Skip to Content
GuidesAuthenticationItalian Government Identity (SPID/CIE)

Italian Government Identity (SPID, CIE, eIDAS)

Auris provides first-class support for Italy’s national digital identity infrastructure: SPID (Sistema Pubblico di Identità Digitale), CIE 3.0 (Carta d’Identità Elettronica), and eIDAS (the EU cross-border identity regulation). All three are configured in the Auris Console under AuthenticationGovernment Identity and managed via the /api/italian-identity/ API family.


Overview

SPID

SPID is Italy’s public digital identity system, defined and governed by AgID (Agenzia per l’Italia Digitale). It is based on SAML 2.0. Citizens and businesses authenticate via one of 12 accredited Identity Providers (Poste Italiane, Aruba, InfoCert, TIM, Namirial, and others). Service Providers — your application — must register an SP metadata document with AgID and declare their organization type, assurance level requirements, and requested user attributes.

SPID defines three assurance levels (LoA): SpidL1 (username + password), SpidL2 (username + password + OTP — the recommended default), and SpidL3 (username + password + hardware token).

CIE 3.0

CIE is the Italian electronic national identity card. CIE 3.0 uses OIDC (OpenID Connect) against the Ministero dell’Interno’s identity server (idserver.servizicie.interno.gov.it). Three levels mirror SPID: L1 (browser redirect only), L2 (card NFC tap + PIN — the standard use case), L3 (card NFC + fingerprint reader). An optional QR code flow supports mobile NFC authentication without a desktop card reader.

eIDAS

eIDAS is EU Regulation 910/2014 establishing a cross-border digital identity framework. It allows citizens of any EU member state to authenticate on Italian public services using their national eID. Auris models eIDAS support as future-ready: the schema and API are in place and the configuration is preserved, but automated Keycloak synchronisation for eIDAS is scheduled for 2026–2027 when the Italian national eIDAS proxy node completes its certification. Three levels are defined: LOW, SUBSTANTIAL (the default), HIGH.

National IdPs

Beyond the three Italian standards, Auris ships 36 built-in identity provider templates covering EU (France Connect, BankID SE/NO, MitID, Suomi.fi, DigiD, itsme, BundesIdent, ID Austria, and others), Asia-Pacific (Aadhaar, SingPass, myGovID, JPKI), the Americas (Login.gov, Gov.br), and the Middle East (UAE PASS, Nafath). These use standard OIDC or SAML 2.0 connectors with no Italy-specific regulatory constraint.


Required Permission

All /api/italian-identity/* endpoints require the admin:all permission. Tenant is resolved from the x-tenant request header.


SPID Setup

SPID requires AgID accreditation before you can go live. You must register your SP metadata with AgID and receive an official Entity ID. Complete the Console setup first, verify functionality on the AgID Test IdP, then submit accreditation. See Going Live below.

Open the SPID configuration page

In the Auris Console, navigate to AuthenticationGovernment IdentitySPID.

If no configuration exists, click Configure SPID to open the setup dialog.

Set the SP Entity ID

The SP Entity ID is the globally unique identifier for your Service Provider. AgID requires it to be an HTTPS URL matching your production domain, for example:

https://app.yourdomain.com/spid/metadata

Auris uses this value as the base for the automatically generated ACS and SLO callback URLs:

  • ACS (Assertion Consumer Service): {entityId}/spid/acs
  • SLO (Single Logout): {entityId}/spid/slo

Upload or paste the SP signing certificate and private key

Generate a 2048-bit RSA key pair. The certificate must be self-signed for SPID SP registration. Paste the PEM-encoded certificate in SP Certificate and the PEM-encoded private key in SP Private Key. The private key is encrypted at rest.

openssl req -x509 -nodes -sha256 -days 3650 \ -newkey rsa:2048 \ -subj "/C=IT/O=YourOrg/CN=app.yourdomain.com" \ -keyout spid-sp.key \ -out spid-sp.crt

Fill in the organization fields

AgID requires these fields in the SP metadata document:

