Document toolboxDocument toolbox

Identity Providers

Introduction

The following sub-sections contain information on the BankID Identity Provider (IDP) options supported. See also information about user experience that applies for the various IDP.

Each IDP option is associated with a Name and Level of Assurance (LoA) codified via attributes called amr (Authentication Method Reference) and acr (Authentication Context Class Reference), respectively. These attributes can be included in the request from an OIDC Client to the authorize endpoint at the BankID OIDC Provider to request either a particular IDP (amr) or any IDP at a particular LoA (acr). A standard and designated request parameter exists for the acr attribute (see authorize for details). As there is no corresponding request parameter for the amr attribute, the BankID OIDC Provider supports amr values codified as part of the login_hint parameter (more on this in the section below).

Successful authentication via one of the supported IDPs results in an ID Token being returned to the requesting OIDC Client. Note that an ID Token also contain values for the amr and acr attributes, corresponding to the IDP actually being used. These values may be different from corresponding values provided in the request from the OIDC Client to the Authorize endpoint. One example is if more than one IDP option meet the amr/acr criteria of the Authorize request. In this case, an IDP selector dialog is presented for the user to resolve which IDP to use.

Remark that some IDPs must be selected by the login_hint parameter. 


IDPLogin Hint

LoA (acr)

AMR (from API Version 2)

Security LevelComment
BankID Netcentric

BID

urn:bankid:bid;LOA=4[ "bid" ]High
BankID on MobileBIMurn:bankid:bim;LOA=4[ "bim" ]High 
BankID BiometricBISurn:bankid:bis;LOA=3https://developer.bankid.no/bankid-with-biometrics/flows/code/#token-claimsSubstantialIDP selectable by login_hint only.

Login hints

The OIDC Provider from BankID supports codification of amr values as part of the login_hint request parameter to the authorize endpoint. Hence, pre-selection of the BankID IDP along with pre-selection of user-ID can be governed by supplying proper values as shown in the following table.

In the case of pre-selecting an end user, remark that the resulting authentication may specify another end user. 

login_hintDescription
BIDBankID netcentric is pre-selected and shown to the user. The user has to type in his userID in the first dialogue (i.e. national identity number)
BID:07025312345BankID netcentric is pre-selected along with a pre-selected userID (i.e. national identity number). The userID dialogue is omitted in this case. 
BIMBankID on Mobile is pre-selected and shown to the user. The user has to type in his userID in the first dialogue (i.e. mobile number and birth date)
BIM:48058567:070253BankID on Mobile is pre-selected along with a pre-selected userID (i.e. mobile number and birth date). The userID dialogue is omited in this case.
:07025312345The end user is presented with a selector dialog to determine of BankID netcentric (BID) og BankID on Mobile (BIM) is used, but the userID is pre-selected. Norwegian national number is used for BID and birth date is used for BIM (first 6 digits).
urn:bankid:bidThe acr value is also supported as login hint.
BISBankID Biometric is pre-selected and shown to the user, the end user will be queried for userID in the first dialogue (i.e. national identity number)
BIS:21122112222BankID Biometric is pre-selected with a pre-selected userID (i.e. national identity number)


login_hint containing personal information should be encrypted or placed in an encrypted request parameter. Browser history may contain the login_hint , see Jwk.