Public System for Digital Identity (SPID)
About SPID
If you are new to SPID, you can learn more about how SPID works on this page.
The Public System for Digital Identity (SPID; from Italian "Sistema Pubblico di Identità Digitale") is an Italian electronic identity scheme that allows Italian citizens to access the digital services of:
- The Italian public administration.
- Private companies or traders that require it as a log-in method.
- Other European Union member states, via the Italian eIDAS node.
SPID is a notified eIDAS scheme with three levels of assurance. SPID is regulated and administered by the Agency for Digital Italy (AgID), the technical agency of the Italian Presidency of the Council of Ministers.
Who uses SPID
Italian citizens over 18 years old with a valid Italian identity document can apply for SPID at one or more of the accredited Digital Identity Providers (IdPs). These are private companies accredited by AgID to provide digital identities and manage user authentication according to the rules issued by the Agency.
Digital identity providers issue SPID credentials, together with any additional security solutions (OTP via SMS or app) necessary to authenticate with a higher level of assurance.
When identifying online, users select their IdP from a list displayed after pressing the mandatory "Entra con SPID" ("Login with SPID") button. Users authenticate with their credentials on the portal of the IdP of their choice.
Roles in the SPID scheme
The SPID ecosystem consists of different roles:
- Digital identity providers (or IdPs): private entities authorised by AgID to create and manage users' digital identities.
- Service providers (or SPs): public or private organisations that enable access to their online services through digital identity, allowing fast, safe and secure use of those services.
- Users (citizens and businesses): holders of a digital identity, certified by one or more IdPs, used to access the online services of the public administration and private websites.
- Aggregators: organisations that let the service providers they aggregate make their services accessible through SPID without having to integrate with SPID independently.
Signicat is a private Aggregator of SPID, and acts as a message broker between the identity provider and the service provider.
Customers that integrate SPID into their services through Signicat are referred to as service providers in the SPID scheme.
Levels of Assurance (LoA)
Level of Assurance refers to the degree of confidence in the claimed identity of a person. A higher level of assurance reduces the risks and ensures a more secure transaction.
SPID provides three levels of assurance:
- Level 1 (Low) allows access to online services through the SPID credentials (username and password).
- Level 2 (Substantial) is necessary for services that require a higher degree of security. Level 2 combines the SPID level 1 credentials with a temporary OTP (one-time password) access code, generated either as a code or through an app on a device such as a smartphone or a tablet.
- Level 3 (High) requires, in addition to the SPID level 1 credentials, additional security solutions and physical devices, such as smart cards, supplied by the identity provider.
The eIDAS Regulation has established three levels of assurance for electronic identification:
- Low
- Substantial
- High
where "high" is the highest level of assurance. Learn more about the eIDAS definition of LoA in the EU documentation.
SPID Flows
Data categories
The SPID ecosystem distinguishes between two categories of end-user data:
- Personal data: Includes attributes such as an individual's name, date of birth or national identity number.
- Extra personal (or secondary) data: Extends access to secondary information such as email, phone number or home address.
For an overview of the attributes that belong to each category, see the scopes and claims for OIDC table.
Flows
SPID flows define and restrict access to an individual's personal data by matching specific data categories. You can find what flows are available in the table below:
When identifying online, end-users give their consent to share specific data attributes with third parties. The data they share with you depends on the flow you integrate into your authentication.
You can set up both Authentication and Registration flows when setting up SPID with OIDC.
SAML metadata
The SPID system relies on the SAML 2.0 protocol. You can see an example of metadata used by SPID here.
SAML is an authentication protocol that uses metadata (XML-based documents) to exchange information between entities, such as a service provider and an identity provider. A metadata file contains an X.509 certificate, endpoints and other information needed to communicate with another entity.
Metadata is hosted and made publicly available on the service provider domain. In the case of SPID, AgID handles the registration of metadata for new service providers that join the SPID federation. Then, AgID is responsible for sharing the metadata with the identity providers.
As a customer, you receive a metadata file with information about your organisation when applying for SPID integration with Signicat.
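The following is an added example, not code from Signicat or AgID, showing what a service provider can read out of a SAML 2.0 metadata file like the one described above (entityID, signing certificate, endpoints) and the sanity checks worth running before the file is published and registered. The metadata, entityID, URLs and certificate body are constructed placeholders.

```python
# Added example (not Signicat's or AgID's code): parse a SAML 2.0 service-provider
# metadata file of the kind SPID relies on and run pre-publication sanity checks.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample; entityID, URLs and cert body are placeholders; SLO uses plain http on purpose.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/spid">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...CERT-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test/spid/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/spid/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def parse_sp_metadata(xml_text):
    """Extract entityID, signing flags, signing certificate(s) and endpoints."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_certs": [c.text.strip() for c in sp.findall(CERT_PATH, NS)],
        "endpoints": {tag: [(e.get("Binding"), e.get("Location")) for e in sp.findall("md:" + tag, NS)]
                      for tag in ("AssertionConsumerService", "SingleLogoutService")},
    }

def check_sp_metadata(info):
    """Return problems to fix before publishing: no signing cert, unsigned flows, non-HTTPS endpoints."""
    problems = []
    if not info["signing_certs"]:
        problems.append("no X.509 certificate in KeyDescriptor use='signing'")
    for flag in ("authn_requests_signed", "want_assertions_signed"):
        if not info[flag]:
            problems.append(f"{flag} is not true")
    for name, endpoints in info["endpoints"].items():
        for _binding, location in endpoints:
            if not (location or "").startswith("https://"):
                problems.append(f"{name} endpoint is not HTTPS: {location}")
    return problems
```

Running `check_sp_metadata(parse_sp_metadata(SAMPLE_METADATA))` flags only the plain-http SingleLogoutService endpoint in the constructed sample.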