FieldDescription
Organization NameLegal name of your organization (e.g. Altovar S.r.l.)
Organization Display NameShort name shown in the IdP login UI
Organization URLPublic website of the organization
Contact EmailTechnical or administrative contact
Contact PhoneOptional contact phone number

Select the minimum assurance level

Choose the minimum SPID level required for your service:

LevelSAML AuthnContextClassRefUse case
SpidL1https://www.spid.gov.it/SpidL1Low-risk services, optional identity check
SpidL2https://www.spid.gov.it/SpidL2Standard services requiring verified identity (recommended)
SpidL3https://www.spid.gov.it/SpidL3High-security services (banking, health records)

SpidL2 is the default and covers the vast majority of SP use cases.

Enable IdPs

The console shows all 12 production SPID IdPs. By default, Auris enables Poste Italiane, Aruba, InfoCert, and Namirial — the four with the highest user base. Enable additional IdPs as needed. Each enabled IdP is automatically registered in Keycloak as a SAML Identity Provider.

During development or accreditation testing, also enable SPID Validator (AgID Test) — this is the official AgID test IdP at https://validator.spid.gov.it and appears only when Test Mode is on.

Leave Test Mode enabled during development

Test Mode routes to the AgID test infrastructure instead of production IdPs, and includes the SPID Validator IdP in the selector. Disable Test Mode only after AgID accreditation is complete and you are ready for production traffic.

Retrieve the SP metadata URL

After saving, the Console displays your SP Metadata URL:

https://auth.yourdomain.com/api/italian-identity/spid/metadata

This endpoint returns an AgID-compliant SAML SP Metadata XML document. It includes:

  • AuthnRequestsSigned="true" and WantAssertionsSigned="true"
  • SP KeyDescriptor for signing
  • Single Logout Service (HTTP-POST binding)
  • AssertionConsumerService (HTTP-POST binding, index 0)
  • NameIDFormat: transient
  • Requested attributes (required: spidCode, name, familyName, fiscalNumber, email; optional: dateOfBirth, gender, mobilePhone, address)
  • Organization block (Italian language) and ContactPerson with <spid:Public> extension as required by AgID

Submit this URL to AgID during accreditation.

SPID Attribute Mapping

Auris maps SPID attributes to internal user claims automatically. The default mapping covers 20 SPID attributes:

SPID AttributeInternal Claim
spidCodespidCode
namefirstName
familyNamelastName
fiscalNumberfiscalNumber
emailemail
mobilePhonephone
dateOfBirthdateOfBirth
gendergender
placeOfBirthplaceOfBirth
addressaddress
companyNamecompanyName
ivaCodeivaCode
idCardidCard

Additional attributes (registeredOffice, countyOfBirth, expirationDate, digitalAddress, domicile*) are mapped by default. Override the mapping via PATCH /api/italian-identity/spid by providing an attributeMapping object.


CIE 3.0 Setup

To obtain a CIE 3.0 Client ID and Client Secret, register your application with the Ministero dell’Interno at https://idserver.servizicie.interno.gov.it. The registration process is separate from SPID accreditation.

Open the CIE configuration page

Navigate to AuthenticationGovernment IdentityCIE.

Click Configure CIE if no configuration exists.

Enter the OIDC credentials

FieldDescription
Client IDAssigned by the CIE ID Server upon registration
Client SecretAssigned by the CIE ID Server; encrypted at rest in Auris
Redirect URIYour application’s OIDC callback URL (e.g. https://app.yourdomain.com/auth/callback)

Select the minimum assurance level

LevelDescription
CieL1Browser redirect only — no card interaction
CieL2Card NFC tap + PIN (recommended — covers most public service requirements)
CieL3Card NFC + qualified electronic signature reader

CieL2 is the default.

Configure scopes

By default Auris requests openid and profile. Add additional OIDC scopes via PATCH /api/italian-identity/cie with a scopes array if your use case requires additional claims.

