Enable Verimi in your services
Verimi is a European digital identity and data platform that allows users to aggregate, save and reuse verified digital identities from various regulated sectors such as e-government, the financial sector, the insurance sector and telecommunications. Verimi is built with security and privacy as key features, giving end users full control over their personal data and how it is shared with third parties.
Users can transfer their identity data from existing accounts such as a bank or telecom account. Alternatively, this information is captured during the onboarding process at Verimi's connected partners. Once registered, users can instantly access their stored credentials and reuse them, which makes identification simpler.
Verimi currently offers support for Germany.
To enable Verimi eID through the E-Ident service, please contact our support or your sales representative.
For more information about Verimi:
Information about the end user
The information returned about the end user is listed in this table:
Name | OIDC claim | SAML attribute | Description |
Address | address | ADDRESS | The end user's address. See section "address" for more detail. |
Authentication Method | amr | AMR | See section below for possible values. |
Birth date | birthdate (requires scope=profile) | DOB | End user's birth date. |
Distinguished name | dn | DN | The distinguished name from the end user's certificate. Example: "CN=Test User" |
E-mail address | email (requires scope=email) | EMAILADDRESS | The end user's e-mail address. |
Verified e-mail address | email_verified (requires scope=email) | EMAIL_VERIFIED | This claim tells if the e-mail address has been verified or not. |
Family name | family_name (requires scope=profile) | SURNAME | End user's surname. |
Given name | given_name (requires scope=profile) | GIVENNAME | End user's first/given name. |
Full name | name (requires scope=profile) | FULLNAME | End user's full name. |
Level of Assurance | acr | ACR | Accepts acr_values as urn:eident:acrp:level:substantial or urn:eident:acrp:level:low. Always returns urn:eident:cert:eidas:substantial. |
Phone number | phone_number (requires scope=phone) | PHONE_NUMBER | The end user's phone number. |
Verified phone number | phone_number_verified (requires scope=phone) | PHONE_NUMBER_VERIFIED | This claim tells if the phone number has been verified or not. |
Document Number | document_number | DOCUMENTNUMBER | The end user's document number. |
Document Type | document_type | DOCUMENTTYPE | The end user's document type. |
Date of Expiry | date_of_expiry | DATEOFEXPIRY | The expiry date of the document held by the end user. |
Place of Birth | place_of_birth | PLACEOFBIRTH | The end user's place of birth. |
Citizenship | citizenship | CITIZENSHIP | The end user's citizenship. |
Issue Date | issue_date | ISSUE_DATE | The end user's document issue date. |
Issuing Authority | issuing_authority | ISSUING_AUTHORITY | The end user's document issuing authority. |
Verification Method | verification_method | VERIFICATION_METHOD | The verification method used by the end user while proving their identity with Verimi. |
address
If SAML returnaddress=true, or the OIDC scope contains both address and ssn, the complete address is returned in the response.
Example 1:
"address" : "{\"formatted\":\"Tempelhofer Ufer 10, 10963 Berlin, Germany\",\"street_address\":\"Tempelhofer Ufer 10\",\"locality\":\"Berlin\",\"region\":\"\",\"postal_code\":\"10963\",\"country\":\"Germany\"}"
If the OIDC scope contains address but not ssn, a minimal address is returned.
Example 2:
"address" : "{\"region\":\"\",\"country\":\"Germany\"}"
If SAML returnaddress=false or is not provided, the address is not returned in the response.
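The address value in both examples is a JSON document serialized into a string, so a relying party has to decode it a second time and can then check that it received no more address detail than it requested. The following is an added example, not code from E-Ident or Verimi; the function names are hypothetical, the samples are constructed from Example 1 and Example 2, and the "none" result for a request without the address scope is an assumption.

```python
import json

# Fields of the minimal form (Example 2); anything else marks a complete address.
MINIMAL_FIELDS = {"region", "country"}


def parse_address_claim(claims):
    """Return (level, address) with level 'none', 'minimal' or 'complete'."""
    raw = claims.get("address")
    if raw is None:
        return "none", {}
    # The claim value is itself a JSON document serialized into a string,
    # so it needs a second decode after the token payload is decoded.
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError("address claim is not valid JSON") from exc
    if not isinstance(raw, dict):
        raise ValueError("address claim must decode to a JSON object")
    if not all(isinstance(value, str) for value in raw.values()):
        raise ValueError("address fields must be strings")
    level = "minimal" if set(raw) <= MINIMAL_FIELDS else "complete"
    return level, raw


def expected_level(scopes):
    """Address detail to expect for the requested OIDC scopes.

    'none' without the address scope is this example's assumption; the page
    states only the two cases where the scope contains address.
    """
    if "address" not in scopes:
        return "none"
    return "complete" if "ssn" in scopes else "minimal"


def address_matches_request(claims, scopes):
    """True when the returned address carries exactly the detail requested."""
    return parse_address_claim(claims)[0] == expected_level(scopes)


# Constructed samples mirroring Example 1 and Example 2 above.
FULL = {"address": json.dumps({
    "formatted": "Tempelhofer Ufer 10, 10963 Berlin, Germany",
    "street_address": "Tempelhofer Ufer 10", "locality": "Berlin",
    "region": "", "postal_code": "10963", "country": "Germany"})}
MINIMAL = {"address": json.dumps({"region": "", "country": "Germany"})}
```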
Possible AMR values
The authentication method for a specific identification may be set using the amr_values parameter. The authentication method actually used is returned in the amr claim/attribute. If the amr_values parameter is not defined, the default authentication method is used.
Please note that amr_values in the request can contain both forcepkivendor and the authentication method, in the format "forcepkivendor:amr_values".
Verimi in E-Ident supports the following AMR values:
- verimi
- verimi;loa.dipp.default
- verimi;loa.dipp.2fa
- verimi;loa.dipp.default,loa.dipp.2fa
- verimi:idcard (default if amr_values is not provided)
With a request containing amr_values = "verimi", the user must authenticate with e-mail and password credentials, plus 2FA (two-factor authentication) if it is configured in the Verimi profile or required through amr_values=loa.dipp.2fa.
With a request containing amr_values = "verimi:idcard", the user must authenticate with e-mail and password credentials and must also verify their identity through one of Bank Ident, Video Ident or eID Ident, along with 2FA.
Note that the user is asked only once to configure a verified identity (passport or ID card) in the Verimi profile, and only if one is not configured already.
The amr value in the ID token will be one of the following:
- ["email"]
- ["email", "loa.dipp.default"]
- ["email", "loa.dipp.2fa"]
- ["idcard"]
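Because the amr claim reports the method actually used, a relying party that needs the ID card flow or 2FA should compare the returned claim against its own requirement instead of trusting the amr_values it sent. The following is an added example, not code from E-Ident or Verimi: the function name and the "idcard" / "2fa" / "any" policy names are hypothetical, the claims are assumed to come from an ID token whose signature, issuer, audience and expiry were already validated, and treating ["idcard"] as satisfying a 2FA policy is an assumption based on the page's statement that the ID card flow runs along with 2FA.

```python
# The acr value the table above says is always returned.
EXPECTED_ACR = "urn:eident:cert:eidas:substantial"

# The amr values the page lists for the ID token.
DOCUMENTED_AMR = (
    ["email"],
    ["email", "loa.dipp.default"],
    ["email", "loa.dipp.2fa"],
    ["idcard"],
)


def check_authentication(claims, require="idcard"):
    """Return a list of problems; an empty list means the policy is met.

    `require` is this example's own policy knob: "idcard", "2fa" or "any".
    """
    if require not in ("idcard", "2fa", "any"):
        raise ValueError(f"unknown policy: {require!r}")
    problems = []
    if claims.get("acr") != EXPECTED_ACR:
        problems.append(f"unexpected acr: {claims.get('acr')!r}")
    amr = claims.get("amr")
    # amr must be a JSON array; with a bare string such as "idcard" a test
    # like `"idcard" in amr` would become a substring match.
    if not isinstance(amr, list) or amr not in DOCUMENTED_AMR:
        problems.append(f"undocumented amr: {amr!r}")
        return problems
    if require == "idcard" and amr != ["idcard"]:
        problems.append("ID card flow required, got e-mail login")
    # Assumption: ["idcard"] satisfies a 2FA policy, because the page says
    # the ID card flow runs along with 2FA.
    if require == "2fa" and amr != ["idcard"] and "loa.dipp.2fa" not in amr:
        problems.append("2FA required but not asserted in amr")
    return problems


# Constructed sample claim sets.
IDCARD_LOGIN = {"acr": EXPECTED_ACR, "amr": ["idcard"]}
EMAIL_LOGIN = {"acr": EXPECTED_ACR, "amr": ["email"]}
EMAIL_2FA_LOGIN = {"acr": EXPECTED_ACR, "amr": ["email", "loa.dipp.2fa"]}
```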
User experience (Verimi ID Card Flow)
Step 1: For an existing user, the login page is shown.
Step 2: If the user is logging in for the first time, the steps are as follows:
a. On clicking the Login/Sign button, the user is redirected to the Verimi page.
b. If the user already has a Verimi account, he or she can proceed with "Log in". If not, the user can create a new account.
It is recommended to create a Verimi account prior to the identification/signing, as there are a few steps such as downloading the mobile app, setting up the profile with a mobile number, setting up two-factor authentication (2FA), and registering an ID card or passport.
Step 3: Because the identification/signing transaction is vital, the user must have a verified identity registered with Verimi. This requires that the user has configured an ID card or passport in the Verimi profile. The user also has the option to configure an ID card or passport during the transaction.
Step 5: For testing purposes, users can proceed with Video-Ident.
Step 6: The user is asked to fill in their details, including a real phone number.
Step 7: Once the details are filled in, the user is redirected to the video call page.
In a real scenario, the Verimi agent will call you and ask you to show your ID card or passport. The agent will ask you for your personal details. The user will receive an SMS code, which needs to be entered on the screen. Once verification is complete, the user's ID card is registered in the Verimi profile.
For the testing scenario, the sample TAN number is 123456 for success and 654321 for the failure case.
Step 8: The user can verify the passport or ID card configured in the Verimi profile.
Step 9: After successful configuration, the process is marked as completed.
User experience (Verimi Flow)
Step 1: The user logs in with e-mail address and password.
Step 2: The user can choose what information is shared as part of the identification.
Step 3: If the user has configured two-factor authentication, this step is completed on the mobile device to confirm the transaction, if required.
Preset e-mail address
The e-mail address entered in Step 1, as shown here https://www.nets.eu/developer/e-ident/eids/Pages/verimi.aspx#userexperience, can be preset by appending the presetid/login_hint parameter to the identification request. This applies only to requests containing amr_values as "verimi".
Presetid/login_hint is not supported for the Verimi IDCard flow.
Read more about presetid and login_hint for OIDC and SAML.