Professional Documents
Culture Documents
Tdif 06d Attribute Profile - Release 4.8 - Finance 1
Tdif 06d Attribute Profile - Release 4.8 - Finance 1
OFFICIAL
OFFICIAL
This work is copyright. Apart from any use as permitted under the Copyright Act 1968
and the rights explicitly granted below, all rights are reserved.
Licence
With the exception of the Commonwealth Coat of Arms and where otherwise noted,
this product is provided under a Creative Commons Attribution 4.0 International
Licence. (http://creativecommons.org/licenses/by/4.0/legalcode)
This licence lets you distribute, remix, tweak and build upon this work, even
commercially, as long as they credit Finance for the original creation. Except where
otherwise noted, any reference to, reuse or distribution of part or all of this work must
include the following attribution:
Conventions
References to TDIF documents, abbreviations and key terms (including the words
MUST, MUST NOT, and MAY) are denoted in italics are to be interpreted as
described in the current published version of the TDIF: 01 – Glossary of
Abbreviations and Terms.
Contact us
Document management
1.3 4.6 Mar 2022 AV CRID0029 - Minor text update (Table 30,
Page 12)
1.4 4.8 Feb 2023 MOK Updated specifications for the verified
documents attributes. Updated Annex A
examples for core attributes and verified
documents.
All changes made to the TDIF are published in the TDIF Change Log which is
available at https://www.digitalidentity.gov.au/privacy-and-security/trusted-digital-
identity-framework.
Contents
Introduction ......................................................................................................................... 1
Attribute Sets....................................................................................................................... 2
4.3.1 SAML 2.0 and OpenID Connect 1.0 Attribute Mappings ...................................................... 26
6.2.1 Authorisations........................................................................................................................ 40
Citizenship Certificate..................................................................................................................... 52
ImmiCard ........................................................................................................................................ 57
Visa................................................................................................................................................. 66
List of tables
Table 29: OIDC business authorisations Attribute Profile for RPs. .......................... 33
Table 51: Mapping of Attributes between TDIF 05 - Role Requirements and the TDIF
06D - Attribute Profile ............................................................................................... 71
Introduction
This document defines all Attributes that can be requested by Participants of the
Australian Government Digital Identity System. This document will be updated with
additional Attributes and Federation protocols as the Australian Government Digital
Identity System expands.
To the extent of any conflict between any requirement in the TDIF 05 – Role
Requirements and this document regarding Attributes available in the Australian
Government Digital Identity System, the TDIF 06D – Attribute Profile takes
precedence.
Attribute Sets
The Attributes passed through the Australian Government Digital Identity System are
split into Attribute Sets. Attribute Sets correspond to the logical sets of Attributes that
an RP will typically ask for as a collection, and that a User will provide consent for as
a collection. Some Attribute Sets will contain a single attribute, and some will contain
several Attributes. The presence of Attribute Sets does not preclude Attributes being
requested individually by an RP to support the principle of only releasing the minimum
Attributes required.
Table 1 sets out how the Attributes described in this document are split into Attribute
Sets
Attribute Sharing Policies are applied to all Attributes that are contained in an Attribute
Set. These policies describe the rules that must be applied when sharing these
Attributes with an RP. The key element of these policies relate to the operation of
user consent.
Table 3 sets out the meanings of each Consent type that is prescribed for Attribute
Sets in the TDIF.
1
Relying Parties can apply to the Oversight Authority for permission to receive Restricted Attributes.
• Core
• Validated Email
• Validated Phone
• Verified Other Names
• Verified Documents
• Common
These are the Attributes which both IdPs and Identity Exchanges are required to
support.
The core Attributes of a Person’s identity are their full name and their date of birth.
Core Attributes are populated from the identity documents used by an IdP to verify the
Attributes of the Individual if they have verified a document. A User may also provide
their Preferred Name to an IdP, but it is not a verified attribute. Preferred Name may
accompany the core attributes but should not be relied upon for name matching by a
Relying Party.
2
Section 5.1 of TDIF 06 Federation Onboarding Requirements sets out the implementation requirements for attributes being
listed as either mandatory or optional.
Table 6 lists the validated contact details Attributes that defined by the TDIF. These
Attributes are sourced from an IdP, which in turn gathers them from the Identity
Proofing process. IdPs are required to validate the mobile phone number and email
address as per the guidance in section 2.5 of the TDIF 05A Role-Specific Guidance.
