Identity Providers
The OpenID Connect Provider from BankID offers different Identity Providers (IDP) for authenticating end users at different levels of assurance.
Each IDP option is associated with a Level of Assurance (LoA) and ACR (Authentication Context Class Reference) value.
Relying Parties (RP) can include parameters in the authorization request to request a particular IDP and Level of Assurance.
The standard parameter for this is acr_values, but for legacy reasons we also support specifying this in the login_hint parameter.
IDP | Name (amr) | LoA (acr) | AMR | Comment |
---|---|---|---|---|
BankID High | BID | urn:bankid:bid;LOA=4 | ["bid"] | Level of Assurance High (LOA 4) |
BankID Biometric | BIS | urn:bankid:bis;LOA=3 | Info | Level of Assurance Substantial (LOA 3) |
Successful authentication via one of the supported IDPs results in an ID Token being returned to the requesting OIDC Client that will contain claims for the amr and acr attributes.
Supported acr values
The acr_values parameter takes a space separated list of strings and currently supports two values:
- urn:bankid:bis - Biometric authentication using WebAuthn
- urn:bankid:bid - Authentication using BankID High.
Also, refer to the OpenID configuration acr_values_supported property for the latest list of supported acr_values.
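A relying party should confirm that the acr claim in the returned ID Token matches what it asked for, because OpenID Connect treats acr_values as a voluntary request. The sketch below is an added example, not BankID code; it assumes the acr claim has the form shown in the IDP table (e.g. urn:bankid:bid;LOA=4), that the ID Token signature has already been validated elsewhere, and that the endpoint and client values passed in are placeholders.

```python
from urllib.parse import urlencode

# acr_values listed on this page, mapped to the LoA shown in the IDP table.
LOA_BY_ACR = {"urn:bankid:bid": 4, "urn:bankid:bis": 3}


def build_authorization_url(endpoint, client_id, redirect_uri, acr_values, state, nonce):
    """Build an authorization request that asks for specific IDPs via acr_values."""
    unknown = [v for v in acr_values if v not in LOA_BY_ACR]
    if unknown:
        raise ValueError(f"unsupported acr_values: {unknown}")
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(acr_values),  # space separated list
    }
    return f"{endpoint}?{urlencode(params)}"


def parse_acr_claim(acr):
    """Split 'urn:bankid:bid;LOA=4' into ('urn:bankid:bid', 4) (assumed format)."""
    name, sep, loa = acr.partition(";LOA=")
    if not sep or not loa.isdigit():
        raise ValueError(f"unexpected acr claim format: {acr!r}")
    return name, int(loa)


def check_acr(claims, requested_acr_values):
    """Return the LoA if the token's acr is one the RP requested, else raise."""
    if "acr" not in claims:
        raise ValueError("ID Token has no acr claim")
    name, loa = parse_acr_claim(claims["acr"])
    if name not in requested_acr_values:
        # e.g. BankID High was requested but a biometric login came back
        raise ValueError(f"IDP {name} was not requested")
    if LOA_BY_ACR.get(name) != loa:
        raise ValueError(f"LoA {loa} does not match the table value for {name}")
    return loa
```

Store the requested acr_values alongside state and nonce so the callback handler can pass the same list to check_acr.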
Supported login_hint values
Using the login_hint parameter you can pre-fill the User ID (national identity number) for the session.
Any login_hint containing personal information (such as the national identity number) should be encrypted or placed in an encrypted request parameter as browser history may contain the login_hint, see encryption.
The identity provider's amr reference can be used to select the desired Identity Provider and Level of Assurance, but we recommend using acr_values for this purpose.
Warning
When pre-filling the User ID for an end user, note that the resulting authentication may specify another end user.
login_hint | Description | User ID dialogue |
---|---|---|
BID | BankID High is pre-selected and shown to the user. The user has to type in their User ID (i.e. national identity number) in the first dialogue. | Yes |
BID:07025312345 | BankID High is pre-selected along with a pre-filled User ID (i.e. national identity number). The User ID dialogue is omitted in this case. | No |
:07025312345 | The User ID is pre-selected and the User ID dialogue is omitted in this case. | No |
urn:bankid:bid | The acr value is also supported as login hint. | Yes |
BIS | BankID Biometric is pre-selected and the end users will be asked to provide their User ID (i.e. national identity number) | Yes |
BIS:21122112222 | BankID Biometric is pre-selected with a pre-filled User ID (i.e. national identity number). The User ID dialogue is omitted in this case. | No |