Attributes reference

You use itsme® to verify end-user identity and obtain relevant personal details.

This page shows what end-user information you can retrieve for a given authentication protocol.

Note

Use of the Belgian RRN (national identity number) is subject to specific legislation. For certain uses, you must obtain specific authorisation by FOD/SPF IBZ. For more details, refer to the applicable laws (for example, this one or other updated, applicable laws).

Available attributes

Attributes (scopes in OIDC) allow your application to specify the desired set of user data for each identity verification process. The attributes an application should request depend on which user information your application needs.

After the end-user consents to share the requested attributes and completes an identity verification process, you can retrieve their personal details.

itsme® services and attributes

With itsme®, specific attributes map to different scenarios (itsme® services) to verify a person's digital identity.

The scopes/attributes you specify in your authorization request determine which itsme® service you trigger for your end-users. The tables on this page show which scopes/attributes result in an Authentication or an Identification service.

For details about the itsme® services offered by Signicat, see the About itsme® documentation.

OIDC scopes and claims

With OIDC, you specify scopes in the authorization request that triggers an identity verification flow.

After the end-user verifies themselves and the flow is complete, you can retrieve the claims in the ID Token or through the UserInfo endpoint.

OIDC Authentication service

Use any combination of the following OIDC scopes in your request to perform an itsme® Authentication service:

Subject ID for login

The subject ID (returned in the sub claim) uniquely identifies a given user account. The sub claim does not change over time, even if other user attributes (for example, email or phone number) associated with that user account are updated.

Your application server should use the subject ID to log in end-users returning to your application. Learn more about the subject field in Concepts > Subject.

Important

Sending a request containing scopes for Authentication and Identification defaults the process to an Identification service.

For example, a request with name, date-of-birth and nin leads to an Identification service.

OIDC Identification service

Use any combination of the following OIDC scopes in your request to perform an itsme® Identification service:

Data in response

Note that itsme® may not return values for some of the claims. When a claim is not returned, the corresponding data is omitted from the JSON object of the response.

Country coverage

itsme® returns a subset of claims data for documents issued in countries other than Belgium. For details, visit the official documentation of claims at https://belgianmobileid.github.io/doc/claims/.

OIDC response example

ID token:

{
  "iss": "https://<YOUR_SIGNICAT_DOMAIN>/auth/open",
  "nbf": 1712237928,
  "iat": 1712237928,
  "exp": 1712238528,
  "aud": "<OIDC_CLIENT_ID>",
  "amr": [
    "external"
  ],
  "at_hash": "0zAbHkX...IeNDhkFoWlhKg",
  "sid": "8930E9EC6FAF...874DF7BA6FC907383",
  "sub": "tXOq9614vLHkXBkE...ZGQO02Fc98IPaHq6iRwK-ytA=",
  "auth_time": 1712237927,
  "idp": "itsme",
  "email": "test@itsme.be",
  "phone_number": "+32 453519681",
  "name": "Maxence Legrand",
  "family_name": "Legrand",
  "given_name": "Maxence",
  "gender": "female",
  "birthdate": "1981-04-24",
  "address": {
    "formatted": "Rue Royale 82 1000 Bruxelles"
  },
  "nationality": "BEL",
  "idp_issuer": "https://idp.e2e.itsme.services/v2",
  "transaction_id": "355f42c4-a1ec-a...-87af-1eaad9a89435",
  "sandbox": true
}

UserInfo:

{
  "idp_id": "rpx5rrbsn4ktvh...q4uh2iepsdat34i9vf",
  "name": "Maxence Legrand",
  "family_name": "Legrand",
  "given_name": "Maxence",
  "gender": "female",
  "birthdate": "1981-04-24",
  "email": "test@itsme.be",
  "address": {
    "formatted": "Rue Royale 82 1000 Bruxelles",
    "street_address": "Rue Royale 82",
    "locality": "Bruxelles",
    "postal_code": "1000"
  },
  "phone_number": "+32 453519681",
  "nin": "81042419835",
  "nin_type": "PERSON",
  "nationality": "BEL",
  "sub": "tXOq9614vLHkXBkE...ZGQO02Fc98IPaHq6iRwK-ytA=",
  "idp_issuer": "https://idp.e2e.itsme.services/v2"
}
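
The login rule from "Subject ID for login" and the omitted-claims note in "Data in response", as an added example (not Signicat's code). It assumes your OIDC library has already validated the ID token; the in-memory `accounts` dict, the `login` helper and all sample values are constructed for illustration, and pairing `sub` with `iss` and rejecting a UserInfo response with a different `sub` follow OpenID Connect Core rather than this page.

```python
# Claims the page warns may be omitted; test for presence, never index blindly.
PROFILE_CLAIMS = ("name", "given_name", "family_name", "birthdate",
                  "email", "phone_number", "nationality", "nin")


def login(accounts, id_claims, userinfo):
    """Return the local account for a new or returning itsme user.

    id_claims: claims of an ID token your OIDC library already validated
               (signature, iss, aud, exp). userinfo: the UserInfo response.
    accounts:  dict standing in for your user table (hypothetical store).
    """
    # OIDC Core 5.3.2: discard a UserInfo response whose sub differs.
    if userinfo.get("sub") != id_claims["sub"]:
        raise ValueError("UserInfo sub does not match ID token sub")
    # sub is only unique per issuer, so the lookup key is the (iss, sub) pair.
    key = (id_claims["iss"], id_claims["sub"])
    account = accounts.setdefault(key, {"profile": {}})
    merged = {**id_claims, **userinfo}
    for claim in PROFILE_CLAIMS:
        if claim in merged:  # omitted claim: keep the stored value
            account["profile"][claim] = merged[claim]
    return account


# Constructed sample values shaped like the responses above (not real data).
ISS = "https://signicat.example/auth/open"
accounts = {}
first = login(accounts,
              {"iss": ISS, "sub": "constructed-sub-A", "email": "test@itsme.be"},
              {"sub": "constructed-sub-A", "nin": "81042419835"})
# Same person later, e-mail changed and nin not requested: same account.
again = login(accounts,
              {"iss": ISS, "sub": "constructed-sub-A",
               "email": "changed@example.test"},
              {"sub": "constructed-sub-A"})
# Different sub presenting the old e-mail: a separate account, never a match.
other = login(accounts,
              {"iss": ISS, "sub": "constructed-sub-B", "email": "test@itsme.be"},
              {"sub": "constructed-sub-B"})
```

Keeping the stored value when a claim is omitted is a policy choice of this example; an application that must reflect only freshly returned data would clear it instead.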

Signicat Authentication REST API attributes

The Signicat Authentication REST API supports the following request attributes for itsme®.

REST API Authentication service

Use any combination of the following attributes in your request to perform an itsme® Authentication service:

Important

Sending a request containing scopes for Authentication and Identification defaults the process to an Identification service.

For example, a request with name, dateOfBirth and nin leads to an Identification service.

REST API Identification service

Use any combination of the following attributes in your request to perform an itsme® Identification service:

Data in response

Note that itsme® may not return values for some of the attributes. When an attribute is not returned, the corresponding data is omitted from the JSON object of the response.

Country coverage

itsme® returns a subset of the data for documents issued in countries other than Belgium. For details, visit the official documentation of claims at https://belgianmobileid.github.io/doc/claims/.

Authentication API response example

Here is a section of the response showing the user information attributes:

{
  ...
  "subject": {
    "id": "tXOq9614vLHkXBkENWcZGQO02Fc98IPaHq6iRwK-ytA=",
    "idpId": "rpx5rrbsn4ktvhm3m0q4uh2iepsdat34i9vf",
    "name": "Maxence Legrand",
    "firstName": "Maxence",
    "lastName": "Legrand",
    "dateOfBirth": "1981-04-24",
    "nin": {
      "value": "81042419835",
      "issuingCountry": "BE",
      "type": "PERSON"
    },
    "address": "Rue Royale 82 1000 Bruxelles",
    "placeOfBirth": "Bruxelles",
    "nationality": "BEL"
  },
  ...
}

Subject ID and login

The subject ID (subject.id field in the JSON response) uniquely identifies a given user account. The subject ID does not change over time, even if other user attributes (for example email or phone number) associated with that user account are updated.

Your application server should use the subject ID (id field in the JSON of the response) to log in end-users returning to your application. Learn more about the subject field in Concepts > Subject.

SAML 2.0 attributes

Integrating with SAML 2.0 allows you to use the following request attributes for itsme®:

SAML Authentication service

Use any combination of the following attributes in your request to perform an itsme® Authentication service:

Important

Sending a request containing scopes for Authentication and Identification defaults the process to an Identification service.

For example, a request with name, dateOfBirth and nin leads to an Identification service.

SAML Identification service

Use any combination of the following attributes in your request to perform an itsme® Identification service:

Data in response

Note that itsme® may not return values for some of the attributes. When an attribute is not returned, the corresponding data is omitted from the response.

Country coverage

itsme® returns a subset of the data for documents issued in countries other than Belgium. For details, visit the official documentation of claims at https://belgianmobileid.github.io/doc/claims/.

SAML 2.0 response example

The following SAML response contains the outcome of an Identification service with attributes nin, name, email, nationality, idpId:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://*SP_APP_DOMAIN*/saml/acs" ID="_79c74fabd7a896ee879729c92ca6c231" InResponseTo="_064f5303e14c84a59d7eaa24b6cd3558" IssueInstant="2024-04-04T11:56:12.648Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    https://*YOUR_SIGNICAT_DOMAIN*/auth/saml
  </saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ...
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d9da2112740b886681bf7da6185d986f" IssueInstant="2024-04-04T11:56:12.657Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer>
      https://*YOUR_SIGNICAT_DOMAIN*/auth/saml
    </saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      XML_SIGNATURE
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://idp.e2e.itsme.services/v2">
        tXOq9614vLHkXBkENW...QO02Fc98IPaHq6iRwK-ytA=
      </saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_064f5303e14c84a59d7eaa24b6cd3558" NotOnOrAfter="2024-04-04T11:58:12.657Z" Recipient="https://*SP_APP_DOMAIN*/saml/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2024-04-04T11:56:07.657Z" NotOnOrAfter="2024-04-04T11:58:12.657Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>ENTITY_ID</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="name">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
          Maxence Legrand
        </saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="nin">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
          81042419835
        </saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="nin.type">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
          PERSON
        </saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
          test@itsme.be
        </saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="idpId">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
          rpx5rrbsn4ktvhm3m0...uh2iepsdat34i9vf
        </saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="nationality">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
          BEL
        </saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
    <saml2:AuthnStatement AuthnInstant="2024-04-04T11:56:12.657Z" SessionIndex="fbd7098e-f7bd-4291-820a-70c9c2c0dff0">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
        </saml2:AuthnContextClassRef>
        <saml2:AuthenticatingAuthority>
          https://idp.e2e.itsme.services/v2
        </saml2:AuthenticatingAuthority>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
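
Reading the attributes out of an assertion like the one above, as an added example (not Signicat's code). It assumes your SAML library has already verified the XML signature and hands over exactly the signed Assertion element; `read_assertion`, the trimmed sample and its identifiers are constructed here, and production code should parse with a hardened XML parser such as defusedxml.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _ts(value):
    # SAML instants are UTC with a trailing Z, e.g. 2024-04-04T11:56:07.657Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def read_assertion(xml_text, entity_id, request_id, acs_url, now):
    """Return (subject_id, attributes); raise ValueError on a failed check.
    Does not verify signatures: xml_text must be the already-verified element."""
    a = ET.fromstring(xml_text)
    cond = a.find("s:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore", "")) <= now
                            < _ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("assertion outside its validity window")
    audiences = [(e.text or "").strip() for e in cond.iterfind(".//s:Audience", NS)]
    if entity_id not in audiences:
        raise ValueError("assertion issued for another service provider")
    scd = a.find("s:Subject/s:SubjectConfirmation/s:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id \
            or scd.get("Recipient") != acs_url:
        raise ValueError("assertion does not answer this request")
    subject_id = a.findtext("s:Subject/s:NameID", "", NS).strip()
    if not subject_id:
        raise ValueError("assertion carries no subject ID")
    # Values arrive padded with whitespace, as in the sample above; attributes
    # itsme did not return are simply absent from the dict.
    attrs = {at.get("Name"): at.findtext("s:AttributeValue", "", NS).strip()
             for at in a.iterfind("s:AttributeStatement/s:Attribute", NS)}
    return subject_id, attrs


# Constructed sample trimmed from the response above (signature omitted).
SAMPLE = """<s:Assertion xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion">
<s:Subject><s:NameID>
constructed-subject-id
</s:NameID><s:SubjectConfirmation><s:SubjectConfirmationData
 InResponseTo="_req1" Recipient="https://sp.example/saml/acs"/>
</s:SubjectConfirmation></s:Subject>
<s:Conditions NotBefore="2024-04-04T11:56:07.657Z"
 NotOnOrAfter="2024-04-04T11:58:12.657Z"><s:AudienceRestriction>
<s:Audience>ENTITY_ID</s:Audience></s:AudienceRestriction></s:Conditions>
<s:AttributeStatement><s:Attribute Name="nin"><s:AttributeValue>
81042419835
</s:AttributeValue></s:Attribute></s:AttributeStatement>
</s:Assertion>"""
NOW = datetime(2024, 4, 4, 11, 57, tzinfo=timezone.utc)
```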