Italian Government Identity (SPID, CIE, eIDAS)
Auris provides first-class support for Italy’s national digital identity infrastructure: SPID (Sistema Pubblico di Identità Digitale), CIE 3.0 (Carta d’Identità Elettronica), and eIDAS (the EU cross-border identity regulation). All three are configured in the Auris Console under Authentication → Government Identity and managed via the /api/italian-identity/ API family.
Overview
SPID
SPID is Italy’s public digital identity system, defined and governed by AgID (Agenzia per l’Italia Digitale). It is based on SAML 2.0. Citizens and businesses authenticate via one of 12 accredited Identity Providers (Poste Italiane, Aruba, InfoCert, TIM, Namirial, and others). Service Providers — your application — must register an SP metadata document with AgID and declare their organization type, assurance level requirements, and requested user attributes.
SPID defines three assurance levels (LoA): SpidL1 (username + password), SpidL2 (username + password + OTP — the recommended default), and SpidL3 (username + password + hardware token).
CIE 3.0
CIE is the Italian electronic national identity card. CIE 3.0 uses OIDC (OpenID Connect) against the Ministero dell’Interno’s identity server (idserver.servizicie.interno.gov.it). Three levels mirror SPID: L1 (browser redirect only), L2 (card NFC tap + PIN — the standard use case), L3 (card NFC + fingerprint reader). An optional QR code flow supports mobile NFC authentication without a desktop card reader.
eIDAS
eIDAS is EU Regulation 910/2014 establishing a cross-border digital identity framework. It allows citizens of any EU member state to authenticate on Italian public services using their national eID. Auris models eIDAS support as future-ready: the schema and API are in place and the configuration is preserved, but automated Keycloak synchronisation for eIDAS is scheduled for 2026–2027 when the Italian national eIDAS proxy node completes its certification. Three levels are defined: LOW, SUBSTANTIAL (the default), HIGH.
National IdPs
Beyond the three Italian standards, Auris ships 36 built-in identity provider templates covering EU (France Connect, BankID SE/NO, MitID, Suomi.fi, DigiD, itsme, BundesIdent, ID Austria, and others), Asia-Pacific (Aadhaar, SingPass, myGovID, JPKI), the Americas (Login.gov, Gov.br), and the Middle East (UAE PASS, Nafath). These use standard OIDC or SAML 2.0 connectors with no Italy-specific regulatory constraint.
Required Permission
All /api/italian-identity/* endpoints require the admin:all permission. Tenant is resolved from the x-tenant request header.
SPID Setup
SPID requires AgID accreditation before you can go live. You must register your SP metadata with AgID and receive an official Entity ID. Complete the Console setup first, verify functionality on the AgID Test IdP, then submit accreditation. See Going Live below.
Open the SPID configuration page
In the Auris Console, navigate to Authentication → Government Identity → SPID.
If no configuration exists, click Configure SPID to open the setup dialog.
Set the SP Entity ID
The SP Entity ID is the globally unique identifier for your Service Provider. AgID requires it to be an HTTPS URL matching your production domain, for example:
https://app.yourdomain.com/spid/metadataAuris uses this value as the base for the automatically generated ACS and SLO callback URLs:
- ACS (Assertion Consumer Service):
{entityId}/spid/acs - SLO (Single Logout):
{entityId}/spid/slo
Upload or paste the SP signing certificate and private key
Generate a 2048-bit RSA key pair. The certificate must be self-signed for SPID SP registration. Paste the PEM-encoded certificate in SP Certificate and the PEM-encoded private key in SP Private Key. The private key is encrypted at rest.