These Attributes are sourced by an IdP from the Evidence of Identity (EOI)
documents that was used to achieve Identity Proofing Levels according to the TDIF
05 Role Requirements. These Attributes include the variations of the Person’s name
from those recorded in the core Attributes and are only sourced from the following
document types:
• CoI documents.
• Photo ID documents.
• Linking documents.
Table 8 lists the other verified document Attributes that defined by the TDIF. These
Attributes are sourced by an IdP from the Evidence of Identity (EOI) documents listed
in Appendix A of the TDIF 05 Role Requirements. These Attributes are only sourced
from the following document types:
• CoI documents.
• Linking documents.
• UitC documents.
• Photo ID documents.
Verified Documents are Restricted Attributes and will only be returned to a Relying
Party if they are approved to receive these Attributes.
The Verified Documents Attribute is a collection of the verified documents that a user
has used to conduct Identity Proofing. There can be multiple instances of a Verified
Document within the Verified Documents attribute. Table 9: Trust Framework Verified
Documents collection. details the sub-Attributes contained as part of a Verified
Document.
3
For further detail as to the sub-attributes which comprise specific document types, see Annex A and Annex B.
Both the Document Attributes and Document Identifiers sub-Attributes are multi-
valued Attributes comprised of Type-Value Tuples as set out in Table 11.
This section refers to the Identity System Metadata Attributes which are shared by an
Identity System to support its operation. These Attributes are generated by a
Participant. These Attributes are not a part of an Attribute Set.
This section refers to Attributes which the IdPs are required to be able to share if
requested by the Identity Exchange, but the Identity Exchange is not required to
share.
Table 14 lists the additional Attributes that an Identity Exchange may provide to a
Relying Party in response to an Authentication request.
The Attribute sharing policies for a Computed Attribute must be consistent with the
Attribute sharing policies of the Attributes that it is derived from.
Computed Attributes are synonymous with Attribute References defined in the NIST
digital identity standards 4. An Attribute reference is defined by NIST as:
4
https://pages.nist.gov/800-63-3/sp800-63-3.html
Apart from Preferred name(s) the SAML and OIDC mappings for the above Attributes
have not been specified. When they are specified, the mapping will be incorporated
into this profile.
Broadly speaking:
The following tables describe the mapping of the TDIF Attributes to OIDC claims. All
claims are standard OIDC claims except for claims that are prefixed with tdif. For
standard claims a reference to the applicable section of the OpenID Connect 1.0 Core
[OpenIDCore] is provided.
The key design goals for the OIDC Attribute mapping for IdPs are:
• Conform to standards.
• Use custom claims and scopes for TDIF-specific Attributes to avoid conflicts
with any other uses of the Attributes, and limit the data being returned from an
IdP.
• Support extensibility by allowing additional claims and scopes can be easily
added as the Attributes handled by an Identity Exchange is expanded.
The key design goals for the OIDC Attribute mapping for RPs are:
Table 16 sets out the mapping of the Attributes described in section 3 of this
document to the OIDC claims which represent those Attributes. It also outlines the
maximum set of Attributes it is expected that Identity Service Providers and Identity
Exchanges can support provision of via their OIDC interface.
5
This refers to the attributes which a Relying Party can request from an Identity Exchange using OIDC. The Identity Exchange does not store this information but retrieves it from Identity Service
Providers and Attribute Service Providers, as per the requirements for Identity Exchanges outlined in the TDIF 04 – Functional Requirements.
6
This refers to the Attributes that an Identity Exchange can request from an Identity Service Provider.
Attribute OIDC Claim JSON Can be requested Can be requested OIDC Standard
Type from Identity from Identity Reference
Exchanges 5 Service
Providers 6
Validated Email Last tdif_email_updated_at number
Yes Yes
Updated
Validated Mobile phone_number string Section 5.1
Yes Yes
Phone Number
Mobile Phone phone_number_verified boolean Section 5.1
Number Validated The value of this claim must Yes Yes
Indicator always be true
Validated Mobile tdif_phone_number_updated_ number
Yes Yes
Phone Last Updated at
Other Verified Names tdif_other_names complex
Yes Yes
type
Other Verified Names tdif_other_names_updated_at number
Yes Yes
Last Updated
Verified Documents tdif_doc complex
Yes Yes
type
Identity Proofing acr string Section 2
Level and Credential Yes Yes
Level
Authentication Time auth_time number Yes Yes Section 2
RP Audit Id tdif_audit_id string Yes No
TDIF EDI tdif_edi string No Yes
myGov LinkID mygov_link_id string Yes No
Last Updated updated_at number Yes Yes Section 5.1
The acr claim is returned as a string specifying one of the values described in section
4.2.1 of the TDIF 06 – Federation Onboarding Requirements.