Enable the QR code flow (optional)

Toggle QR Code Flow to enable mobile NFC authentication. When enabled, the CIE login screen displays a QR code that the user scans with the CIE app on their smartphone, which then performs the NFC card tap and PIN entry independently of the desktop browser session.

Leave Test Mode enabled during development

When Test Mode is on, Auris automatically switches to the CIE pre-production server:

https://preproduzione.idserver.servizicie.interno.gov.it

This lets you test the full OIDC flow without using real identity cards.

CIE Attribute Mapping

The default CIE attribute mapping covers 11 fields:

CIE ClaimInternal Claim
givenNamefirstName
familyNamelastName
fiscalNumberfiscalNumber
dateOfBirthdateOfBirth
emailemail
phoneNumberphone
addressaddress
gendergender
placeOfBirthplaceOfBirth
documentNumberdocumentNumber
documentExpiryDatedocumentExpiryDate

eIDAS Setup

eIDAS Keycloak synchronisation is scheduled for 2026–2027. The configuration is stored and the API is available, but the IdP is not automatically registered in the Auris authentication pipeline until the feature is complete. Configuring eIDAS now preserves your settings for when the integration ships.

Open the eIDAS configuration page

Navigate to AuthenticationGovernment IdentityeIDAS.

Enter the national connector URL

The nodeUrl is the HTTPS endpoint of the national eIDAS proxy node connector for Italy. This value is provided by AgID or your eIDAS middleware vendor.

Set the SP country code

Leave this as IT for Italian service providers.

Select the minimum assurance level

LevelDescription
LOWBasic authentication — equivalent to username/password
SUBSTANTIALMulti-factor authentication — the default and the level required by most Italian PAs
HIGHQualified electronic signature or hardware-backed authentication

Specify supported countries

Provide an array of ISO 3166-1 alpha-2 country codes for the EU member states whose eIDs you accept. Leave empty to accept all connected countries. Example: ["DE", "FR", "ES", "AT", "NL"].

Set the metadata URL (optional)

If your eIDAS proxy node publishes SAML metadata, enter the URL in Metadata URL. This is used for SP metadata exchange during proxy node registration.


National IdPs

National IdPs are generic OIDC or SAML 2.0 connectors for government and public identity providers outside of the Italy-specific SPID/CIE standards. Auris ships 36 built-in provider templates. Use them for EU cross-border access and international deployments.

Adding a national IdP

Go to AuthenticationGovernment IdentityNational IdPsAdd Provider.

Select a provider template

Choose from the built-in templates. Each template pre-populates the protocol, display name, and standard endpoint fields for that provider. Available regions and templates include:

Europe: France Connect (FR), BankID Sweden (SE), BankID Norway (NO), MitID (DK), Suomi.fi (FI), iDIN (NL), DigiD (NL), eHerkenning (NL), itsme (BE), GouvID (LU), Verimi (DE), BundesIdent (DE), ID Austria (AT), Swiss ID (CH), Chave Movel (PT), Cl@ve (ES), eIdentita (CZ), e-Dowod (PL), Smart-ID (EE/LV/LT), Mobile-ID Estonia (EE), GOV.UK One Login (GB)

Asia-Pacific: Aadhaar (IN), SingPass (SG), MyInfo (SG), RealMe (NZ), myGovID (AU), JPKI (JP)

Americas: Login.gov (US), Gov.br (BR), Clave Unica (CL), Gob.mx (MX)

Middle East / Africa: UAE PASS (AE), Nafath (SA)

You can also add a Generic Custom Provider (OIDC) to connect any compliant provider not listed above.