openssl req -x509 -nodes -sha256 -days 3650 \
-newkey rsa:2048 \
-subj "/C=IT/O=YourOrg/CN=app.yourdomain.com" \
-keyout spid-sp.key \
-out spid-sp.crtFill in the organization fields
AgID requires these fields in the SP metadata document:
| Field | Description |
|---|---|
| Organization Name | Legal name of your organization (e.g. Altovar S.r.l.) |
| Organization Display Name | Short name shown in the IdP login UI |
| Organization URL | Public website of the organization |
| Contact Email | Technical or administrative contact |
| Contact Phone | Optional contact phone number |
Select the minimum assurance level
Choose the minimum SPID level required for your service:
| Level | SAML AuthnContextClassRef | Use case |
|---|---|---|
| SpidL1 | https://www.spid.gov.it/SpidL1 | Low-risk services, optional identity check |
| SpidL2 | https://www.spid.gov.it/SpidL2 | Standard services requiring verified identity (recommended) |
| SpidL3 | https://www.spid.gov.it/SpidL3 | High-security services (banking, health records) |
SpidL2 is the default and covers the vast majority of SP use cases.
Enable IdPs
The console shows all 12 production SPID IdPs. By default, Auris enables Poste Italiane, Aruba, InfoCert, and Namirial — the four with the highest user base. Enable additional IdPs as needed. Each enabled IdP is automatically registered in Keycloak as a SAML Identity Provider.
During development or accreditation testing, also enable SPID Validator (AgID Test) — this is the official AgID test IdP at https://validator.spid.gov.it and appears only when Test Mode is on.
Leave Test Mode enabled during development
Test Mode routes to the AgID test infrastructure instead of production IdPs, and includes the SPID Validator IdP in the selector. Disable Test Mode only after AgID accreditation is complete and you are ready for production traffic.
Retrieve the SP metadata URL
After saving, the Console displays your SP Metadata URL:
https://auth.yourdomain.com/api/italian-identity/spid/metadataThis endpoint returns an AgID-compliant SAML SP Metadata XML document. It includes:
AuthnRequestsSigned="true"andWantAssertionsSigned="true"- SP KeyDescriptor for signing
- Single Logout Service (HTTP-POST binding)
- AssertionConsumerService (HTTP-POST binding, index 0)
- NameIDFormat:
transient - Requested attributes (required:
spidCode,name,familyName,fiscalNumber,email; optional:dateOfBirth,gender,mobilePhone,address) - Organization block (Italian language) and ContactPerson with
<spid:Public>extension as required by AgID
Submit this URL to AgID during accreditation.
SPID Attribute Mapping
Auris maps SPID attributes to internal user claims automatically. The default mapping covers 20 SPID attributes:
| SPID Attribute | Internal Claim |
|---|---|
spidCode | spidCode |
name | firstName |
familyName | lastName |
fiscalNumber | fiscalNumber |
email | email |
mobilePhone | phone |
dateOfBirth | dateOfBirth |
gender | gender |
placeOfBirth | placeOfBirth |
address | address |
companyName | companyName |
ivaCode | ivaCode |
idCard | idCard |
Additional attributes (registeredOffice, countyOfBirth, expirationDate, digitalAddress, domicile*) are mapped by default. Override the mapping via PATCH /api/italian-identity/spid by providing an attributeMapping object.
CIE 3.0 Setup
To obtain a CIE 3.0 Client ID and Client Secret, register your application with the Ministero dell’Interno at https://idserver.servizicie.interno.gov.it. The registration process is separate from SPID accreditation.
Open the CIE configuration page
Navigate to Authentication → Government Identity → CIE.
Click Configure CIE if no configuration exists.
Enter the OIDC credentials
| Field | Description |
|---|---|
| Client ID | Assigned by the CIE ID Server upon registration |
| Client Secret | Assigned by the CIE ID Server; encrypted at rest in Auris |
| Redirect URI | Your application’s OIDC callback URL (e.g. https://app.yourdomain.com/auth/callback) |
Select the minimum assurance level
| Level | Description |
|---|---|
| CieL1 | Browser redirect only — no card interaction |
| CieL2 | Card NFC tap + PIN (recommended — covers most public service requirements) |
| CieL3 | Card NFC + qualified electronic signature reader |
CieL2 is the default.
Configure scopes
By default Auris requests openid and profile. Add additional OIDC scopes via PATCH /api/italian-identity/cie with a scopes array if your use case requires additional claims.
