# SPID

# About SPID

This is a high-level description for readers that are unfamiliar with how SPID works.

The Public System for Digital Identity (SPID; from Italian "Sistema Pubblico di Identità Digitale") is an Italian electronic identity scheme that allows Italian citizens to access the digital services of:

  • Italian public administration.
  • Private companies or traders that have adopted it as an authentication tool to access their services.
  • Member states of the European Union that have joined the Italian eIDAS node.

SPID is a notified eIDAS scheme with three levels of assurance. SPID is regulated and administered by the Agency for Digital Italy (AgID), the technical agency of the Italian Presidency of the Council of Ministers.

# Who uses SPID

Italian citizens over 18 years old who hold a valid Italian identity document can apply for SPID at one or more of the accredited Digital Identity Providers (IdP). These are private companies accredited by AgID to issue digital identities and manage user authentication according to the rules issued by the Agency.

Digital identity providers issue SPID credentials, together with any additional security solutions (OTP via SMS or app) necessary to authenticate with a higher level of assurance.

When identifying online, users select their IdP from a list displayed after pressing the mandatory "Entra con SPID" (“Login with SPID”) button. Users authenticate with their credentials on the portal of the IdP of their choice.

# Roles in the SPID scheme

The SPID ecosystem consists of different roles:

  • Digital identity providers (or IdP): private entities authorised by AgID to create and manage users' digital identities.

  • Service providers (or SP): public or private organisations that, by enabling access to their online services through digital identity, allow fast, safe and secure use of those services.

  • Users (citizens and businesses): holders of a digital identity, certified by one or more IdPs, which they use to access the online services of the public administration and of private websites.

  • Aggregators: organisations that give the service providers they aggregate the possibility to make their services accessible through SPID without having to integrate with SPID directly.

Signicat as Aggregator

Signicat is a private Aggregator of SPID and acts as a broker between the identity provider and the service provider.

Customers that integrate SPID into their services through Signicat are referred to as Service Providers in the SPID scheme.

# Levels of Assurance (LoA)

Level of Assurance refers to the degree of confidence in the claimed identity of a person. A higher level of assurance reduces the risks and ensures a more secure transaction.

SPID provides three levels of assurance:

  • Level 1 (Low) allows access to online services with the SPID credentials alone (username and password).

  • Level 2 (Substantial) is required for services that need a higher degree of security. It combines the SPID level 1 credentials with a second factor: a temporary OTP (one-time password) access code, or an app running on a device such as a smartphone or tablet.

  • Level 3 (High) requires, in addition to the SPID level 1 credentials, further security solutions and, where applicable, physical devices such as smart cards supplied by the identity provider.

LoA

The eIDAS Regulation has established three levels of assurance for electronic identification, namely "low", "substantial" and "high", where "high" is the highest level of assurance.

To learn about the eIDAS definition of LoA, consult the EU documentation.

# SPID Flows

# Data categories

The SPID ecosystem distinguishes between two categories of end-user data:

  • Personal data
  • Extra personal (or secondary) data

Personal data includes attributes such as an individual's name, date of birth or national identity number.

Extra personal data refers to secondary information such as email, phone number or home address.

For an overview of the attributes that belong to each category, see the scopes and claims for OIDC table.

# Flows

The SPID data categories correspond to two separate flows:

  • Authentication flow returns only Personal data
  • Registration flow returns both Personal and Extra personal data

These two SPID flows control and limit access to specific attributes of an individual's data. When identifying online, end-users give their consent to share specific data attributes with third parties.

As a customer, you can choose between Authentication and Registration flows when setting up SPID with OIDC.

# SAML metadata

The SPID system is based on the SAML 2.0 protocol. SAML is an authentication protocol that relies on metadata (XML-based documents) to exchange information between entities, such as a service provider and an identity provider. A metadata file contains an X.509 certificate, endpoints and other information needed to communicate with another entity. An example of the metadata used by SPID is published online.

Metadata is hosted and made publicly available on the service provider domain. AgID manages the registration of metadata for new service providers when they join the SPID federation. AgID is responsible for sharing the metadata with the identity providers.

As a customer, you receive a metadata file with information about your organisation when applying for SPID integration with Signicat.
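As an added example (not Signicat's or AgID's code), the following script parses SP metadata of the shape described above and runs the basic checks a relying party would make before trusting it: it extracts the entityID, the AssertionConsumerService endpoints and the SHA-256 fingerprint of each signing certificate, and flags unsigned AuthnRequests, a missing signing key or non-HTTPS endpoints. The embedded metadata, its example.org URLs and its certificate bytes are constructed placeholders, not a real SPID registration.

```python
# Added example (not Signicat's or AgID's code): parse SAML 2.0 SP metadata and check it.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (example.org URLs, placeholder cert bytes), not a real SPID registration.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 DER").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/spid">
  <md:SPSSODescriptor AuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/spid/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entityID, ACS endpoints and SHA-256 fingerprints of signing certs."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    fingerprints = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means both uses
            b64 = kd.findtext(".//ds:X509Certificate", namespaces=NS) or ""
            der = base64.b64decode("".join(b64.split()))  # certs are often line-wrapped
            fingerprints.append(hashlib.sha256(der).hexdigest())  # value worth pinning
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:AssertionConsumerService", NS)],
        "signing_cert_sha256": fingerprints,
    }

def check_sp_metadata(info: dict) -> list:
    """Return findings as strings; an empty list means nothing to flag."""
    findings = []
    if not info["authn_requests_signed"]:
        findings.append("AuthnRequestsSigned is not true")
    if not info["signing_cert_sha256"]:
        findings.append("no signing certificate published")
    for _binding, location in info["acs"]:
        if not location.startswith("https://"):
            findings.append(f"non-HTTPS AssertionConsumerService: {location}")
    return findings
```

Running the same checks against a metadata file you receive lets you compare the published certificate fingerprint with the one you expect before the exchange goes live.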

Last updated: 11/04/2024 07:47 UTC