Support for AusweisIDent and eID Service

AusweisIDent Online and the D-Trust eID service for online service providers can be used with the following ID documents:  

Customers with an ID card with an activated online ID function, an electronic German residence permit or a Union citizen card can identify themselves via an online ID for your service.

The online ID card function has been automatically activated on all new ID cards since 2017. The online ID function is always activated for electronic German residence permits and Union citizen cards. This means that the function is activated on most ID cards in circulation.

AusweisIDent On-Site and the D-Trust eID service for on-site service providers can be used with the following ID documents:  

Data from customers with an ID card, an electronic German residence permit or a Union citizen card can identify themselves via an online ID for your service. The online identification feature does not have to be activated.

The electronic storage medium in the ID card provides all data necessary for electronic proof of identity according to Sec. 18 (3) PAuswG [Personal ID Act].

1. Surname
2. Birth name
3. First name(s)
4. Doctorate
5. Date of birth
6. Location of birth
7. Address
8. Citizenship
9. Document type
10. Last date of validity period
11. Service and card-specific identifier
12. Abbreviation “D” for the Federal Republic of Germany
13. Indication as to whether a certain age is exceeded or not
14. Indication as to whether a place of residence corresponds to the queried place of residence
15. Religious name, artist’s name

Reading Out the ID Card Data Electronically 

The required electronic data can be read from the chip of the ID card, electronic residence permit or Union citizen card using an NFC-enabled smartphone or a card reader. By entering the 6-digit ID PIN, the customer agrees to the transmission of his/her data. 

Providing the Identification Data 

The electronic data read out is provided to your service by the ID card or eID service via a standardised web interface.

Pairing and “Smartphone as Card Reader” function:  

The “Smartphone as Card Reader” function of the AusweisApp allows a suitable smartphone to be paired with a PC/laptop (Windows or Mac), an iPad or a non-NFC-capable Android device. This function is relevant for service providers who offer a service that is typically used on laptops, iPads or other non-NFC-enabled end devices.

There are two ways to use the smartphone as a card reader and pair the devices:

1. Pairing by connecting both devices with the same Wi-Fi network
   (Note: You must allow all devices on your network to communicate with each other, including your smartphone. You can usually set this up in the router or in the network settings.)
2. Pairing via a mobile hotspot: One of the devices opens a hotspot and the other connects to it.

Requirements for suitable smartphones:

1. A smartphone or tablet with Android version 5.0 or higher or an iPhone 7 with version 13.1 or higher.
2. The smartphone must support the NFC function. For a stable connection during data transmission, the NFC chip installed in the smartphone must have a sufficient field strength.
3. The device’s firmware / operating system must support extended length communication. Extended length enables the transmission of data packets longer than 261 bytes to and from the online ID and allows the data to be encrypted.

This is how it works – step-by-step:

1. Connect both devices to the same Wi-Fi or mobile hotspot.
   (Note: You must allow all devices on your network to communicate with each other, including your smartphone. You can usually set this up in the router or in the network settings.)
2. If necessary, switch on NFC on the smartphone that is to be connected as a card reader.
3. Initiate remote access in the AusweisApp on the smartphone that is to be connected as a card reader.
4. Start pairing and connect the devices by entering the pairing code.

Detailed instructions on pairing the AusweisApp with a smartphone can be found here.

Connecting to the AusweisIDent test system:

The AusweisIDent test system is available to you free of charge. Connecting to it requires a signed confidentiality agreement with D-Trust. You can obtain this from us by sending a request to vertrieb@d-trust.net. Once this has been done, we will send you the interface documentation and the order form for access to the test system. After successfully implementating the interface, you can try out the AusweisIDent system with test ID cards. The reference system is functionally equivalent to the live system, but only works with test ID cards or the PersoSim simulator. More information on test cards and the PersoSim simulator can be found on the BSI website.

Connecting to the AusweisIDent live system:

After a successful test, we will provide you with a service contract describing services and obligations and specifying the data fields that are to be read out. The current price list is included at the end. Merely concluding the contract will not trigger any services or payments. It is not until you commission us and send us our order form for access to the functional system that will we set up access for you – after we have validated your organisation as stipulated by regulations. Once this has been done, we will charge you the annual fee and, in the following months, the fees for the monthly transactions. AusweisIDent is integrated via an OpenID Connect web interface – an open web standard based on OAuth2.0. To learn more, click here.

In addition, AusweisApp must be integrated as well. You have two options for this:

1. Fully integrating AusweisApp into your application
2. Redirecting the user to AusweisApp from your application

You can find more information on AusweisApp on the AusweisApp website. The open source code is also available to you for downloading.

The developer’s manual, which you will receive from us after you have sent us the confidentiality agreement, contains code fragments that describe how to integrate AusweisIDent.

You can find more information on AusweisApp on the AusweisApp website. The open source code is also available to you for downloading.

Connecting to the eID service reference environment:

The reference environment of the D-Trust eID service is available for you to test. Connecting to it requires a signed service contract with D-Trust. You can obtain the contract from us by sending a request to vertrieb@d-trust.net. Once this has been done, we will send you the interface documentation and the technical order form for access to the test system. In addition, you can also purchase the required authorisation certificate for the eID reference environment from D-Trust.

After successfully implementating the interface, you can test the eID service reference environment with test ID cards. The reference system is functionally equivalent to the live system, but only works with test ID cards or the PersoSim simulator. More details on both can be found on the BSI website here.

Connecting to the eID service productive environment:

To access the productive environment, you must conclude a service contract with D-Trust, which describes services and obligations and specifies the data fields that are to be read out. The current price list is included at the end. Along with the service contract, you can also purchase the technical authorisation certificate from us. To do this, you will need a notice from the Federal Office of Administration. You can apply for the authorisation at the Issuing Office for Authorisation Certificates (VfB) of the Federal Office of Administration (BVA). You can also do this online.

Merely concluding the contract will not trigger any services or payments. It is not until you commission us and send us our technical order form for access to the functional system that will we set up access for you. Once this has been done, we will charge you the annual fee and, in the following months, the fees for the monthly transactions. The D-Trust eID service is integrated via a SOAP or SAML interface. You can find out more about this in the Integration Manual.

In addition, AusweisApp must be integrated as well. You have two options for this:

1. Fully integrating AusweisApp into your application
2. Redirecting the user to AusweisApp from your application

You can find out more about AusweisApp and the source code here.

Your web service is connected to the D-Trust eID service via an interface according to the SOAP or SAML standard.  D-Trust uses Governikus software (Autent or Panstar) for the eID service. You will be given access to the SDK via our service portal after concluding the contract. 

The device used for online identification must have AusweisApp installed (Windows, Android, iOS) or an app of yours that has the AusweisApp SDK (Android, iOS) integrated.  The AusweisApp is available to you open-source: https://www.ausweisapp.bund.de/home/

The manual and the SDK, which you will receive from us after you have sent us the NDA, contains code fragments that describe how to integrate the D-Trust eID Service.

You will find the source code for integrating AusweisApp here.