Configure protocol-specific fields

For OIDC providers:

FieldDescription
Client IDOAuth2 client ID from the provider
Client SecretOAuth2 client secret — encrypted at rest
Issuer URLProvider’s OIDC discovery URL (.well-known/openid-configuration)
Authorization URLOverride if not available via discovery
Token URLOverride if not available via discovery
Userinfo URLOverride if not available via discovery
ScopesSpace-separated list (default: openid profile)

For SAML providers:

FieldDescription
Entity IDIdP Entity ID from the provider’s metadata
SSO URLHTTP-Redirect or HTTP-POST binding for authentication
SLO URLSingle Logout URL (optional)
CertificateIdP signing certificate in PEM format
Metadata URLIf provided, Auris fetches entity ID, SSO URL, and certificate from this URL

Test the connection

After saving, click Test Connection. Auris performs a live connectivity check:

  • For OIDC providers: fetches the .well-known/openid-configuration discovery document
  • For SAML providers: pings the metadata URL or SSO URL

The test applies a 10-second timeout and blocks requests to private IP ranges (SSRF guard). A green status confirms the provider endpoint is reachable.


Aggregated Status

The /api/italian-identity/status endpoint returns a single JSON object with the configuration and enabled state of all four systems:

{ "success": true, "data": { "spid": { "configured": true, "enabled": true, "testMode": true, "enabledIdpCount": 5 }, "cie": { "configured": true, "enabled": true, "testMode": true }, "eidas": { "configured": false, "enabled": false }, "nationalIdps": { "total": 3, "enabled": 2 } } }

The Console overview page uses this endpoint to render the status dashboard.


Testing

SPID

Use the AgID SPID Validator at https://validator.spid.gov.it. This is the official AgID test IdP and accepts test users without a real SPID account.

  1. Ensure Test Mode is on in your SPID configuration.
  2. Enable the SPID Validator (AgID Test) IdP in the Console.
  3. Navigate to your application’s login page — the SPID Validator button appears alongside production IdPs.
  4. The validator lets you select a test identity level (SpidL1, SpidL2, SpidL3) and returns a synthetic SAML assertion with test attribute values.

The AgID SPID Validator also verifies the conformance of your SP metadata XML. Submit your metadata URL to https://validator.spid.gov.it/demo.html to run the full AgID conformance test suite before applying for accreditation.

CIE

Use the CIE pre-production environment (preproduzione.idserver.servizicie.interno.gov.it), which is active automatically when Test Mode is on. The Ministero dell’Interno provides test credentials for registered developers — request them during CIE application registration.

eIDAS

Contact AgID or your eIDAS middleware vendor for access to the eIDAS test node. The Italian national test node is available to registered service providers.

National IdPs

Use each provider’s official sandbox environment. The Test Mode toggle on each national IdP configuration is a convention marker — switch provider endpoints manually to the sandbox values when testing, then switch back to production endpoints before go-live.


Going Live

SPID Accreditation

SPID accreditation is managed by AgID. The process for private-sector service providers (Soggetti Privati) is:

  1. Register your organization on the AgID SPID onboarding portal .
  2. Submit your SP metadata URL. AgID validates the XML structure against the SPID Technical Rules (Regole Tecniche SPID).
  3. Run the AgID conformance test suite against your pre-production environment using the SPID Validator.
  4. Agree to the SPID Usage Agreement (Convenzione d’uso SPID) for private-sector SPs.
  5. Await AgID approval and your official Entity ID confirmation.
  6. Disable Test Mode in the Console once approval is received and production IdPs are tested.

Your SP Entity ID, ACS URL, and SLO URL cannot be changed after AgID accreditation without re-submitting. Set them to your final production domain before submitting.

CIE Go-Live

CIE service provider registration is handled by the Ministero dell’Interno via the CIE developer portal . After production Client ID approval, disable Test Mode in the Console to switch to idserver.servizicie.interno.gov.it.

Checklist

Before switching off Test Mode for any identity system:

  • SP metadata URL is reachable publicly over HTTPS (SPID)
  • SP certificate is valid (not expired, 2048-bit RSA minimum)
  • ACS URL responds and handles SAML POST assertions (SPID)
  • OIDC redirect URI is registered with the provider (CIE, National IdPs)
  • Attribute mapping is correct and tested end-to-end
  • AgID or provider accreditation approval received (SPID, CIE)
  • Audit logs reviewed for any errors during test sessions