Want to manage ID4me identities?

Check out what needs to be done to become an ID4me Identity Agent.


Identity Agent

The Identity-Agent is in direct contact with the End-User. It provides a service to manage identities and identity data. This identity data is provided to Login Partners upon requests with valid access rights. It is also responsible for ID4me registrations and setting/changing the ID4me password, which is securely realized by redirecting to the Identity Authority.

Useful Documents

Reference Implementations

LanguageNameRepository & DocumentationDemoComments
Pythonidentity-agent-prototypeID4me GitLabhttps://identityagent.de/Reference implementation

Additional Informations

Identity Agent in general interacts with 2 Parties:


  • Provisioning, deprovisioning and management of IDs. In this process also domain ownership verification and DNS record setup needs to be assured by the Identity Agent. For this interaction AIM API is the right reference.
  • (optional) Receive login notifications – as described in 2.2.3 of ID4me Technical Specification

Login Partners

Identity-Agent also must expose a limited openid-configuration, which allows Identity-Authorities and Relying Partners discover the capabilities and technical properties of Identity Agent, such as supported claims or encryption schemas. More in 2.1.1 of ID4me Technical Specification.

Identity Agent may also implement a role of Login-Partner in order to allow its End-Users to log in into own identities. For this part please refer to Login Partner Developer Zone.

Implementation tips and hints

Identity-Agent implements only a small portion of OpenID Connect (Distributed Claims Provider), therefore most likely none of the off-shelf libraries would support this use case. It is however especially advised to use a well-established and tested library for JOSE and JWT, implementing all necessary checks and free of known security vulnerabilities. A handy repository of options is available at https://jwt.io/ together with a very useful debugger. The library must JWS (signed) tokens, optionally also support JWE (encrypted) tokens as well as offer handling for JWK and JWKSets.

Tools and testing end-points

Authority-Agent Interface

Full flow can be tested against Denic’s test instance of Identity Authority at https://id.test.denic.de/

Authorization Flow

For debugging purposes there is a Relaying Party instance at https://rp.test.denic.de which allows full flow through the login process and displays relevant tokens, as well as verbose view on requests and responses to/from Agent in the Authorization flow.

Contact us

Let us know if you work on an open source project with ID4me. We will be glad to list a reference to your work on this page.

We are available for any questions you might have during your integration: support@id4me.org.

Meet the ID4me team at industry events!

Stay In Touch With ID4me!

Subscribe to always stay in touch with us and get the latest news about our company and all of your activities!