Identity Providers
- Frode Nilsen (Unlicensed)
- Kristoffer Kristoffer (Unlicensed)
Analytics
The following sub-sections contain information on the Identity Provider (IDP) options supportedby this release of the OpenID Connect Provider from BankID. See general information on user experience that applies for any IDP.
Each IDP option is associated with a Name and Level of Assurance (LoA) codified via attributes called amr (Authentication Method Reference) and acr (Authentication Context Class Reference), respectively. These attributes can be included in the request from an OIDC Client to the Authorize endpoint at the OIDC Provider to request either a particular IDP (amr) or any IDP at a particular LoA (acr). A standard and designated request parameter exists for the acr attribute. Since there is no corresponding request parameter for the amr attribute, the OIDC Provider from BankID supports amr values codified as part of the login_hint parameter.
Successful authentication via one of the supported IDPs results in an ID Token being returned to the requesting OIDC Client.
Note that an ID Token also contain values for the amr and acr attributes, corresponding to the IDP actually being used. These values may be different from corresponding values provided in the request from the OIDC Client to the Authorize endpoint. One example is if more IDP options meet the camr/acr criteria of the Authorize request. In this case an IDP selector dialog is presented for the user to resolve which IDP to use. Another example is if the selected IDP involves step-up to another IDP.
The OIDC Provider also includes a JavaScript Connector supporting all IDPs. The JS Connector is a wrapper for the REST API that simplifies integration for front-end applications and ensures that the REST API is used in the intended way.
| IDP | Name(amr) | LoA |
|---|---|---|
| BankID netcentric | BID | urn:bankid:bid;LOA=4 |
| BankID on mobile | BIM | urn:bankid:bim;LOA=4 |
Login hints
The OIDC Provider from BankID supports codification of amr values as part of the login_hint request parameter to the Authorize endpoint. Hence, pre-selection of the BankID IPD along with pre-selection of user ID can be governed by suppling proper values as shown in the following table.
login_hint | Description |
|---|---|
| BID | BankID netcentric is pre-selected and shown to the user. The user has to type inn his userID in the first dialogue (ie. national identity number) |
| BID:07025312345 | BankID netcentric is pre-selected along with a pre-selected userID (ie. national identity number). The userID dialogue is ommited in this case. |
| BIM | BankID on Mobile is pre-selected and shown to the user. The user has to type inn his userID in the first dialogue (ie. mobile number and birth date) |
| BIM:48058567:070253 | BankID on Mobile is pre-selected along with a pre-selected userID (ie. mobile number and birth date). The userID dialogue is ommited in this case. |
| :07025312345 | The end user is presented with a selector dialog to determine of BankID netcentric (BID) og BankID on Mobile (BIM) is used, but the userID is pre-selected. Norwegian national number is used for BID and birth date is used for BIM (first 6 digits). |
| urn:bankid:bid | The acr value is also supported as login hint. |