How does it work?
The eIDAS solution
This high level overview is designed to be understood by persons not involved with the eIDAS delivery. As a result, this description contains some simplifications. Teams implementing the eIDAS Solution must consult appropriate technical specifications and regulations to deliver a compliant eIDAS solution.
The eIDAS solution allows citizens from Member States to prove and verify their identification when accessing on-line services in other Member States. It allows citizens to authenticate themselves by using their eIDs and connecting with their Identity Provider (IdP) from their country. A high level process is as follows:
- A citizen requests an on-line service in a Member State.
- The citizen is requested to authenticate themselves by the on-line service.
- At the authentication stage, it becomes apparent that the citizen has an eID from another Member State.
- The authentication request is sent to the citizen’s country for authentication, through the eIDAS solution, to the citizen’s Identity Provider (IdP), where authentication takes place.
- The authentication result is returned to the service provider.
- Authentication is complete and the citizen can proceed with accessing the service.
The eIDAS Solution makes different eID national protocols interoperable with each other. The solution uses the eIDAS protocol to translate national identification data into a common format that is understood and used by Member States.
This makes the eIDs of Member States interoperable and accepted in other Member States, opening new possibilities and opportunities for citizens to use services across borders.
The animation below illustrates how the use of the eIDAS protocol and the implementation of eIDAS-Nodes allow for communication between independent national eID scheme architectures, supporting smooth cross-border authentication.
Introduction to the eIDAS-Node
The eIDAS Network consists of a series of eIDAS-Nodes implemented at the Member State level.
An eIDAS-Node can act either as requester or as provider of cross-border authentication. The Member State requesting authentication is called the Receiving Member State while the Member State providing the authentication is called the Sending Member State.
1. Request a cross-border authentication
When an online service (also known as the Service Provider) connected to a national eID scheme encounters a user from another Member State (at the user identification stage), it issues an authentication request to the citizen’s home country. This request is translated into the eIDAS protocol. It is then routed through the eIDAS-Node of the Service Provider's country (the Receiving Member State) to request cross-border authentication via the eIDAS-Node of the user's country (the Sending Member State). The component of the eIDAS-Node used to make requests for cross-border authentications is called the eIDAS-Connector.
2. Provide a cross-border authentication
After a user requests a service in another Member State, the eIDAS-Node in the home country of the user (the Sending Member State) will provide the cross-border authentication through the eIDAS-Service. The eIDAS-Service can be integrated and operated in two ways:
- eIDAS-Proxy-Service: an eIDAS-Service operated by the Sending Member State and providing personal identification data.
- eIDAS-Middleware-Service: an eIDAS-Service running Middleware provided by the Sending MS, operated by the Receiving MS and providing personal identification data. This requires a Middleware-Service to be integrated with the eIDAS-Connector in the premises of the Receiving Member State.
Note: Some eID systems have, by their nature, no central component; the corresponding eID schemes can be integrated into the eIDAS Network via the middleware integration model.
Provision of common interfaces
Given the need for different parties to be connected to the eIDAS Network, the eIDAS-Node provides several interfaces:
- Interface for National Identity Providers: This Member State-specific interface is used to connect the eIDAS-Node in the user’s Member State to their National Identity Provider.
- Interface for Service Providers in the Member State where the eIDAS-Node is deployed: A Member State’s eIDAS-Node has an interface to communicate with multiple Service Providers in that Member State. Through this interface, the Service Provider sends authentication requests to the eIDAS-Node (potentially via a local Identity Provider, but this depends on the individual Member State's solution) and receives the authentication responses.
- Interface to other eIDAS-Nodes in Member States: An eIDAS-Node has an interface for communication with eIDAS-Nodes in other Member States. This results in the cross-border interoperability of the eID solution. This interface is established through the eIDAS-Connector, on one side, and the eIDAS-Service, on the other side. These respectively correspond to requesting and to providing identity information.
Moreover, the eIDAS-Connector offers the user a possibility to select their national Member State whose notified eID scheme is to be used for authentication, if the user’s Member State was not already pre-selected by the requesting relying party (Service Provider).
The role of the eIDAS protocol
The eIDAS protocol allows for smooth communication between the different eIDAS-Nodes of the eIDAS Network. The main advantage of this solution is that Member States remain free to keep and develop their own protocols for authentication at the national level. Thus, no change to the national infrastructure (e.g. to communication between local Service Providers and Identity Providers) is required by the eIDAS interoperability solution.
The eIDAS-Node contains a Member State specific part which is to be implemented by Member States in order to translate between their national eID scheme protocols and the eIDAS protocol.
Note: The eIDAS protocol is intended for the purpose of cross-border authentication only. Any use of it in national infrastructure is not recommended or supported.
Overview of key components
The eIDAS solution has been developed to accommodate all Member States’ national eID Schemes to maximise interoperability.
The diagram below illustrates the main actors and components of the eIDAS architecture. The eIDAS-Nodes communicate with each other by translating the national protocols of Member States A and B into the eIDAS protocol.
- Two Member States:
  - Sending Member State, whose eID scheme is used in the authentication process, and which sends authenticated ID data to the receiving Member State; and
  - Receiving Member State, where the relying party requesting an authentication of a person is based.
- A user (natural or legal person).
- A Service Provider (public administration or private online Service Provider).
- The eIDAS-Nodes of both Member States are involved, each consisting of:
  - a Connector, including the Member State specific part;
  - a Proxy-Service or Middleware-Service, including the Member State specific part;
  - one or more Member State Middleware-Services for communication with Middleware countries.
  (Note: Member State specific parts need to be implemented by each Member State in order to translate between their national eID scheme protocols and the eIDAS protocol.)
- A National Identity Provider in the Sending Member State which provides eID information upon successful authentication of the user. Note that the procedure of user authentication takes place between the user and the Identity Provider, thus it is outside the eIDAS Network.
- A National Identity Provider in the Receiving Member State. Depending on the individual Member State's solution design, the National Identity Provider in the Receiving Member State may be bypassed; in this case the Service Provider interacts directly with the eIDAS-Node (i.e., the eIDAS-Connector).
Overview of use cases
Due to the distinction between eIDAS-Proxy-Services and Middleware-Services, there are four different combinations possible in terms of requesting and providing cross-border authentication:
- Proxy to Proxy: A user from a proxy scheme based country accessing a service in another proxy scheme based country.
- Middleware to Proxy: A user from a middleware scheme based country accessing a service in a proxy scheme based country.
- Proxy to Middleware: A user from a proxy scheme based country accessing a service in a middleware scheme based country.
- Middleware to Middleware: A user from a middleware scheme based country accessing a service in another middleware scheme based country.
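The flow described on this page (Service Provider, then the eIDAS-Connector of the Receiving Member State, then the eIDAS-Service of the Sending Member State, then the national Identity Provider, and the result back again), the translation of national data into a common format by the Member State specific part, and the four Proxy/Middleware combinations that decide where the eIDAS-Service is operated, as an added Python simulation. This is illustrative code written for this page; it is not part of the page and not the eIDAS-Node software. The Member State codes A to D follow the page's hypothetical countries, but the national field names, the common-format keys, the IdP records and credentials, and the issuer check in the Connector are all constructed assumptions; the real eIDAS protocol messages, attribute names and signing are not reproduced.

```python
"""Added example: a toy simulation of cross-border authentication through
eIDAS-Nodes.  Member State codes, national field names, common-format keys and
IdP records are constructed; this is not the eIDAS protocol or node software."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed common-format keys (stand-ins, not the real eIDAS attribute names).
COMMON_KEYS = ("person_identifier", "family_name", "first_name")


@dataclass
class MemberState:
    code: str
    model: str                         # "proxy" or "middleware": how its eIDAS-Service is integrated
    national_mapping: Dict[str, str]   # national field name -> common key (the MS specific part)
    idp_records: Dict[str, dict]       # constructed national IdP store: user id -> record


def national_to_common(ms: MemberState, record: dict) -> dict:
    """Member State specific part: translate a national record into the common format."""
    common = {ckey: record[nkey] for nkey, ckey in ms.national_mapping.items()}
    missing = set(COMMON_KEYS) - set(common)
    if missing:
        raise ValueError(f"MS {ms.code}: no national data for {sorted(missing)}")
    return common


def national_idp_authenticate(ms: MemberState, user_id: str, credential: str) -> Optional[dict]:
    """Authentication between the user and their national IdP, which happens
    outside the eIDAS Network.  Constructed check: the stored credential must match."""
    rec = ms.idp_records.get(user_id)
    if rec is None or rec["credential"] != credential:
        return None
    return {k: v for k, v in rec.items() if k != "credential"}


def eidas_service(sending: MemberState, user_id: str, credential: str) -> dict:
    """eIDAS-Service (Proxy-Service or Middleware-Service) of the Sending MS:
    obtain national authentication and answer in the common format."""
    record = national_idp_authenticate(sending, user_id, credential)
    if record is None:
        return {"issuer": sending.code, "status": "failed", "attributes": {}}
    return {"issuer": sending.code, "status": "success",
            "attributes": national_to_common(sending, record)}


def eidas_connector(receiving: MemberState, sending: MemberState,
                    user_id: str, credential: str) -> dict:
    """eIDAS-Connector of the Receiving MS: route the request to the right
    eIDAS-Service and record where that service is operated."""
    if sending.model == "proxy":
        # Proxy-Service: operated by and located in the Sending MS.
        operated_by = location = sending.code
    else:
        # Middleware-Service: software provided by the Sending MS, deployed next to
        # this Connector and operated in the premises of the Receiving MS.
        operated_by = location = receiving.code
    response = eidas_service(sending, user_id, credential)
    # Defender's check (an assumption, not stated on the page): the answer must
    # come from the Member State that was asked, otherwise the Connector rejects it.
    if response["issuer"] != sending.code:
        raise RuntimeError("response issuer does not match the requested Sending MS")
    return {"use_case": f"{sending.model} to {receiving.model}",
            "service_operated_by": operated_by, "service_location": location,
            "status": response["status"], "attributes": response["attributes"]}


def build_member_states() -> Dict[str, MemberState]:
    """Constructed sample: A and B are proxy based, C and D are middleware based."""
    proxy_map = {"id_num": "person_identifier", "surname": "family_name", "given": "first_name"}
    mw_map = {"pid": "person_identifier", "last": "family_name", "first": "first_name"}
    return {
        "A": MemberState("A", "proxy", proxy_map,
                         {"a-001": {"id_num": "A/0001", "surname": "Doe", "given": "Ana",
                                    "credential": "pw-a"}}),
        "B": MemberState("B", "proxy", proxy_map, {}),
        "C": MemberState("C", "middleware", mw_map,
                         {"c-007": {"pid": "C/0007", "last": "Roe", "first": "Carl",
                                    "credential": "pw-c"}}),
        "D": MemberState("D", "middleware", mw_map, {}),
    }


def authenticate_cross_border(states: Dict[str, MemberState], user_ms: str,
                              user_id: str, credential: str, service_ms: str) -> dict:
    """A Service Provider in service_ms asks its Connector to authenticate a
    user whose eID belongs to user_ms."""
    return eidas_connector(states[service_ms], states[user_ms], user_id, credential)


if __name__ == "__main__":
    states = build_member_states()
    for user_ms, service_ms in (("A", "B"), ("C", "A"), ("A", "C"), ("C", "D")):
        uid, cred = ("a-001", "pw-a") if user_ms == "A" else ("c-007", "pw-c")
        print(authenticate_cross_border(states, user_ms, uid, cred, service_ms))
```

Running the module walks the four combinations in the order the page lists them. The point to notice is the `service_location` field: for a proxy-based Sending Member State the eIDAS-Service sits in that country, whereas for a middleware-based one the Middleware-Service runs beside the Connector in the Receiving Member State, so the Receiving Member State is operating a component supplied by another country and must apply its own change control and monitoring to it.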
The following sections illustrate those different use cases in more detail. The use cases will feature four hypothetical Member States:
- Member State A (Proxy scheme based country)
- Member State B (Proxy scheme based country)
- Member State C (Middleware scheme based country)
- Member State D (Middleware scheme based country)