VERSION 1.1.0 MANDATORY


1. Introduction

Commission Implementing Regulation (EU) 2022/1463 sets, among others, the following requirements for user authentication and for identity and evidence matching in the context of the once-only technical system:

  • the Evidence Requesters shall rely on electronic identification means that have been issued under an electronic identification scheme notified in accordance with Regulation (EU) No 910/2014 to authenticate the users,
  • the Evidence Providers or intermediary platforms responsible for the identity and evidence matching may require users to re-identify and re-authenticate for this purpose, and shall ensure that evidence is only exchanged if the conditions of Article 16(2) are met,
  • each type of evidence registered in the data service directory is accompanied by the level of assurance of the electronic identification means notified by Member States in accordance with Regulation (EU) No 910/2014.

To support the above requirements, the architecture of the OOTS should:

  • rely on the reuse of the eIDAS nodes for user authentication,
  • provide that the Data Service Directory includes, for each type of evidence registered, information about the level of assurance of the electronic identification means notified by Member States in accordance with Regulation (EU) No 910/2014,
  • enable the transmission in an evidence request of the attributes of the user, or of the user and the representative, together with the level of assurance of the electronic identification means used by the user.

Because the user is asked by the Online Procedure Portal or Intermediary Platform to authenticate with an eID means issued under an eID scheme notified in accordance with Regulation (EU) No 910/2014 (Article 11 of Regulation (EU) 2022/1463), the person identification data obtained from this authentication enables the identification of a natural or legal person, or of a natural person representing another natural person or a legal person, as defined in Article 3 of Regulation (EU) No 910/2014.

The degree of confidence in the claimed or asserted identity of the person, i.e. in the eIDAS attributes notified in accordance with Regulation (EU) No 910/2014, is reflected by the level of assurance of the eID means used in the eIDAS authentication.

After consulting the Data Service Directory, and following the explicit request of the user to use OOTS, the evidence request is built containing the attributes of the user, or of the user and the representative, previously obtained by the Online Procedure Portal or Intermediary Platform.

When processing evidence requests, the Data Service needs to make sure that the user, acting directly or through a representative, has access only to evidence related to that specific user.

Therefore, identity and evidence matching on the Data Service side can be performed in one of two ways:

  • by using the attributes of the user received from the Online Procedure Portal or Intermediary Platform following the authentication with an eID means issued under an eID scheme notified in accordance with Regulation (EU) No 910/2014, i.e. the attributes of the minimum data set as described in Commission Implementing Regulation (EU) 2015/1501, together with other optional (common) attributes and sector specific attributes if received, OR
  • by requiring the user to re-authenticate, taking into account the Data Service's own requirements for identity and evidence matching.

The Data Service must ensure that the user attributes received in the evidence request match the attributes held by them. 


2. Evidence requesters - user authentication and use of identity attributes

2.1 Use of eIDAS attributes in OOTS

Article 11 of Commission Implementing Regulation (EU) 2022/1463 requires that the authentication on the Evidence Requester side is done using an eID means issued under an eID scheme notified under the eIDAS Regulation (Regulation (EU) No 910/2014). Following the authentication on the Evidence Requester side, the eIDAS attributes that can be used are the attributes of a natural or legal person, or of a natural person representing another natural person or a legal person.

Note that if the eID means used was issued under an eID scheme of the Member State of the Evidence Requester, there is no cross-border eIDAS flow.

The Annex of Commission Implementing Regulation (EU) 2015/1501 lists the attributes of the eIDAS minimum data set. The list comprises the mandatory attributes of the minimum data set, which must always be requested and provided, and the optional attributes of the minimum data set ("additional attributes"), which may be provided if available.

In addition there are other optional attributes which are not part of the minimum data set but which may be provided. These were known as "common attributes" in eIDAS eID Profile v1.3 and have been merged with the other optional attributes of the minimum data set in eIDAS eID Profile v1.4. They are attributes common to all domains, in contrast with the sector specific attributes, which are specific to one domain and can be found here. The sector specific attributes are described in section 2.7 "Sector specific attributes" of the eIDAS Attribute Profile version 1.4 as attributes beyond the minimum data set that may be defined by Member State and domain experts and included in the eIDAS Node metadata.

Figure 1. Person identification data that may be obtained using eIDAS authentication

In addition to the mandatory attributes of the eIDAS minimum data set, the Online Procedure Portal or Intermediary Platforms may request optional attributes of the eIDAS minimum data set and/or sector specific attributes that may be made available via the eID scheme used, if it is allowed by the national law and if the user gives their consent for this purpose. This is usually done in order to increase the success rate of identity and record matching done on the side of the Online Procedure Portal.

The identity attributes of the user received by the Evidence Requester following the authentication with an eID means issued under an eID scheme notified in accordance with Regulation (EU) No 910/2014 are included in the evidence request, with the exception of the Unique Identifier of natural persons in the specific cases described in section 2.3 eIDAS Unique Identifier for Natural Persons below.

The electronic identification means used in the eIDAS authentication has a Level of Assurance which will be linked to the eIDAS assertion. This Level of Assurance will be included in the evidence request.

Identification and authentication performed by the Online Procedure Portal or Intermediary Platforms for the purpose of using OOTS must use electronic identification schemes that have been notified by a Member State in accordance with Regulation (EU) No 910/2014. If access to the procedure has been granted without fulfilling this requirement, the Online Procedure Portal or Intermediary Platform must ask the user to authenticate in accordance with the above requirement before using OOTS.

2.2 Mandatory attributes of the eIDAS minimum data set for Natural Persons

Mandatory attributes of the eIDAS minimum data set must always be requested and provided during the eIDAS authentication.

Attribute (Friendly) Name | eIDAS MDS Attribute | ISA Core Vocab Equivalent | Notes                 | Transliteration supported (YES/NO)
FamilyName                | Current Family Name | cbc:FamilyName            | Encoded as xsd:string | YES
FirstName                 | Current First Names | cvb:GivenName             | Encoded as xsd:string | YES
DateOfBirth               | Date of Birth       | cvb:BirthDate             | Encoded as xsd:date   | NO
PersonIdentifier          | Unique Identifier   | cva:Cvidentifier          | Encoded as xsd:string | NO

Mandatory attributes of the eIDAS minimum data set for Natural Persons, eIDAS SAML Attribute Profile V1.4, 31 October 2023

These attributes are included in the evidence request, with the exception of the Unique Identifier where the issuing Member State derives it per receiving Member State. For more information on the Unique Identifier see the next section.

2.3 eIDAS Unique Identifier for Natural Persons

Identity matching is typically done by looking up and matching the identity received with the identities registered.

For this purpose, the eIDAS Unique Identifier (eIDAS UID) can only be directly used if it is already known by the Evidence Requester. This may be true in cases where the Evidence Requester has already linked the eIDAS UID to a known identifier or has access to such record.

The eIDAS UID is a mandatory attribute and is defined in the eIDAS SAML Attribute Profile.

Extract from eIDAS SAML Attribute Profile v1.4., 31 October 2023

"The unique identifier consists of:

1. The first part is the Nationality Code of the identifier

  • This is one of the ISO 3166-1 alpha-2 codes or "EL" for Greece [1], followed by a slash ("/")

2. The second part is the Nationality Code of the destination country or international organization

  • This is one of the ISO 3166-1 alpha-2 codes or "EL" for Greece, followed by a slash (“/“)

3. The third part a combination of readable characters

  • This uniquely identifies the identity asserted in the country of origin but does not necessarily reveal any discernible correspondence with the subject's actual identifier (for example, username, fiscal number etc)

Example: ES/AT/02635542Y (Spanish eID Number for an Austrian SP)"

Figure 2. Reproduced from Figure 2 of the eIDAS SAML Attribute Profile v1.4, 31 October 2023

-----------

1 In case of Greece, the value of the Nationality Code MUST be "EL" instead of "GR" defined in ISO 3166-1.

Some Member States issue destination-specific identifiers. This means that the third part of the Unique Identifier, the combination of readable characters, may not have the same value for all requesting Member States. Taking the above example, the identifier of a user authenticating with a Spanish eID in Austria can be "ES/AT/02635542Y"; when authenticating in Belgium, it would not only have a different Nationality Code of the destination country but also a different third part, resulting in, for example, "ES/BE/03835542X".

This means that in such cases the eIDAS UID (PersonIdentifier) was issued for the specific context of the Evidence Requester and cannot be used by the Data Service. Therefore, for natural persons, the Evidence Requester should not include the Unique Identifier value obtained through eIDAS if the Member State that issued the identification attributes of the user, for national policy reasons, issues derived (Member State specific) Unique Identifier values that cannot be traced back to the national identifiers of the user and therefore cannot be used for matching evidence to the user.

How these outbound identifiers are generated is specific to each Member State and/or eID means.

Unless the responsible eIDAS contact point of the relevant Member State has explicitly stated that the eIDAS Unique Identifier for Natural Persons should not be sent, the received identifier is included in the Evidence Request. The list of Member States for which the eIDAS Unique Identifier for Natural Persons should not be included in the Evidence Request is published on the OOTS code repository (master branch and tagged releases):

https://code.europa.eu/oots/tdd/tdd_chapters/-/blob/master/OOTS-EDM/codelists/OOTS/UIDSuppressionCountry-CodeList.gc

Independently of whether the eIDAS Unique Identifier is sent or not, the Evidence Requester or Intermediary Platform should ensure that, in the event of an incident, it is able to reconstruct the sequence of the eIDAS authentication and the subsequent OOTS Evidence Request (for example, by logging the identifier of the eIDAS assertion together with the identifier of the Evidence Request it gave rise to).

2.4 eIDAS optional attributes for Natural Persons

The Evidence Requester may request identity attributes beyond the mandatory attributes of the eIDAS minimum data set for the purpose of identity matching.

By agreeing to the exchange of the optional attributes, users reduce ambiguity and therefore increase the likelihood of an unambiguous record match.


Optional attributes of the eIDAS minimum data set may be requested by the Evidence Requester, or Intermediary Platform where applicable, to increase the success rate of identity and record matching. 

The decision to request these attributes when available belongs to the Evidence Requester and may be based on the national identity matching requirements. 

If these optional attributes are received by the Evidence Requester, and in accordance with the national privacy policy, these attributes may be included in the evidence request sent to the Evidence Provider.


Attribute (Friendly) Name | eIDAS MDS Attribute  | ISA Core Vocab Equivalent | Notes                                                           | Transliteration supported (YES/NO)
BirthName                 | First Names at Birth | cvb:BirthName             | Encoded as xsd:string                                           | YES
BirthName                 | Family Name at Birth | cvb:BirthName             | See above re birth names                                        | YES
PlaceOfBirth              | Place of Birth       | cva:BirthPlaceCvlocation  | Encoded as xsd:string                                           | NO
CurrentAddress            | Current Address      | cva:Cvaddress             | Encoded as multiple xsd:string elements                         | NO
Gender                    | Gender               | cvb:GenderCode            | Encoded as xsd:string, restricted to: Male, Female, Unspecified | NO

Optional attributes of the eIDAS minimum data set for Natural Person, eIDAS SAML Attribute Profile V1.4., 31 October 2023

Additional optional attributes, also formerly known as "common attributes",  which are not part of the eIDAS minimum data set may be supplied by a MS if available and acceptable to national law.

Attribute (Friendly) Name | eIDAS Attribute    | ISA Core Vocab Equivalent  | Notes                                                                  | Transliteration supported (YES/NO)
Nationality               | Nationality        | cbc:Nationality            | Encoded as xsd:string, restricted to ISO 3166-1 alpha-2 country codes | NO
CountryOfBirth            | CountryOfBirth     | cva:BirthCountryCvlocation | Encoded as xsd:string, restricted to ISO 3166-1 alpha-2 country codes | NO
TownOfBirth               | TownOfBirth        | cva:BirthPlaceCvlocation   | Encoded as xsd:string                                                  | NO
CountryOfResidence        | CountryOfResidence | adminUnitL1                | Encoded as xsd:string, restricted to ISO 3166-1 alpha-2 country codes | NO
PhoneNumber               | PhoneNumber        | cbc:Telephone              | Encoded as xsd:string                                                  | NO
EmailAddress              | EmailAddress       | cbc:ElectronicEmail        | Encoded as xsd:string                                                  | NO

Optional attributes for Natural Person, eIDAS SAML Attribute Profile V1.4., 31 October 2023

More information on all eIDAS available attributes of pre-notified and notified eID schemes can be found here.

2.5 eIDAS attributes for Legal Persons

The mandatory attributes of the eIDAS minimum data set for legal persons must always be requested and provided during the eIDAS authentication.

Attribute (Friendly) Name | eIDAS MDS Attribute   | ISA Core Vocab Equivalent | Notes                | Transliteration supported (YES/NO)
LegalName                 | Current Legal Name    | cvb:LegalName             | Encoded as xs:string | YES
LegalPersonIdentifier     | Uniqueness Identifier | cvb:Cvidentifier          | Encoded as xs:string | NO

Mandatory attributes of the eIDAS minimum data set for Legal Person, eIDAS SAML Attribute Profile V1.2., 31 August 2019


In addition to these mandatory attributes, section 2.3.1 of the eIDAS SAML Attribute Profile v1.4 lists eight optional attributes that MAY be supplied by a MS if available and acceptable to national law.

Attribute (Friendly) Name | eIDAS MDS Attribute                                          | ISA Core Vocab Equivalent | Notes                                   | Transliteration supported (YES/NO)
LegalAddress              | Current Address                                              | cva:Cvaddress             | Encoded as multiple xsd:string elements | NO
VATRegistration           | VAT Registration Number                                      | cva:CvbusinessCode        | Encoded as xsd:string                   | NO
TaxReference              | Tax Reference Number                                         | cva:CvbusinessCode        | Encoded as xsd:string                   | NO
BusinessCodes             | Directive 2012/17/EU Identifier                              | cva:CvbusinessCode        | Encoded as xsd:string                   | NO
LEI                       | Legal Entity Identifier (LEI)                                | cva:CvbusinessCode        | Encoded as xsd:string                   | NO
EORI                      | Economic Operator Registration and Identification (EORI)     | cva:CvbusinessCode        | Encoded as xsd:string                   | NO
SEED                      | System for Exchange of Excise Data (SEED)                    | cva:CvbusinessCode        | Encoded as xsd:string                   | NO
SIC                       | Standard Industrial Classification (SIC)                     | cva:CvbusinessCode        | Encoded as xsd:string                   | NO

Optional attributes of the eIDAS minimum data set for Legal Person, eIDAS SAML Attribute Profile V1.4., 31 October 2023

Additional optional attributes, also formerly known as "common attributes",  which are not part of the eIDAS minimum data set may be supplied by a MS if available and acceptable to national law.

Attribute (Friendly) Name | eIDAS Attribute   | ISA Core Vocab Equivalent | Notes                 | Transliteration supported (YES/NO)
LegalPhoneNumber          | LegalPhoneNumber  | cbc:Telephone             | Encoded as xsd:string | NO
LegalEmailAddress         | LegalEmailAddress | cbc:ElectronicEmail       | Encoded as xsd:string | NO

The processing of mandatory and optional attributes for legal persons is done analogously to the processing of mandatory and optional attributes for natural persons.

This means that the mandatory attributes of the eIDAS minimum data set are always included in the evidence request (in this case including the Legal Person Unique Identifier). If attributes beyond the mandatory attributes of the eIDAS minimum data set are also received, and it is in accordance with the national privacy policy, these attributes may be included in the evidence request.


2.6  Natural and Legal Person Representative

Article 3(1) of the Regulation (EU) No 910/2014 allows the case of representation, in particular "natural person representing a legal person”. Because in reality there are more cases of representation, the eIDAS Technical subgroup has been requested by the eIDAS Cooperation Network to amend the technical specifications to include all the cases of representation.

Figure 4. Section 2.8. NATURAL AND LEGAL PERSON REPRESENTATIVE from eIDAS SAML Attribute Profile V1.4., 31 October 2023


Representative attributes MUST NOT be explicitly requested; the eIDAS response MAY nevertheless return one representative attribute set in the case of representation.

The representative attributes follow the specifications for natural persons (2.2 Mandatory attributes of the eIDAS minimum data set for Natural Persons and 2.4 eIDAS optional attributes for Natural Persons) and legal persons (2.5 eIDAS attributes for Legal Persons) as described in the eIDAS SAML Attribute Profile V1.4, 31 October 2023; they are distinguished by prefixing "Representative" to the attribute's FriendlyName element and amending the SAML attribute name with "representative". The inclusion of these attributes in the evidence request follows the same rules for mandatory and optional attributes, both for the representative (natural or legal person) and for the represented person (natural or legal person). The inclusion of the eIDAS Unique Identifier for Natural Persons of the representative follows section 2.3 eIDAS Unique Identifier for Natural Persons above.

For more information on using the OOTS for evidences related to legal persons, see 2.3 - Representation (September 2024)
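The rules of sections 2.1 to 2.6 can be checked mechanically on the Evidence Requester side: the mandatory minimum data set and the LoA are always forwarded, optional attributes only where national policy allows, a natural-person UID issued by a Member State on the suppression list is withheld, and representative attributes are treated like the subject's after stripping the "Representative" prefix. The following Python is an added example written for this page, not OOTS or eIDAS-Node code. It models the evidence request as a plain dict rather than the OOTS request schema; the country-code set, the suppression list (which contains ES here only because the page's own illustration uses a Spanish eID) and the eIDAS response are constructed for illustration; and the check that the destination part of the UID equals the requester's Member State is an added sanity check, not a rule stated on this page.

```python
"""Assemble the identity part of an OOTS evidence request from an eIDAS response.
Added example, not OOTS or eIDAS-Node code: the request is a plain dict, and the
country codes, suppression list and eIDAS response are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed subset of ISO 3166-1 alpha-2 codes; "EL" stands for Greece ("GR" is forbidden).
COUNTRY_CODES = {"AT", "BE", "DE", "EL", "ES", "FR", "IT", "NL", "PT"}
# Constructed stand-in for the UIDSuppressionCountry code list of the OOTS code repository:
# issuing Member States whose natural-person UID is receiver-specific and must not be forwarded.
UID_SUPPRESSION_COUNTRIES = {"ES"}

MANDATORY_NATURAL = {"PersonIdentifier", "FamilyName", "FirstName", "DateOfBirth"}
OPTIONAL_NATURAL = {"BirthName", "PlaceOfBirth", "CurrentAddress", "Gender", "Nationality",
                    "CountryOfBirth", "TownOfBirth", "CountryOfResidence", "PhoneNumber", "EmailAddress"}
MANDATORY_LEGAL = {"LegalPersonIdentifier", "LegalName"}
OPTIONAL_LEGAL = {"LegalAddress", "VATRegistration", "TaxReference", "BusinessCodes", "LEI",
                  "EORI", "SEED", "SIC", "LegalPhoneNumber", "LegalEmailAddress"}
REP = "Representative"  # FriendlyName prefix of the representative's attribute set
# origin code / destination code / opaque readable part (everything after the second slash)
UID_RE = re.compile(r"^([A-Z]{2})/([A-Z]{2})/(\S+)$")

@dataclass(frozen=True)
class UniqueIdentifier:
    origin: str       # Member State that issued the eID means
    destination: str  # Member State (or organisation) the UID was minted for
    value: str        # opaque part; may differ per destination

def parse_uid(uid: str) -> UniqueIdentifier:
    """Split an eIDAS PersonIdentifier into its three parts and validate both codes."""
    m = UID_RE.match(uid)
    if m is None:
        raise ValueError(f"malformed eIDAS unique identifier: {uid!r}")
    origin, destination, value = m.groups()
    for code in (origin, destination):
        if code == "GR":
            raise ValueError("Greece must be encoded as 'EL', not 'GR'")
        if code not in COUNTRY_CODES:
            raise ValueError(f"unknown nationality code {code!r}")
    return UniqueIdentifier(origin, destination, value)

def include_uid(uid: UniqueIdentifier, requester_country: str) -> bool:
    """Decide whether a natural-person UID may go into the evidence request.
    Destination check: added sanity check (a UID minted for another receiver should never
    reach this Evidence Requester).  Suppression check: the rule of section 2.3."""
    if uid.destination != requester_country:
        raise ValueError(f"UID was issued for {uid.destination}, not for {requester_country}")
    return uid.origin not in UID_SUPPRESSION_COUNTRIES

def _mds_complete(names: set[str], prefix: str = "") -> bool:
    """True if the (optionally prefixed) names contain a full natural- or legal-person MDS."""
    natural = {prefix + n for n in MANDATORY_NATURAL}
    legal = {prefix + n for n in MANDATORY_LEGAL}
    return natural <= names or legal <= names

def build_identity_attributes(eidas_attrs: dict[str, str], loa: str,
                              requester_country: str, forward_optional: bool) -> dict:
    """Map eIDAS response attributes (FriendlyName -> value) onto the evidence request.
    Mandatory MDS attributes always go in; the natural-person UID only when include_uid()
    allows; optional attributes only if national policy allows (forward_optional); the LoA
    always travels with the request.  Unknown names are not forwarded (fail closed) but listed."""
    names = set(eidas_attrs)
    if not _mds_complete(names):
        raise ValueError("mandatory minimum data set of the subject is incomplete")
    if any(n.startswith(REP) for n in names) and not _mds_complete(names, REP):
        raise ValueError("mandatory minimum data set of the representative is incomplete")
    request = {"levelOfAssurance": loa, "attributes": {}, "not_forwarded": []}
    for name, value in eidas_attrs.items():
        base = name[len(REP):] if name.startswith(REP) else name
        if base == "PersonIdentifier":
            if include_uid(parse_uid(value), requester_country):
                request["attributes"][name] = value
            else:
                request["not_forwarded"].append(name)
        elif base in MANDATORY_NATURAL | MANDATORY_LEGAL:
            request["attributes"][name] = value
        elif base in OPTIONAL_NATURAL | OPTIONAL_LEGAL and forward_optional:
            request["attributes"][name] = value
        else:
            request["not_forwarded"].append(name)
    return request

# Constructed eIDAS response: a Spanish natural person representing a Spanish legal person,
# authenticating at an Austrian Online Procedure Portal (requester country "AT").
SAMPLE_RESPONSE = {
    "LegalPersonIdentifier": "ES/AT/B12345678",
    "LegalName": "Ejemplo S.L.",
    "VATRegistration": "ESB12345678",
    "RepresentativePersonIdentifier": "ES/AT/02635542Y",
    "RepresentativeFamilyName": "García",
    "RepresentativeFirstName": "María",
    "RepresentativeDateOfBirth": "1985-03-14",
    "RepresentativeGender": "Female",
    "EmployeeNumber": "4711",  # constructed sector-specific attribute, not on the allowlist
}
```

Calling build_identity_attributes(SAMPLE_RESPONSE, "http://eidas.europa.eu/LoA/high", "AT", True) yields a request that carries the legal person's identifier and name, the representative's name, date of birth and gender, and the LoA; RepresentativePersonIdentifier (suppressed, because the issuing Member State is on the constructed list) and EmployeeNumber (not on the allowlist) are listed under not_forwarded so that the omission is visible in the audit trail. A response that lacks the mandatory set of either party, a UID minted for another receiver, or a "GR" nationality code raises ValueError before any request is built.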


2.7  Sector specific attributes

Sector specific attributes (outside the eIDAS minimum data set) that can be provided via eIDAS may similarly be requested in order to increase the success rate of identity and record matching, provided that the user has given her/his consent.

The Evidence Requester could request these attributes if available. In the case where these attributes are received and in accordance with national privacy policy and depending on the nature of the attribute, they may be sent further to the Evidence Provider as part of the evidence request.

The sector specific attribute schema must be defined and published in line with section 2.7 "Sector Specific Attributes" of the eIDAS SAML Attribute Profile (version 1.4 at the time of writing).


3. Evidence providers - identity and evidence matching

3.1. Introduction

In the context of the SDG, identification and authentication of the user serve two separate purposes:

  • to use the procedure;
  • to use the once-only technical system to retrieve a particular piece of evidence.

As set out in section 2.1, identification and authentication performed by the Online Procedure Portal or Intermediary Platforms for the purpose of using OOTS must use electronic identification schemes notified by a Member State in accordance with Regulation (EU) No 910/2014; if access to the procedure was granted without meeting this requirement, the user must be asked to authenticate accordingly before using OOTS.

The evidence providers or intermediary platforms, where applicable, may require users to re-identify and re-authenticate (see 3.2. Re-authentication by the Evidence Provider) for the purpose of identity and evidence matching, including by providing additional attributes.


3.2. Re-authentication by the Evidence Provider

This section mainly concerns Article 16(1) of Commission Implementing Regulation (EU) 2022/1463, which states that evidence providers or intermediary platforms, where applicable, may require users to re-identify and re-authenticate for the purpose of identity and evidence matching, including by providing additional attributes.

This version of the OOTS provides a 4.9 - Evidence Preview (Draft) feature in which the user interacts, via redirection, with a service provided by, or on behalf of, the Data Service, that is, a service offered from the Member State of the Evidence Provider. The component offering this service is called the Preview Space. As the operation of the Preview Space is coordinated with that of the Data Service, the Preview Space has access to all identity attributes of the user included in the evidence request. At this stage, the Preview Space and the Data Service need to determine whether the person identification data provided is sufficient for identity matching or whether the user needs to re-authenticate. Note that the requirement for re-authentication is defined by the Data Service and may include criteria beyond the identity attributes exchanged in the evidence request. When re-authentication is required, the principles set by Article 6 of Regulation (EU) No 910/2014 shall be taken into account where applicable. This means that the user would be asked to re-authenticate using one of the options below:

  • eID schemes from the Member State of the Evidence Provider, which are deemed adequate for the access to the Evidence Providers' services. This includes both notified and non-notified eID schemes.
  • eID schemes notified by other Member States in accordance to Regulation (EU) No 910/2014.

When re-authentication occurs, the Data Service must ensure that the person identification data received match the attributes held by them as follows:


Natural person:
  • The natural person attributes received match the ones held by the Data Service, following the national policy on identity matching.

Legal person:
  • The legal person attributes received match the ones held by the Data Service, following the national policy on identity matching.

Natural person representing a legal person:
  • The natural person (representative) attributes received match the ones held by the Data Service, following the national policy on identity matching.
  • The legal person (represented) attributes received match the ones held by the Data Service, following the national policy on identity matching.

Natural person representing another natural person:
  • The natural person (representative) attributes received match the ones held by the Data Service, following the national policy on identity matching.
  • The natural person (represented) attributes received match the ones held by the Data Service, following the national policy on identity matching.

If the process of identity and evidence matching does not result in a match, or if the identity matching yields two or more results:

  • an error message MUST be generated and an error report sent back to the Evidence Requester,
  • the user MUST receive an automated message explaining that the evidence cannot be provided.

Note that for the purposes of identity and evidence matching the user may be asked for additional information, as long as it is strictly necessary for locating the evidence of the right user required for the procedure the user wishes to preview.
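The matching table above, together with the rule that no match or more than one match ends the exchange with an error, can be implemented as below. This Python is an added example, not OOTS code: the register is a constructed in-memory list of natural persons (a legal person would be matched the same way against a business register), and the matching rule (a previously linked eIDAS UID first, otherwise an exact match on the normalised family name, first name and date of birth) stands in for whatever the national identity matching policy prescribes. The representative and the represented person are matched separately and each must match exactly one record; the message for the user names no attribute, an added caveat so that a failed request cannot be used to probe what the register holds.

```python
"""Identity and evidence matching on the Data Service side.  Added example, not OOTS
code: the register and the matching rule are constructed stand-ins for a national
register and the national identity matching policy."""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass
from enum import Enum

REP = "Representative"  # FriendlyName prefix of the representative's attribute set

class Outcome(Enum):
    MATCH = "match"          # exactly one record: the evidence may be released
    NO_MATCH = "no_match"    # no record
    AMBIGUOUS = "ambiguous"  # two or more records: handled like no match

@dataclass(frozen=True)
class Record:
    record_id: str
    family_name: str
    first_name: str
    date_of_birth: str            # ISO 8601 date, as carried by xsd:date
    eidas_uid: str | None = None  # set only where this register has already linked the UID

def normalise(text: str) -> str:
    """Decompose (NFKD), drop diacritics, casefold and collapse whitespace, so that
    transliterated and differently cased spellings of the same name compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    without_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(without_marks.casefold().split())

def match_natural_person(attrs: dict[str, str],
                         register: list[Record]) -> tuple[Outcome, str | None]:
    """attrs: natural-person attributes (FriendlyName -> value) of one party, prefix removed."""
    uid = attrs.get("PersonIdentifier")
    if uid is not None:
        hits = [r for r in register if r.eidas_uid == uid]
        if len(hits) == 1:
            return Outcome.MATCH, hits[0].record_id
        if len(hits) > 1:
            return Outcome.AMBIGUOUS, None
        # UID not linked to any record yet: fall back on the attribute rule
    key = (normalise(attrs["FamilyName"]), normalise(attrs["FirstName"]), attrs["DateOfBirth"])
    hits = [r for r in register
            if (normalise(r.family_name), normalise(r.first_name), r.date_of_birth) == key]
    if len(hits) == 1:
        return Outcome.MATCH, hits[0].record_id
    return (Outcome.NO_MATCH if not hits else Outcome.AMBIGUOUS), None

def match_evidence_request(attrs: dict[str, str], register: list[Record]) -> dict:
    """Apply the checks of section 3.2 to the identity attributes of an evidence request.
    Returns the record(s) to use on success; otherwise an error report for the Evidence
    Requester and a generic message for the user that reveals nothing about which
    attribute or which party failed (added caveat against probing the register)."""
    subject = {k: v for k, v in attrs.items() if not k.startswith(REP)}
    representative = {k[len(REP):]: v for k, v in attrs.items() if k.startswith(REP)}
    results = [("subject", *match_natural_person(subject, register))]
    if representative:
        results.append(("representative", *match_natural_person(representative, register)))
    if all(outcome is Outcome.MATCH for _, outcome, _ in results):
        return {"status": "ok", "records": {role: rid for role, _, rid in results}}
    return {"status": "error",
            "error_report": {role: outcome.value for role, outcome, _ in results},
            "user_message": "The requested evidence cannot be provided."}

# Constructed register of a Data Service.  R-1 and R-2 are the same person data after
# normalisation, so a request naming them is ambiguous and must fail.
REGISTER = [
    Record("R-1", "Müller", "Anna", "1990-05-02"),
    Record("R-2", "MULLER", "anna", "1990-05-02"),
    Record("R-3", "Schmidt", "Jonas", "1978-11-30", eidas_uid="DE/AT/7f3a9c"),
    Record("R-4", "Novák", "Petr", "2001-01-15"),
]
```

A request for "Novak, Petr, 2001-01-15" matches R-4 despite the missing accent; a request for "Müller, Anna, 1990-05-02" hits two records and comes back as an error with error_report {"subject": "ambiguous"} for the Evidence Requester and the generic user message; a request in which Jonas Schmidt represents Petr Novák succeeds only because both parties resolve to exactly one record each.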

4. Sample attribute collection and evidence exchange flow

The following diagram shows the ways in which the eIDAS attributes are collected.  It covers all steps that prepare to collect attributes on the side of MS A. These attributes are made available for further processing steps (not shown in this diagram) by the Data Service and Preview Space. 



The following steps describe the diagram.

Steps 1-2: The user chooses to authenticate with eIDAS in order to get access to the Online Procedure Portal.

Steps 3-4: The user is asked to select the Member State that issued the electronic identification means he/she would like to use for authentication. The user makes a choice.
  NOTE: The Member State selection applies when the electronic identification means is issued by a Member State other than the one of the Online Procedure Portal, which is the case presented in this example.

Step 5: Based on the requested attributes and LoA, the user is presented with the option(s) for electronic identification schemes and/or electronic identification means.

Steps 6-8: The user is asked to consent to the exchange of the requested (eIDAS) attributes and confirms. The user selects one of the electronic identification means issued under an eID scheme notified in accordance with Regulation (EU) 910/2014. The Online Procedure Portal requests the user attributes that can be made available by the eID scheme that issued the selected eID means, following the national privacy and identity matching policy and provided that the user has given her/his consent. The available attributes are listed in the Proxy-Service metadata.

Steps 9-10: The user is asked by the eID scheme to authenticate. The authentication process depends on the eID means selected.

Steps 11-13: The user is successfully authenticated using an electronic identification means notified in accordance with Regulation (EU) 910/2014, and the Online Procedure Portal receives the person identification data (of a natural person, a legal person, or a natural person representing a legal person). This MUST include the mandatory attributes of the eIDAS minimum data set and, if available and approved by the user for exchange, optional and/or sector specific attributes. Depending on the national implementation of the eIDAS node and identity matching service, the Online Procedure Portal may receive additional national person identification data, e.g. a national registration number.

Step 14: The Data Service Directory is looked up for the evidence type.

Step 15: The user is asked to approve the evidence request with the provided attributes.

Steps 16-17: With the user's input and consent, the Online Procedure Portal adds all the person identification data to the evidence request and sends the request to the Data Service.