Enable the QR code flow (optional)
Toggle QR Code Flow to enable mobile NFC authentication. When enabled, the CIE login screen displays a QR code that the user scans with the CIE app on their smartphone, which then performs the NFC card tap and PIN entry independently of the desktop browser session.
Leave Test Mode enabled during development
When Test Mode is on, Auris automatically switches to the CIE pre-production server:
https://preproduzione.idserver.servizicie.interno.gov.itThis lets you test the full OIDC flow without using real identity cards.
CIE Attribute Mapping
The default CIE attribute mapping covers 11 fields:
| CIE Claim | Internal Claim |
|---|---|
givenName | firstName |
familyName | lastName |
fiscalNumber | fiscalNumber |
dateOfBirth | dateOfBirth |
email | email |
phoneNumber | phone |
address | address |
gender | gender |
placeOfBirth | placeOfBirth |
documentNumber | documentNumber |
documentExpiryDate | documentExpiryDate |
eIDAS Setup
eIDAS Keycloak synchronisation is scheduled for 2026–2027. The configuration is stored and the API is available, but the IdP is not automatically registered in the Auris authentication pipeline until the feature is complete. Configuring eIDAS now preserves your settings for when the integration ships.
Open the eIDAS configuration page
Navigate to Authentication → Government Identity → eIDAS.
Enter the national connector URL
The nodeUrl is the HTTPS endpoint of the national eIDAS proxy node connector for Italy. This value is provided by AgID or your eIDAS middleware vendor.
Set the SP country code
Leave this as IT for Italian service providers.
Select the minimum assurance level
| Level | Description |
|---|---|
| LOW | Basic authentication — equivalent to username/password |
| SUBSTANTIAL | Multi-factor authentication — the default and the level required by most Italian PAs |
| HIGH | Qualified electronic signature or hardware-backed authentication |
Specify supported countries
Provide an array of ISO 3166-1 alpha-2 country codes for the EU member states whose eIDs you accept. Leave empty to accept all connected countries. Example: ["DE", "FR", "ES", "AT", "NL"].
Set the metadata URL (optional)
If your eIDAS proxy node publishes SAML metadata, enter the URL in Metadata URL. This is used for SP metadata exchange during proxy node registration.
National IdPs
National IdPs are generic OIDC or SAML 2.0 connectors for government and public identity providers outside of the Italy-specific SPID/CIE standards. Auris ships 36 built-in provider templates. Use them for EU cross-border access and international deployments.
Adding a national IdP
Navigate to the national IdPs page
Go to Authentication → Government Identity → National IdPs → Add Provider.
Select a provider template
Choose from the built-in templates. Each template pre-populates the protocol, display name, and standard endpoint fields for that provider. Available regions and templates include:
Europe: France Connect (FR), BankID Sweden (SE), BankID Norway (NO), MitID (DK), Suomi.fi (FI), iDIN (NL), DigiD (NL), eHerkenning (NL), itsme (BE), GouvID (LU), Verimi (DE), BundesIdent (DE), ID Austria (AT), Swiss ID (CH), Chave Movel (PT), Cl@ve (ES), eIdentita (CZ), e-Dowod (PL), Smart-ID (EE/LV/LT), Mobile-ID Estonia (EE), GOV.UK One Login (GB)
Asia-Pacific: Aadhaar (IN), SingPass (SG), MyInfo (SG), RealMe (NZ), myGovID (AU), JPKI (JP)
Americas: Login.gov (US), Gov.br (BR), Clave Unica (CL), Gob.mx (MX)
Middle East / Africa: UAE PASS (AE), Nafath (SA)
You can also add a Generic Custom Provider (OIDC) to connect any compliant provider not listed above.
