The following sub-sections contain information on the Identity Provider (IDP) options supported by this release of the OpenID Connect Provider from BankID. See general information on user experience that applies for the various IDP.
Each IDP option is associated with a Name and Level of Assurance (LoA) codified via attributes called
amr (Authentication Method Reference) and
acr (Authentication Context Class Reference), respectively. These attributes can be included in the request from an OIDC Client to the authorize endpoint at the BankID OIDC Provider to request either a particular IDP (
amr) or any IDP at a particular LoA (
acr). A standard and designated request parameter exists for the
acr attribute (see authorize for details). As there is no corresponding request parameter for the
amr attribute, the BankID OIDC Provider supports
amr values codified as part of the
login_hint parameter (more on this in the section below).
Successful authentication via one of the supported IDPs results in an ID Token being returned to the requesting OIDC Client. Note that an ID Token also contain values for the
acr attributes, corresponding to the IDP actually being used. These values may be different from corresponding values provided in the request from the OIDC Client to the authorize endpoint. One example is if more than one IDP option meet the
acr criteria of the authorize request. In this case, an IDP selector dialog is presented for the user to resolve which IDP to use.
Remark that some IDPs must be selected by the
|BankID on Mobile||BIM||urn:bankid:bim;LOA=4||Securitylevel High;|
|BankID Biometric||BIS||urn:bankid:bis;LOA=3||Securitylevel Substantial; IDP selectable by login_hint only.|
The OIDC Provider from BankID supports codification of
amr values as part of the
login_hint request parameter to the authorize endpoint. Hence, pre-selection of the BankID IDP along with pre-selection of user-ID can be governed by supplying proper values as shown in the following table.
In the case of pre-selecting an end user, remark that the resulting authentication may specify another end user.
|BID||BankID netcentric is pre-selected and shown to the user. The user has to type in his userID in the first dialogue (i.e. national identity number)|
|BID:07025312345||BankID netcentric is pre-selected along with a pre-selected userID (i.e. national identity number). The userID dialogue is omitted in this case.|
|BIM||BankID on Mobile is pre-selected and shown to the user. The user has to type in his userID in the first dialogue (i.e. mobile number and birth date)|
|BIM:48058567:070253||BankID on Mobile is pre-selected along with a pre-selected userID (i.e. mobile number and birth date). The userID dialogue is omited in this case.|
|:07025312345||The end user is presented with a selector dialog to determine of BankID netcentric (BID) og BankID on Mobile (BIM) is used, but the userID is pre-selected. Norwegian national number is used for BID and birth date is used for BIM (first 6 digits).|
|BIS||BankID Biometric is pre-selected and shown to the user, the end user will be queried for userID in the first dialogue (i.e. national identity number)|
|BIS:21122112222||BankID Biometric is pre-selected with a pre-selected userID (i.e. national identity number)|
login_hint containing personal information should be encrypted or placed in an encrypted request parameter. Browser history may contain the
login_hint , see jwk.