Specifications for the Swedish eID Framework
November 2021
Copyright © The Swedish Agency for Digital Government (DIGG), 2015-2021. All Rights Reserved.
This is the November 2021 version of the Swedish eID Framework. It replaces the previous January 2020 release as the official version for the Swedish eID Framework.
Changes since last version
Below follows a listing of all significant changes since the January 2020 release of the Swedish eID Framework.
- Support for the SAML V2.0 Holder-of-key Web Browser SSO Profile has been added to facilitate delivery of assertions according to Level of Assurance 4. See Deployment Profile for the Swedish eID Framework.
- Changes have been made to the attribute set "Organizational Identity for Natural Persons", see chapter 2.4 of Attribute Specification for the Swedish eID Framework. This change also involves the usage of "scoped attributes" that are defined in section 3.1.3 of Attribute Specification for the Swedish eID Framework and in sections 2.1.3.1 and 6.2.1 of Deployment Profile for the Swedish eID Framework.
- The Swedish eID Framework - Registry for identifiers document has been updated with authentication context URIs (LoA URIs) for uncertified eID providers and for certified eID providers that issue eIDs to Swedish non-residents. The service entity categories defined in Entity Categories for the Swedish eID Framework have also been modified to apply the official LoA URIs and variants of them.
- The attribute mappedPersonalIdentityNumber was introduced and the attribute set "eIDAS Natural Person Attribute Set" was changed to contain this attribute. The reason for this change is that we want to ensure that a service provider consuming an identity assertion received from an eIDAS authentication checks whether the process under which the personal identity number was added to the assertion is acceptable before using it. See sections 2.5 and 3.3.2 of Attribute Specification for the Swedish eID Framework.
- A Swedish coordination number (samordningsnummer) may now be released in the personalIdentityNumber attribute. Since not all service providers consuming assertions can handle and process a coordination number, this is an opt-in feature. Service providers that can handle both Swedish identity numbers (personnummer) and Swedish coordination numbers (samordningsnummer) being delivered in the personalIdentityNumber attribute should declare the entity category http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number in their metadata. An identity provider MUST only deliver a coordination number in the personalIdentityNumber attribute if the service provider has declared the accepts-coordination-number entity category. See section 6.2 of Entity Categories for the Swedish eID Framework.
- In section 3.2.6 of Attribute Specification for the Swedish eID Framework the attribute previousPersonalIdentityNumber was introduced. It is intended to be used when a user has had a Swedish coordination number (samordningsnummer) and later receives a Swedish identity number (personnummer). In these cases the identity provider can deliver both the previous and the current identity in an assertion. This requires that the service provider explicitly declares in its metadata that it wants to receive this attribute.
- Section 6.2.1 of Deployment Profile for the Swedish eID Framework was updated with a privacy requirement stating that an Identity Provider must not release identity attributes that were not requested by the Service Provider.
- New entity categories for the delivery of organizational identities and of identities without a Swedish personal identity number were introduced in Entity Categories for the Swedish eID Framework.
- For signing, Implementation Profile for using OASIS DSS in Central Signing Services has been updated with the following:
  - The Request element is no longer mandatory to include in a response message.
  - It is no longer required to supply the Signer element. This enables use cases where the user is not known at the time of signature initiation.
  - The
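The two release rules above (the accepts-coordination-number opt-in and the requirement that an Identity Provider must not release attributes the Service Provider did not request) can be enforced at the IdP as a metadata-driven attribute filter. The Python below is an added illustration, not code from the Swedish eID Framework or from Sweden Connect. It assumes that entity categories are published in SP metadata as an mdattr:EntityAttributes attribute named http://macedir.org/entity-category (the common convention for entity categories), that requested attributes appear as md:RequestedAttribute elements, that urn:oid:1.2.752.29.4.13 is the attribute name of personalIdentityNumber (verify against the Attribute Specification), and that a coordination number is recognised by its day field being raised by 60. The SP metadata and identity numbers are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
ACCEPTS_COORDINATION_NUMBER = "http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number"
# Assumed OID name of personalIdentityNumber; check it against the Attribute Specification.
PERSONAL_IDENTITY_NUMBER = "urn:oid:1.2.752.29.4.13"
GIVEN_NAME = "urn:oid:2.5.4.42"


def luhn_ok(digits: str) -> bool:
    """Checksum of the 10-digit short form YYMMDDNNNC used by Swedish identity numbers."""
    total = 0
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == 0:          # every other digit, starting with the first, is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_coordination_number(pin: str) -> bool:
    """True for a samordningsnummer (day field + 60), False for a personnummer.

    Raises ValueError for anything that is not a well-formed 12-digit number."""
    if len(pin) != 12 or not pin.isdigit() or not luhn_ok(pin[2:]):
        raise ValueError("not a well-formed 12-digit Swedish identity number")
    day = int(pin[6:8])
    if 1 <= day <= 31:
        return False
    if 61 <= day <= 91:
        return True
    raise ValueError("day field outside the personnummer and samordningsnummer ranges")


def parse_sp_metadata(xml_text: str):
    """Return (entity categories, requested attribute names) declared by an SP."""
    root = ET.fromstring(xml_text)
    categories = set()
    for attr in root.findall(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY_ATTR:
            for val in attr.findall("saml:AttributeValue", NS):
                categories.add((val.text or "").strip())
    requested = {
        ra.get("Name")
        for ra in root.findall(".//md:AttributeConsumingService/md:RequestedAttribute", NS)
    }
    return categories, requested


def filter_release(sp_metadata_xml: str, user_attributes: dict):
    """Apply the release rules and return (released, withheld-with-reason)."""
    categories, requested = parse_sp_metadata(sp_metadata_xml)
    released, withheld = {}, {}
    for name, value in user_attributes.items():
        if name not in requested:
            # Privacy requirement: never release an attribute the SP did not ask for.
            withheld[name] = "not requested in SP metadata"
            continue
        if (name == PERSONAL_IDENTITY_NUMBER and is_coordination_number(value)
                and ACCEPTS_COORDINATION_NUMBER not in categories):
            # Opt-in rule: a coordination number only goes to SPs declaring the category.
            withheld[name] = "coordination number, SP lacks accepts-coordination-number"
            continue
        released[name] = value
    return released, withheld


def sp_metadata(accepts_coordination_number: bool, requested: list) -> str:
    """Constructed sample SP metadata (not a real entity); builds the parts we inspect."""
    category = ""
    if accepts_coordination_number:
        category = (
            '<md:Extensions><mdattr:EntityAttributes>'
            f'<saml:Attribute Name="{ENTITY_CATEGORY_ATTR}">'
            f'<saml:AttributeValue>{ACCEPTS_COORDINATION_NUMBER}</saml:AttributeValue>'
            '</saml:Attribute></mdattr:EntityAttributes></md:Extensions>'
        )
    reqs = "".join(f'<md:RequestedAttribute Name="{n}"/>' for n in requested)
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
        f'xmlns:saml="{NS["saml"]}" entityID="https://sp.example.com/saml">{category}'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AttributeConsumingService index="0"><md:ServiceName xml:lang="en">Example'
        f'</md:ServiceName>{reqs}</md:AttributeConsumingService></md:SPSSODescriptor>'
        '</md:EntityDescriptor>'
    )


if __name__ == "__main__":
    # Constructed user: a coordination number (day 72 = 12 + 60) plus a given name.
    user = {PERSONAL_IDENTITY_NUMBER: "191212721219", GIVEN_NAME: "Alice"}
    for opted_in in (True, False):
        print(opted_in, filter_release(sp_metadata(opted_in, [PERSONAL_IDENTITY_NUMBER]), user))
```

Because the decision is taken per attribute and per SP entity, the same filter covers previousPersonalIdentityNumber: it is released only when the SP has listed it as a RequestedAttribute, which is exactly the explicit declaration the change note above requires.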
Each document also contains a "Changes between versions" section where you can see what has been updated for that particular specification.
For a detailed list of changes you can view all changes in GitHub using this link: https://github.com/swedenconnect/technical-framework/compare.
Check out the GitHub project for this release: https://github.com/swedenconnect/technical-framework/projects/4. Here you can see all the GitHub issues describing each change that was made to the specifications.
Introduction
Overview that describes the different parts of the Swedish eID Framework.
Tekniskt ramverk - Introduktion - In Swedish
Introduction to the Swedish eID Framework - In English
Specifications
- 02 - Deployment Profile for the Swedish eID Framework - version 1.7
- 03 - Registry for Identifiers - version 1.7
- 04 - Attribute Specification for the Swedish eID Framework - version 1.7
- 06 - Entity Categories for the Swedish eID Framework - version 1.8
- 07 - Implementation Profile for using DSS in Central Signing Services - version 1.5
- 08 - Certificate Profile for Central Signing Services - version 1.2
- 09 - DSS Extension for Federated Signing Services - version 1.4
- 11 - eIDAS Constructed Attributes Specification for the Swedish eID Framework - version 1.2
- 12 - BankID Profile for the Swedish eID Framework - version 1.3
- 13 - Signature Activation Protocol - version 1.1
- 14 - Principal Selection in SAML Authentication Requests - version 1.0
All specifications are also available in Markdown format on GitHub - https://github.com/swedenconnect/technical-framework. Here you can follow the further development of the Swedish eID Framework.