Configure protocol-specific fields
For OIDC providers:
| Field | Description |
|---|---|
| Client ID | OAuth2 client ID from the provider |
| Client Secret | OAuth2 client secret — encrypted at rest |
| Issuer URL | Provider’s OIDC discovery URL (.well-known/openid-configuration) |
| Authorization URL | Override if not available via discovery |
| Token URL | Override if not available via discovery |
| Userinfo URL | Override if not available via discovery |
| Scopes | Space-separated list (default: openid profile) |
For SAML providers:
| Field | Description |
|---|---|
| Entity ID | IdP Entity ID from the provider’s metadata |
| SSO URL | HTTP-Redirect or HTTP-POST binding for authentication |
| SLO URL | Single Logout URL (optional) |
| Certificate | IdP signing certificate in PEM format |
| Metadata URL | If provided, Auris fetches entity ID, SSO URL, and certificate from this URL |
Test the connection
After saving, click Test Connection. Auris performs a live connectivity check:
- For OIDC providers: fetches the
.well-known/openid-configurationdiscovery document - For SAML providers: pings the metadata URL or SSO URL
The test applies a 10-second timeout and blocks requests to private IP ranges (SSRF guard). A green status confirms the provider endpoint is reachable.
Aggregated Status
The /api/italian-identity/status endpoint returns a single JSON object with the configuration and enabled state of all four systems:
{
"success": true,
"data": {
"spid": {
"configured": true,
"enabled": true,
"testMode": true,
"enabledIdpCount": 5
},
"cie": {
"configured": true,
"enabled": true,
"testMode": true
},
"eidas": {
"configured": false,
"enabled": false
},
"nationalIdps": {
"total": 3,
"enabled": 2
}
}
}The Console overview page uses this endpoint to render the status dashboard.
Testing
SPID
Use the AgID SPID Validator at https://validator.spid.gov.it. This is the official AgID test IdP and accepts test users without a real SPID account.
- Ensure Test Mode is on in your SPID configuration.
- Enable the SPID Validator (AgID Test) IdP in the Console.
- Navigate to your application’s login page — the SPID Validator button appears alongside production IdPs.
- The validator lets you select a test identity level (SpidL1, SpidL2, SpidL3) and returns a synthetic SAML assertion with test attribute values.
The AgID SPID Validator also verifies the conformance of your SP metadata XML. Submit your metadata URL to https://validator.spid.gov.it/demo.html to run the full AgID conformance test suite before applying for accreditation.
CIE
Use the CIE pre-production environment (preproduzione.idserver.servizicie.interno.gov.it), which is active automatically when Test Mode is on. The Ministero dell’Interno provides test credentials for registered developers — request them during CIE application registration.
eIDAS
Contact AgID or your eIDAS middleware vendor for access to the eIDAS test node. The Italian national test node is available to registered service providers.
National IdPs
Use each provider’s official sandbox environment. The Test Mode toggle on each national IdP configuration is a convention marker — switch provider endpoints manually to the sandbox values when testing, then switch back to production endpoints before go-live.
Going Live
SPID Accreditation
SPID accreditation is managed by AgID. The process for private-sector service providers (Soggetti Privati) is:
- Register your organization on the AgID SPID onboarding portal .
- Submit your SP metadata URL. AgID validates the XML structure against the SPID Technical Rules (Regole Tecniche SPID).
- Run the AgID conformance test suite against your pre-production environment using the SPID Validator.
- Agree to the SPID Usage Agreement (Convenzione d’uso SPID) for private-sector SPs.
- Await AgID approval and your official Entity ID confirmation.
- Disable Test Mode in the Console once approval is received and production IdPs are tested.
Your SP Entity ID, ACS URL, and SLO URL cannot be changed after AgID accreditation without re-submitting. Set them to your final production domain before submitting.
CIE Go-Live
CIE service provider registration is handled by the Ministero dell’Interno via the CIE developer portal . After production Client ID approval, disable Test Mode in the Console to switch to idserver.servizicie.interno.gov.it.
Checklist
Before switching off Test Mode for any identity system:
- SP metadata URL is reachable publicly over HTTPS (SPID)
- SP certificate is valid (not expired, 2048-bit RSA minimum)
- ACS URL responds and handles SAML POST assertions (SPID)
- OIDC redirect URI is registered with the provider (CIE, National IdPs)
- Attribute mapping is correct and tested end-to-end
- AgID or provider accreditation approval received (SPID, CIE)
- Audit logs reviewed for any errors during test sessions