Identity Providers
Introduction
The following sub-sections contain information on the BankID Identity Provider (IDP) options supported. See also information about user experience that applies for the various IDP.
Each IDP option is associated with a Name and Level of Assurance (LoA) codified via attributes called amr (Authentication Method Reference) and acr (Authentication Context Class Reference), respectively. These attributes can be included in the request from an OIDC Client to the authorize endpoint at the BankID OIDC Provider to request either a particular IDP (amr) or any IDP at a particular LoA (acr). A standard and designated request parameter exists for the acr attribute (see authorize for details). As there is no corresponding request parameter for the amr attribute, the BankID OIDC Provider supports amr values codified as part of the login_hint parameter (more on this in the section below).
Successful authentication via one of the supported IDPs results in an ID Token being returned to the requesting OIDC Client. Note that an ID Token also contain values for the amr and acr attributes, corresponding to the IDP actually being used. These values may be different from corresponding values provided in the request from the OIDC Client to the authorize endpoint. One example is if more than one IDP option meet the amr/acr criteria of the authorize request. In this case, an IDP selector dialog is presented for the user to resolve which IDP to use.
Remark that some IDPs must be selected by the login_hint parameter.
| IDP | Login Hint | LoA | AMR (from API Version 2) | Security Level | Comment |
|---|---|---|---|---|---|
| BankID Netcentric | BID | urn:bankid:bid;LOA=4 | [ "bid" ] | High | |
| BankID on Mobile | BIM | urn:bankid:bim;LOA=4 | [ "bim" ] | High | |
| BankID Biometric | BIS | urn:bankid:bis;LOA=3 | https://developer.bankid.no/bankid-with-biometrics/flows/code/#token-claims | Substantial | IDP selectable by login_hint only. |
Login hints
The OIDC Provider from BankID supports codification of amr values as part of the login_hint request parameter to the authorize endpoint. Hence, pre-selection of the BankID IDP along with pre-selection of user-ID can be governed by supplying proper values as shown in the following table.
In the case of pre-selecting an end user, remark that the resulting authentication may specify another end user.
login_hint | Description |
|---|---|
| BID | BankID netcentric is pre-selected and shown to the user. The user has to type in his userID in the first dialogue (i.e. national identity number) |
| BID:07025312345 | BankID netcentric is pre-selected along with a pre-selected userID (i.e. national identity number). The userID dialogue is omitted in this case. |
| BIM | BankID on Mobile is pre-selected and shown to the user. The user has to type in his userID in the first dialogue (i.e. mobile number and birth date) |
| BIM:48058567:070253 | BankID on Mobile is pre-selected along with a pre-selected userID (i.e. mobile number and birth date). The userID dialogue is omited in this case. |
| :07025312345 | The end user is presented with a selector dialog to determine of BankID netcentric (BID) og BankID on Mobile (BIM) is used, but the userID is pre-selected. Norwegian national number is used for BID and birth date is used for BIM (first 6 digits). |
| urn:bankid:bid | The acr value is also supported as login hint. |
| BIS | BankID Biometric is pre-selected and shown to the user, the end user will be queried for userID in the first dialogue (i.e. national identity number) |
| BIS:21122112222 | BankID Biometric is pre-selected with a pre-selected userID (i.e. national identity number) |
login_hint containing personal information should be encrypted or placed in an encrypted request parameter. Browser history may contain the login_hint , see jwk.