Response examples and parameters
You use iDIN to verify the end-user's identity and obtain relevant personal details about them. This page shows examples of response data, with a description of each property, for each supported protocol.
- OpenID Connect
- Authentication REST API
- SAML 2.0
Scopes and claims mapping
Scope | OIDC claim | Example | Description |
---|---|---|---|
idp-id | idp_id | NLRABOtestdata8de... | The Bank Identification Number (BIN). BIN is a service provider-specific persistent identifier of a user and can be used to re-authenticate the user. BIN consists of two parts:
|
gender | gender | 1 | Biological sex of user. Allowed values:
|
profile | name | VJ de Vries | Concatenated full name of the user. Custom format: <initials> <family_name> |
profile | family_name | de Vries | Last name of user with prefixes. |
idin-name | idin_preferred_last_name | Vries-Jansen | Last name as preferred by user without prefixes. |
idin-name | idin_legal_last_name | Vries | Legal last name of user without prefixes. Maximum of 200 characters without numbers. |
idin-name | idin_partner_last_name | Jansen | Last name of user's registered partner. |
idin-name | idin_legal_last_name_prefix | de | Prefix of user's legal last name (i.e. "Tussenvoegsel" in Dutch). |
idin-name | idin_preferred_last_name_prefix | de | Prefix of user's preferred last name. |
idin-name | idin_partner_last_name_prefix | de | Prefix of partner's last name. |
idin-name | initials | VJ | Initials, defined as the first letter of each of the user's first names. Maximum of 24 capitalized letters. |
date-of-birth | birthdate | 19750725 | Date of birth. Format is YYYYMMDD in NEN-ISO 8601. |
eighteen-or-older | eighteen_or_older | true | Boolean field to determine whether user is 18 years old or older. |
address | address | { "formatted": "Pascalstreet 19, 0000AA, Maastricht, NL", "street_address": "Pascalstreet 19", "locality": "Maastricht", "postal_code": "0000AA", "country": "NL" } | Residential address of user. The formatted value is obtained by concatenating multiple attributes. See the same field in the Authentication REST API tab for details. |
phone | phone_number | +31203051900 | Phone number (mobile or landline) of user. |
email | email | info@equensworldline.nl | Email address of user. |
iDIN does not have a `firstName` attribute.
The scopes `date-of-birth` and `eighteen-or-older` are mutually exclusive. Choose either of them when sending a request.
Response example
This section shows a response example for the UserInfo endpoint.
Scopes: `openid`, `profile`, `idp-id`, `email`, `address`, `phone`, `gender`, `date-of-birth`, `idin-name`.
Response:
```json
{
  "idp_id": "NLRABOtestdata8de3695d048d9da76b7c09d5a800b51897441e8ae3210731a058e",
  "name": "VJ de Vries",
  "family_name": "de Vries",
  "gender": "1",
  "birthdate": "19750725",
  "email": "info@equensworldline.nl",
  "address": {
    "formatted": "Pascalstreet 19, 0000AA, Maastricht, NL",
    "street_address": "Pascalstreet 19",
    "locality": "Maastricht",
    "postal_code": "0000AA",
    "country": "NL"
  },
  "phone_number": "+31203051900",
  "idin_legal_last_name": "Vries",
  "idin_legal_last_name_prefix": "de",
  "idin_preferred_last_name": "Vries-Jansen",
  "idin_partner_last_name": "Jansen",
  "idin_preferred_last_name_prefix": "de",
  "idin_partner_last_name_prefix": "de",
  "initials": "VJ",
  "sub": "VsQFCIOdsM-brFXDGQhMyMfnlkQyeb8pNfkxq6VFppY=",
  "idp_issuer": "idin"
}
```
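One way a relying party could sanity-check these claims before acting on them, as an added example that is not Signicat's code. `parse_birthdate`, `is_adult` and `validate_claims` are hypothetical helper names, the format rules come from the claims table above, and treating a response that carries both `birthdate` and `eighteen_or_older` as a failure is an assumption.

```python
import re
from datetime import date, datetime

INITIALS_RE = re.compile(r"[A-Z]{1,24}")  # table: at most 24 capital letters

def parse_birthdate(value):
    """Parse the YYYYMMDD birthdate claim; raise ValueError for anything else."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{8}", value):
        raise ValueError("birthdate must be 8 digits (YYYYMMDD)")
    return datetime.strptime(value, "%Y%m%d").date()  # rejects e.g. 19750230

def is_adult(claims, today):
    """True/False from eighteen_or_older or birthdate; None if neither is present."""
    flag = claims.get("eighteen_or_older")
    if flag is not None:
        return flag is True or flag == "true"  # bool("false") would be True
    if "birthdate" not in claims:
        return None
    born = parse_birthdate(claims["birthdate"])
    # Adult if born on or before today's date 18 years ago.
    return (today.year - 18, today.month, today.day) >= (born.year, born.month, born.day)

def validate_claims(claims, today):
    """Return the names of failed checks; an empty list means all passed."""
    failed = []
    if claims.get("idp_issuer") != "idin":
        failed.append("idp_issuer")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        failed.append("sub")
    if "birthdate" in claims and "eighteen_or_older" in claims:
        failed.append("exclusive")  # assumption: both present is unexpected
    if "birthdate" in claims:
        try:
            if parse_birthdate(claims["birthdate"]) > today:
                failed.append("birthdate")
        except ValueError:
            failed.append("birthdate")
    if "initials" in claims and not INITIALS_RE.fullmatch(str(claims["initials"])):
        failed.append("initials")
    legal = str(claims.get("idin_legal_last_name", ""))
    if len(legal) > 200 or any(ch.isdigit() for ch in legal):
        failed.append("idin_legal_last_name")
    return failed

# Constructed sample: a subset of the UserInfo response shown above.
SAMPLE = {"idp_issuer": "idin", "sub": "VsQFCIOdsM-brFXDGQhMyMfnlkQyeb8pNfkxq6VFppY=",
          "birthdate": "19750725", "initials": "VJ", "idin_legal_last_name": "Vries"}

if __name__ == "__main__":
    print(validate_claims(SAMPLE, date(2024, 1, 1)), is_adult(SAMPLE, date(2024, 1, 1)))
```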
Supported attributes
The Signicat Authentication REST API supports the following request and response attributes for iDIN:
Attributes | Example | Description |
---|---|---|
idpId | NLRABOtestdata8de... | The Bank Identification Number (BIN). BIN is a service provider-specific persistent identifier of a user and can be used to re-authenticate the user. BIN consists of two parts:
|
gender | 1 | Biological sex of user. Allowed values:
|
name | VJ de Vries | Concatenated full name of the user. Custom format: <initials> <lastName> |
lastName | de Vries | Last name of user with prefixes. |
preferredLastName | Vries-Jansen | Last name as preferred by user without prefixes. |
legalLastName | Vries | Legal last name of user without prefixes. Maximum of 200 characters without numbers. |
partnerLastName | Jansen | Last name of user's registered partner. |
legalLastNamePrefix | de | Prefix of user's legal last name (i.e. "Tussenvoegsel" in Dutch). |
preferredLastNamePrefix | de | Prefix of user's preferred last name. |
partnerLastNamePrefix | de | Prefix of partner's last name. |
initials | VJ | Initials, defined as the first letter of each of the user's first names. Maximum of 24 capitalized letters. |
dateOfBirth | 19750725 | Date of birth. Format is YYYYMMDD in NEN-ISO 8601. |
18OrOlder | true | Boolean field to determine whether user is 18 years old or older. |
address | Pascalstreet 19, 0000AA, Maastricht, NL | Residential address of user. Returned value is in a custom format obtained concatenating <addressIntermediate>, <internationalAddress>, _country_ *, where:
_street_ ) are iDIN-native Consumer attributes. ** all address variables apply to NL addresses only, except for _intaddresslineN_ . |
phoneNumber | +31203051900 | Phone number (mobile or landline) of user. |
email | info@equensworldline.nl | Email address of user. |
For further details about attributes and data formats, see the official iDIN documentation - Consumer attributes.
iDIN does not have a `firstName` attribute.
The attributes `18OrOlder` and `dateOfBirth` are mutually exclusive. Choose either of them when sending a request. If you specify both attributes in the `requestedAttributes` field of your request, then only `18OrOlder` will be returned in the response, by default.
Response examples from the redirect flow
Below, you can find some examples of response data you receive when submitting requests to the Signicat Authentication REST API for iDIN.
iDIN with all attributes
```json
"requestedAttributes": ["idpId", "gender", "lastName", "preferredLastName", "legalLastName", "partnerLastName", "legalLastNamePrefix", "preferredLastNamePrefix", "partnerLastNamePrefix", "initials", "dateOfBirth", "address", "phoneNumber", "email"]
```
The `subject` field of the response:
```json
{
  "id": "VsQFCIOdsM-brFXDGQhMyMfnlkQyeb8pNfkxq6VFppY=",
  "idpId": "NLRABOtestdata8de3695d048d9da76b7c09d5a800b51897441e8ae3210731a058e",
  "name": "VJ de Vries",
  "lastName": "de Vries",
  "dateOfBirth": "19750725",
  "legalLastNamePrefix": "de",
  "preferredLastName": "Vries-Jansen",
  "partnerLastName": "Jansen",
  "initials": "VJ",
  "partnerLastNamePrefix": "de",
  "legalLastName": "Vries",
  "preferredLastNamePrefix": "de",
  "phoneNumber": "+31203051900",
  "gender": "1",
  "address": "Pascalstreet 19, 0000AA, Maastricht, NL",
  "email": "info@equensworldline.nl"
}
```
iDIN with age verification
```json
"requestedAttributes": ["idpId", "lastName", "18OrOlder"]
```
The `subject` field of the response:
```json
{
  "id": "VsQFCIOdsM-brFXDGQhMyMfnlkQyeb8pNfkxq6VFppY=",
  "idpId": "NLRABOtestdata8de3695d048d9da76b7c09d5a800b51897441e8ae3210731a058e",
  "name": "VJ de Vries",
  "18OrOlder": "true"
}
```
Supported attributes
SAML 2.0 Protocol Attribute | Example | Description |
---|---|---|
idpId | NLRABOtestdata8de... | The Bank Identification Number (BIN). BIN is a service provider-specific persistent identifier of a user and can be used to re-authenticate the user. BIN consists of two parts:
|
gender | 1 | Biological sex of user. Allowed values:
|
fullName | VJ de Vries | Concatenated full name of the user. Custom format: <initials> <lastName> |
lastName | de Vries | Last name of user with prefixes. |
preferredLastName | Vries-Jansen | Last name as preferred by user without prefixes. |
legalLastName | Vries | Legal last name of user without prefixes. Maximum of 200 characters without numbers. |
partnerLastName | Jansen | Last name of user's registered partner. |
legalLastNamePrefix | de | Prefix of user's legal last name (i.e. "Tussenvoegsel" in Dutch). |
preferredLastNamePrefix | de | Prefix of user's preferred last name. |
partnerLastNamePrefix | de | Prefix of partner's last name. |
initials | VJ | Initials, defined as the first letter of each of the user's first names. Maximum of 24 capitalized letters. |
dateOfBirth | 19750725 | Date of birth. Format is YYYYMMDD in NEN-ISO 8601. |
18OrOlder | true | Boolean field to determine whether user is 18 years old or older. |
address | Pascalstreet 19, 0000AA, Maastricht, NL | Residential address of user. Returned value is a field obtained by concatenating multiple attributes. See the same field in the Authentication REST API tab for details. |
phoneNumber | +31203051900 | Phone number (mobile or landline) of user. |
email | info@equensworldline.nl | Email address of user. |
iDIN does not have a `firstName` attribute.
The attributes `dateOfBirth` and `18OrOlder` are mutually exclusive. Choose either of them when sending a request.
Response example
```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="..." ID="..." InResponseTo="..." IssueInstant="2023-07-18T13:21:19.716Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://YOUR_DOMAIN.com/auth/saml</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_59c600d2f1f8695fd2b837c6f0be0faf" IssueInstant="2023-07-18T13:21:19.736Z" Version="2.0">
    <saml2:Issuer>https://YOUR_DOMAIN.com/auth/saml</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_59c600d2f1f8695fd2b837c6f0be0faf">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>...</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SIGNATURE_VALUE</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>X509_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="idin">OZWWk8DKdFYf1JzLU8zJtku0uXkPaLvnItPAHXsO29g=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_2d3e23bb30673b750e73e1f4e5b89f8e" NotOnOrAfter="2023-07-18T13:23:19.736Z" Recipient="RECIPIENT"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2023-07-18T13:21:14.737Z" NotOnOrAfter="2023-07-18T13:23:19.737Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>...</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="legalLastNamePrefix">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">de</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="preferredLastName">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Vries-Jansen</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="partnerLastName">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Jansen</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="initials">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">VJ</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="partnerLastNamePrefix">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">de</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="legalLastName">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Vries</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="preferredLastNamePrefix">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">de</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="fullName">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">VJ de Vries</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="lastName">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">de Vries</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="dateOfBirth">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">19750725</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">info@equensworldline.nl</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="gender">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">1</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="address.fullAddress">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Pascalstreet 19, 0000AA, Maastricht, NL</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="address.street">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Pascalstreet</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="address.houseNumber">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">19</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="address.city">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Maastricht</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="address.postalCode">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">0000AA</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="address.country">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">NL</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="phoneNumber">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">+31203051900</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
    <saml2:AuthnStatement AuthnInstant="2023-07-18T13:21:19.737Z" SessionIndex="2dbfc164-fdff-47c9-b65f-49d64a0e46f9">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>substantial</saml2:AuthnContextClassRef>
        <saml2:AuthenticatingAuthority>idin</saml2:AuthenticatingAuthority>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
```
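Structural checks a service provider can apply to a response like the one above, in addition to verifying the XML signature with its SAML library; this is an added example, not Signicat's code. `check_response`, the sample IDs and the `sp.example` URLs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(value):
    """Parse a timestamp such as 2023-07-18T13:21:19.736Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, now, audience, request_id, recipient):
    """Return the names of failed checks (empty list = all passed)."""
    root = ET.fromstring(xml_text)  # assumption: signature already verified elsewhere
    found = root.findall(".//a:Assertion", NS)
    if len(found) != 1:  # refuse responses with zero or several assertions
        return ["assertion-count"]
    asr, failed = found[0], []
    ref = asr.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + asr.get("ID", ""):
        failed.append("signature-reference")  # signature must cover this assertion
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        failed.append("status")
    cond = asr.find("a:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        failed.append("validity-window")
    if [e.text for e in asr.findall(".//a:Audience", NS)] != [audience]:
        failed.append("audience")
    scd = asr.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or (scd.get("InResponseTo"), scd.get("Recipient")) != (request_id, recipient):
        failed.append("subject-confirmation")
    return failed

# Constructed sample: the response above reduced to the elements that are checked.
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
 <saml2:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml2:Subject><saml2:SubjectConfirmation><saml2:SubjectConfirmationData
    InResponseTo="_req1" Recipient="https://sp.example/acs"/></saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2023-07-18T13:21:14.737Z" NotOnOrAfter="2023-07-18T13:23:19.737Z">
   <saml2:AudienceRestriction><saml2:Audience>https://sp.example</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
 </saml2:Assertion>
</saml2p:Response>"""
```

The two-minute window in the sample mirrors the `NotBefore`/`NotOnOrAfter` values in the response above, so `now` must come from a synchronized clock.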
IdP discovery
When authenticating end-users with iDIN, you can restrict which providers/banks to include in the authentication process. You can achieve this with additional parameters that vary depending on the authentication protocol of your integration.
You can view the list of iDIN issuers active in your Signicat account at `https://<YOUR_ACCOUNT_DOMAIN>.com/broker/authn/idin/issuers`, where `<YOUR_ACCOUNT_DOMAIN>` is the domain you registered in the Dashboard Domain management.
Example with OIDC
With OIDC, you specify which iDIN issuer to show with the `idin_idp` parameter in the ACR values. For example, to only display Currence Issuer, pass the following query parameter in your authorization request:
acr_values=idin_idp:CURRNL2A
Learn more about IdP discovery (provider) functionality in the respective protocol documentation: