Digital Identity Verification

Getting Started

Welcome! If you are new to ID.me, you are in the right place. Here we will cover how to get started using ID.me.

Overview

To get started with an integration you’ll need to do the following.

  1. 1. Sign up for an ID.me developer account. Click here
  2. 2. Register your organization.
  3. 3. Select which groups you would like to enable for verification.
  4. 4. Choose your platform to review the recommended integration options.
  5. 5. Place our Verify with ID.me (Click to download) button on your site to begin testing authentication and verification.
    1. i. Contact partnersupport@id.me to generate test credentials.
  6. 6. Once verification is complete at ID.me, the partner sends a request to ID.me’s API to retrieve user attributes.

By default, your application will be set up for OAuth. Upon registration, you will immediately have access to the application details page which will list the client_id and client_secret for your OAuth client.

Leveraging the ID.me IDP SAML service will vary depending on the product that is used to implement the federation relationship. Currently, we do not support creating SAML SP profiles automatically through the portal, please contact partnersupport@id.me for assistance in the process.

Verification Products

Digital Identity Verification

  • Online identity proofing securely verifies an individual’s identity in minutes using remote verification of physical IDs, mobile network operator (MNO) data, along with fraud and compliance checks.
  • Virtual In-person proofing allows those individuals to complete identity proofing with a trained Trusted Referee via a simple video conference session.
  • In-person proofing with a Trusted Referee ensures that all users can easily create a credential to secure access to high value services online.

Group Affiliation Verification

  • Instantly verify customer eligibility for exclusive discounts
  • Acquire customers and build loyalty in strategic customer segments, while reducing discount fraud.

EPCS and eRX Provider Verification

  • Verify physician identity and medical provider status for EPCS
  • ID.me provides seamless identity verification for Health Care Providers to meet Electronic Prescription of Controlled Substances (EPCS) requirements.

Document Verification

  • Verify the authenticity of ID documents with machine vision and AI
  • Easy Document Verification for REAL ID Applicants.
  • Instantly verify the identity of consumers who submit Subject Rights Requests (SRR) or Data Subject Access Requests (DSAR).

Know Your Customer Account Opening

  • Implement KYC verification to streamline the online account opening process.
  • Improve conversion for account opening with simple remote verification of physical IDs and mobile phone SIM verification.

SCRA Compliance Montioring

  • Instant SCRA Verification for Financial Institutions.
  • Rely on automated SCRA monitoring to ensure compliance for loans and debt collection. Minimize cost and regulatory burden.

Industry standards ID.me supports

Open Authorization (OAuth) 2

  1. An authorization standard that allows a user to grant limited access to their resources on one site, to another site, without having to expose their credentials. You use this standard every time you log in to a site using your Google account and you are asked if you agree with sharing your email address and your contacts list with that site.

OpenID Connect (OIDC)

  1. An identity layer that sits on top of OAuth 2 and allows for easy verification of the user's identity, as well as the ability to get basic profile information from the identity provider.

Security Assertion Markup Language (SAML)

  1. An open-standard, XML-based data format that allows businesses to communicate user authentication and authorization information to partner companies and enterprise applications their employees may use.

Bearer Token Authentication

  1. An HTTP authentication scheme that involves security tokens called bearer tokens.

Keep reading

  1. Begin Digital Identity integration
  2. Begin Group Affiliation integration
  3. Begin EPCS Provider integration
  4. Begin Document Verification integration
  5. Begin KYC integration

SAML Metadata

Once an account is created, SAML metadata (along with keys) must be exchanged to ensure proper configuration of the endpoints.


A copy of the current, full metadata is always available at https://api.id.me/saml/metadata/provider


Sandbox environment metadata can be found at https://api.idmelabs.com/saml/metadata/provider

Note that preserving formatting and whitespace is important when importing any XML metadata.

The metadata document describes the IDP to a SP, including the following elements:

  • The endpoint addresses for communication
  • The X.509 certificates being used to sign and encrypt SAML assertions
  • The SAML bindings supported by the service provider

SAML Bindings

The ID.me IDP SAML service supports HTTP POST and HTTP Redirect bindings.

Name Identifier

The ID.me IDP SAML service supports the following NameID formats:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Authentication Context

The ID.me IDP SAML service supports invoking different authentication and verification policies on a per-application or per-request basis. The policy name is required to be passed along within the element. For more information about available policies and support for setting these up, please contact partnersupport@id.me

SAML is a secure protocol, which supports encryption and message signing. In addition, the HTTP communication security between the SP and the IDP is ensured by using SSL (TLS v1.1 or higher).

XML Signature

All ID.me SAML messages are digitally signed. This includes all requests, assertions and metadata. The XML signature is contained within the element. The signature serves as proof that only the IDP could have signed the element, and also to guarantee the integrity of the assertion. ID.me signs messages using SHA256, SHA384 and SHA512 algorithms.


<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_67016ed111db-4bce-b065-45bcd564cd0e"
                Version="2.0"
                IssueInstant="2015-02-04T22:30:48Z"
                Destination="..."
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="_6a12a9ef28696226601602f669545e7ebb1c80d19a">
    <saml:Issuer>api.id.me</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>...</ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>...</ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion ID="_d20913189703-4b8b-97f4-c96ef7b1dccd" Version="2.0" IssueInstant="2015-02- 04T22:30:46Z">...</saml:Assertion>
</samlp:Response>

XML Encryption

ID.me requires all SAML assertions to be encrypted. This ensures the privacy of any confidential data contained within the response transmission. The encrypted assertion is contained within the element.

ID.me supports using AES-128, AES-192 and AES-256 as message encryption algorithms.


<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_46965880a3f0-461b-bc99-5ba262e812b3"
                Version="2.0"
                IssueInstant="2015-02-04T22:46:25Z"
                Destination="..."
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="_8bf72df7b4922883b1adad99926a0293c6e135b6da">
  <saml:Issuer>idp-staging.idmeinc.net</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
  <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_43a44a93ad36-4616-
    b1e6-2a96d4f3134c" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <xenc:EncryptedKey Id="_78c2d92d0c46-4820-b8f0-52698580d7c9">
              <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
              <xenc:CipherData>
                  <xenc:CipherValue>...</xenc:CipherValue>
              </xenc:CipherData>
          </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>

Web Access Management Software Configurations

CA Siteminder Federation Manager

CA Siteminder’s Federation Manager can be configured to allow the ID.me network to operate as an Identity Provider (IDP). The following links below are to CA documentation related to this process. These product pages may be updated from time to time by the vendor, please access the most current documentation directly through your vendor’s support portal.


Federation Manager Guide CA Siteminder Federation Manager Support Portal

Oracle Access Manager

Oracle 11g can be configured to allow the ID.me network to operate as an Identity Provider (IDP). The following links below are to Oracle documentation related to this process. These product pages may be updated from time to time by the vendor, please access the most current documentation directly through your vendor’s support portal.


Federation Manager SAML 2.0 Configuration Oracle Product Support Page

Tivoli Access Manager

IBM Tivoli can be configured to allow the ID.me network to operate as an Identity Provider (IDP). The following links below are to IBM documentation related to this process. These product pages may be updated from time to time by the vendor, please access the most current documentation directly through your vendor’s support portal.


Configuring SAML 2.0 SP

Forgerock Open Access Manager

Forgerock OpenAM can be configured to allow the ID.me network to operate as an Identity Provider (IDP). The following links below are to Forgerock documentation related to this process. These product pages may be updated from time to time by the vendor, please access the most current documentation directly through your vendor’s support portal.


Forgerock Open Access Manager

SimpleSAML

Simple SAML can be configured to allow the ID.me network to operate as an Identity Provider (IDP). The following links below are to Simple SAML documentation related to this process. These product pages may be updated from time to time by the vendor, please access the most current documentation directly through your vendor’s support portal.


Simple SAML 2.0 SP Quick Start Guide

GluuSAML

Gluu can be configured to allow the ID.me network to operate as an Identity Provider (IDP). The following links below are to Gluu documentation related to this process. These product pages may be updated from time to time by the vendor, please access the most current documentation directly through your vendor’s support portal.


Set up SAML 2.0 Trust Relationships in GLUU
Waves