Skip to content

itsme Identity Provider

Itsme is an identity provider that provides digital profile for all adult Belgian citizen. Itsme is built on top of OpenId Connect (OIDC) standard.

OpenId Connect specification defines Relying Party (RP) that is an OAuth 2.0 Client requiring End-User authentication, and OpenID Provider (OP) that is an OAuth 2.0 Authentication Server which performs this authentication. As a result of successful authentication OpenID Provider issues an ID Token which is a JSON Web Token (JWT) compliant JSON containing a set of claims - user identity attributes.

The Onegini IdP can act as an OIDC RP allowing the user to authenticate against external OIDC IdP and by performing regular login, signup or automatic signup.

This chapter will guide you through all steps that are required to fully configure and use an external itsme IdP with Onegini IdP.

Itsme requirements

Itsme requires Relying Party to be running on https.


To successfully complete this topic guide you need to ensure following prerequisites:

  • Onegini IdP instance must be running, for the sake of this guide we assume it's available under address

Configure external itsme IdP in Onegini IdP

To register a new IdP of itsme type please visit the page and login to the Onegini IdP admin console. Select Configuration menu option and navigate to Identity Providers tab.Hit the + button to create a new Identity Provider configuration. Fill in the form as follows:

  1. Type - open the dropdown list and select itsme
  2. Name - name your itsme IdP instance
  3. Authentication Level - choose desired authentication level
  4. Enabled - mark your Identity Provider as enabled
  5. Synchronise Attributes - flag indicating whether the Onegini IdP should synchronize person's profile attributes with the ones retrieved from itsme Idp.
  6. Client ID - the client identifier as configured within itsme IdP
  7. Login Service Code - Login Service that you received from itsme after registering your application
  8. Security Level - Choose security level that should be used when authenticating in itsme
  9. Discovery URL - the location of the discovery endpoint following the well-known semantics as described in the OIDC specification
  10. Metadata Expiration Time - time period in seconds specifying how long metadata fetched from Discovery URL is kept in redis. Value kept in redis is automatically refreshed when idp is updated.
  11. Scopes - list of scopes which should be requested during authorization flow from OIDC IdP, the openid scope is always sent by default
  12. Claims - additional claims that should be requested during the authorization flow from the OIDC IdP, please note that some claims are also represented by standard scopes
  13. Front channel logout - flag indicating whether this Identity Provider will participate in logout process

as described in the OIDC specification

Itsme callback uri

Itsme requires a callback uri to be registered for an application. The value you should register is

Custom attribute mapping

Custom attribute mapping section allows you to map retrieved claim name values returned in user-info to attribute with a custom name. If the requested claim in present in the user-info response its value will be saved as a custom attribute and will be returned in SAML response.

Signing and encryption

The Onegini IdP expects encrypted and signed id-tokens and user-info responses when using itsme. Decryption and signature verification is executed with usage of keys and jwks uri that can be displayed in admin console in Configuration -> System -> JWT Key Configuration.