQyeb8pNfkxq6VFppY=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_2d3e23bb30673b750e73e1f4e5b89f8e" NotOnOrAfter="2023-07-18T13:23:19.736Z" Recipient="RECIPIENT"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2023-07-18T13:21:14.737Z" NotOnOrAfter="2023-07-18T13:23:19.737Z">
<saml2:AudienceRestriction>
<saml2:Audience>ENTITY_ID</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="idpId">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">NLRABOtestdata8de3695d048d9da76b7c09d5a800b51897441e8ae3210731a058e</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="18OrOlder">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">true</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthnStatement AuthnInstant="2023-07-18T13:21:19.737Z" SessionIndex="2dbfc164-fdff-47c9-b65f-49d64a0e46f9">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>substantial</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>idin</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Identification
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="..." ID="..." InResponseTo="..." IssueInstant="2023-07-18T13:21:19.716Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://YOUR_DOMAIN.com/auth/saml</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_59c600d2f1f8695fd2b837c6f0be0faf" IssueInstant="2023-07-18T13:21:19.736Z" Version="2.0">
<saml2:Issuer>https://YOUR_DOMAIN.com/auth/saml</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_59c600d2f1f8695fd2b837c6f0be0faf">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SIGNATURE_VALUE</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>X509_CERTIFICATE</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="idin">VsQFCIOdsM-brFXDGQhMyMfnlkQyeb8pNfkxq6VFppY=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_2d3e23bb30673b750e73e1f4e5b89f8e" NotOnOrAfter="2023-07-18T13:23:19.736Z" Recipient="RECIPIENT"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2023-07-18T13:21:14.737Z" NotOnOrAfter="2023-07-18T13:23:19.737Z">
<saml2:AudienceRestriction>
<saml2:Audience>ENTITY_ID</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="idpId">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">NLRABOtestdata8de3695d048d9da76b7c09d5a800b51897441e8ae3210731a058e</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="legalLastNamePrefix">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">de</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="preferredLastName">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Vries-Jansen</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="partnerLastName">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Jansen</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="initials">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">VJ</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="partnerLastNamePrefix">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">de</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="legalLastName">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Vries</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="preferredLastNamePrefix">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">de</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="fullName">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">VJ de Vries</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="lastName">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">de Vries</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="dateOfBirth">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">1975-07-25</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="email">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">info@equensworldline.nl</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="gender">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">1</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="address.fullAddress">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Pascalstreet 19 A, 0000AA, Aachen, DE</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="address.street">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Pascalstreet</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="address.houseNumber">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">19</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="address.houseNumberSuffix">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">A</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="address.city">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Aachen</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="address.postalCode">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">0000AA</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="address.country">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">DE</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="phoneNumber">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">+31203051900</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthnStatement AuthnInstant="2023-07-18T13:21:19.737Z" SessionIndex="2dbfc164-fdff-47c9-b65f-49d64a0e46f9">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>substantial</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>idin</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
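The responses above carry the fields a service provider checks before trusting any attribute: status, InResponseTo, Recipient, the validity window, Audience and the assurance level. The following is an added example, not Signicat's code, and it assumes a SAML library has already verified the assertion signature against the trusted certificate; the function names, `sp.example` and `_req1` are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample shaped like the Age verification response (signature omitted).
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req1" Version="2.0">
  <p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
  <a:Assertion ID="_a1" Version="2.0">
    <a:Subject><a:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <a:SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example/saml/acs"
          NotOnOrAfter="2023-07-18T13:23:19.736Z"/>
    </a:SubjectConfirmation></a:Subject>
    <a:Conditions NotBefore="2023-07-18T13:21:14.737Z" NotOnOrAfter="2023-07-18T13:23:19.737Z">
      <a:AudienceRestriction><a:Audience>SAML Example SP</a:Audience></a:AudienceRestriction>
    </a:Conditions>
    <a:AttributeStatement>
      <a:Attribute Name="18OrOlder"><a:AttributeValue>true</a:AttributeValue></a:Attribute>
    </a:AttributeStatement>
    <a:AuthnStatement><a:AuthnContext>
      <a:AuthnContextClassRef>substantial</a:AuthnContextClassRef>
    </a:AuthnContext></a:AuthnStatement>
  </a:Assertion>
</p:Response>"""


def parse_instant(value):
    """Parse a SAML UTC instant such as 2023-07-18T13:21:14.737Z."""
    if value is None:
        raise ValueError("missing timestamp")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, request_id, acs_url, entity_id, now, loa="substantial"):
    """Return the attributes as a dict, or raise ValueError at the first failed check."""
    def need(ok, what):
        if not ok:
            raise ValueError(what)
    root = ET.fromstring(xml_text)
    status = root.find("p:Status/p:StatusCode", NS)
    need(status is not None and status.get("Value") == SUCCESS, "status")
    assertions = root.findall("a:Assertion", NS)
    need(len(assertions) == 1, "expected exactly one assertion")
    a = assertions[0]
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    need(scd is not None and scd.get("InResponseTo") == request_id, "InResponseTo")
    need(scd.get("Recipient") == acs_url, "Recipient")
    need(now < parse_instant(scd.get("NotOnOrAfter")), "confirmation expired")
    cond = a.find("a:Conditions", NS)
    need(cond is not None, "Conditions")
    need(parse_instant(cond.get("NotBefore")) <= now
         < parse_instant(cond.get("NotOnOrAfter")), "validity window")
    audiences = [e.text for e in cond.iterfind("a:AudienceRestriction/a:Audience", NS)]
    need(entity_id in audiences, "Audience")
    ref = a.find("a:AuthnStatement/a:AuthnContext/a:AuthnContextClassRef", NS)
    need(ref is not None and ref.text == loa, "assurance level")
    return {at.get("Name"): at.findtext("a:AttributeValue", namespaces=NS)
            for at in a.iterfind("a:AttributeStatement/a:Attribute", NS)}
```

The two-minute validity window in the samples means the `now` passed in should come from a synchronised clock, and the 18OrOlder value arrives as the string `true`, not a boolean.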
Routing to issuer bank portal
You can display the issuer bank selection page directly on your side and route the end-user to the issuer authentication portal.
Make sure to list all the issuers that are active in your Signicat account. You can find the full list at https://<YOUR_ACCOUNT_DOMAIN>.com/broker/authn/idin/issuers, where <YOUR_ACCOUNT_DOMAIN> is the domain you registered in the Dashboard > Settings > Domain Management.
SAML example
To route end-users directly to the issuer authentication portal, you need to pass signicat:param:idin_idp in the RequestedAttribute in your SAML 2.0 request and specify the issuer code in the AttributeValue object. For example, to route to the ING bank authentication portal, pass INGBNL2A in the AttributeValue, as shown below:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AttributeConsumingServiceIndex="1"
Destination="https://*YOUR_SIGNICAT_DOMAIN*/auth/saml/login"
ForceAuthn="false"
ID="_aeaf5a7ddbc280bde07a1024f0574b70"
IssueInstant="2021-03-09T10:47:58.502Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ENTITY_ID</saml2:Issuer>
<!-- Scoping block -->
<saml2p:Scoping>
<saml2p:IDPList>
<saml2p:IDPEntry ProviderID="idin"/>
</saml2p:IDPList>
</saml2p:Scoping>
<!-- Extensions block -->
<saml2p:Extensions xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<req-attr:RequestedAttributes xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr">
<md:RequestedAttribute xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
Name="signicat:param:idin_idp"
isRequired="true">
<saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">
INGBNL2A
</saml2:AttributeValue>
</md:RequestedAttribute>
</req-attr:RequestedAttributes>
</saml2p:Extensions>
</saml2p:AuthnRequest>