Signicat Identity Broker
eHerkenning Broker
OwnIdP
Signicat Adapters
Broker Features
The Signicat Identity Broker provides secure and easy access to your online services. Here are the main features and specifications.
Overview
This page provides an overview of the features and specifications of the Signicat Identity Broker. We optimise and improve current features and develop new ones on a daily basis.
Account linking
The Signicat Identity Broker’s account linking functionality allows the user to link two or more identity providers. For example, an iDIN log-in can be linked to a Facebook log-in, so that subsequent use of the Facebook log-in will provide a higher assurance level and can also return iDIN attributes. That lowers the log-in threshold and reduces the cost.
Adaptable templates
You can provide your own styling to the screens that your user sees while logging in. Every screen that the Signicat Identity Broker shows to a user following log-in can be customised to reflect your corporate style. This way the user has a sense of continuity and knows they are still doing business with you while we are managing the functionalities.
Attribute decryption
The Signicat Identity Broker provides attribute decryption. It can can decrypt attributes for you so you don't have to implement your own decryption. The feature works with both SAML encryption and the polymorphic encryption used in eHerkenning and eIDAS.
Attribute mapping
Attribute mapping helps translate different attribute names into one consistent name. As a service provider who supports multiple eIDs, you want consistent log-in information from the supported systems. That can be tricky, because not every system uses the same name for a given attribute: one may refer to ’email’ and another to ’emailaddress’, for example.
The Signicat Identity Broker’s attribute mapping functionality solves that problem by translating the information into a single ‘language’. You, the service provider, decide what each attribute will be called in the Identity Broker response messages you receive.
Configurable cancel flow
Configurable cancel flow allows you to determine what happens if a user chooses to cancel an identity provider while logging in. You might want the user prompted to choose an alternative identity provider or you might want them returned to the page within your application where the authentication process started. You, the service provider, can decide what happens when a user opts to cancel part-way through logging in.
IdP-filtering
The Signicat Identity Broker only shows the appropriate identity providers (IdP) that provide the desired reliability level and attributes. The Identity Broker's IdP-filtering capability means that users are offered only those identity providers that meet the appropriate assurance level and can supply the required attributes.
IdP-scoping
You can direct the user from your application to a desired identity provider with IdP-scoping so the user will not be offered multiple identity providers to choose from within the Signicat Identity Broker. This enables you to let the user make a choice within your application, or to enforce the use of a given identity provider for a given service.
LoA mapping
Different eID systems use different names for their assurance levels. For example, the SAML standard refers to ‘Smartcard’ where eIDAS uses ‘Substantial’ and eHerkenning uses ‘LoA300’. Signicat Identity Broker’s LoA mapping translates Level of Assurance (LoA) names from different identity providers into one consistent answer. The LoA mapping functionality solves the problem by translating the information into a single ‘language’. You, the service provider, decide what each assurance level will be called in the Identity Broker response messages you receive.
Multi-factor authentication
Multi-factor authentication can be used for extra security. Often, a traditional username and password combination will not provide enough assurance. If this is the case, multi-factor authentication, and an additional layer of security, is added. Via this authentication method, multiple factors are used in combination to confirm a user's identity.
Signicat supports time-based one-time password (TOTPs). This involves using an authentication app that generates TOTPs with an algorithm. Popular authentication apps include Google Authenticator, Authy and OTP, but others can be used if preferred.
Multi-factor authentication features:
- Safer than the use of SMS codes as a second factor.
- Length code and validity are fixed (six digits and half a minute).
- The login codes are generated for free.
- The user must have a smartphone with an authentication app.
Registry attribute enrichment
Registry attribute enrichment allows you to provide additional attributes from external sources. During the authentication process, the Signicat Identity Broker can consult external data sources to obtain and communicate additional user attributes. For some external data sources, the service provider needs to be authorised to access them. Besides external data sources, Signicat also offers a solution to enrich a login with data you already have.
Universal IdP support
The Signicat Identity Broker can interface with any identity provider/eID system. Interfacing with an eID system involves uploading the metadata, then configuring the identity provider and protocol options in the Signicat Identity Broker.
The only condition is that the Identity Broker supports the protocol used by the system in question. Any system that adheres to the basic SAML or OIDC protocol presents no problem. If a system departs from the protocol, it’s necessary to find out whether the non-standard aspects are already supported, or whether adaptation is required.
Further reading:
For more information, check out our frequently asked questions page on Polymorphic Decryption and Pseudonyms.
​