The tdif_doc claim is returned as a complex JSON type containing an array of zero or
more occurrences of a tdif_doc, each of which will be comprised of the following sub-
Attributes described in Table 17.
The Document Names sub-Attribute is a complex JSON type that contains the sub-
Attributes listed in Table 18.
The Document identifiers and Document Attributes sub-Attributes are complex JSON
types that contain an array of zero or more occurrences of the type-value tuple
specified in Error! Not a valid bookmark self-reference.. The list of possible types of
identifiers for each document is described in Table 39 in Annex B of this document.
The list of possible types of Attributes can found in Table 39 in Annex B. An example
of a tdif_doc Attribute being returned can be found in Table 38.
The following additional Attributes are defined to support interoperability using the
standard claims defined in the OpenID Connect 1.0 Core specification [OpenIDCore].
A Relying Party can request Attributes from an Identity Exchange as per the Relying
Party to Identity Exchange profile defined in section 2 of the TDIF 06B – OpenID
Connect 1.0 Profile.
Under this profile, a Relying Party using OIDC can obtain Attributes by either
requesting claims as part of a scope, or as individual claims as per section 5.5.1 of
the OpenID Connect Core 1.0 standard using the claims parameter. The claims
available to a Relying Party are defined in Table 16. The Relying Party may also
make requests for scopes and claims provided by Attribute Service Providers as
described in section 5 of this document.
• openid
• profile
• email
• phone
• tdif_doc
Table 21 contains the mapping of these scopes to Attribute Sets and the claims that
will be returned if the scopes are requested.
Claims will generally be available via both endpoints; however some claims are only
available from certain endpoints as described above in Table 21. Additional
parameters may be returned as part of the authorisation response as per the Relying
Party to Identity Exchange profile defined in section 2 of the TDIF 06B – OpenID
Connect 1.0 Profile.
An Identity Exchange can request Attributes from an Identity Service Provider using
the Identity Exchange to Identity Service Provider profile described in section 3 of the
TDIF 06B – OpenID Connect 1.0 Profile.
Under this profile, an Identity Exchange using OIDC can obtain Attributes by either
requesting claims as part of a scope, or as individual claims as per section 5.5.1 of
the OpenID Connect Core 1.0 standard using the claims parameter. The claims
available to an Identity Exchange from Identity Service Providers are defined in Table
16.
The following scopes are available to an Identity Exchange to request from an Identity
Service Provider:
• openid
• tdif_core
• tdif_email
• tdif_phone
• tdif_other_names
• tdif_docs
These scopes are custom scopes as they have a richer set of Attributes than the
standard OIDC scopes. Table 22 contains the mapping of these scopes to Attribute
Sets and the claims that will be returned if the scopes are requested.
Claims will generally be available via both endpoints; however some claims are only
available from certain endpoints as described above in Table 21. Additional
parameters may be returned as part of the authorisation response as per the Identity
Exchange to Identity Service Provider profile defined in section 3 of the TDIF 06B –
OpenID Connect 1.0 Profile.
The Attribute mapping contained in this section can also be found in the TDIF: 06C
SAML 2.0 Profile [TDIF.SAML]. Where there is inconsistency between this document
and [TDIF.SAML] refer to this document for the authority on what the mappings
between Attributes are.
The design goals for the SAML 2.0 Attribute mapping are summarised below:
The following section describes the mapping of Attributes described in this document
to SAML claims. There is no concept of a scope in SAML 2.0.
• A value of the XML Attribute FriendlyName is provided for each of the SAML
2.0 Attributes in this profile. This is only defined for the purposes of readability,
it is optional, and it plays no role in processing.
• The XML schema type of the contents of the <AttributeValue> must be
drawn from one of the types defined Section 3 of [Schema2]. The xsi:type must
be present and given the appropriate value.
see
Section
3.1.3
Other Verified urn:id.gov.au:tdif:verified_other_ verified_other_nam dateTime
Names Last names_updated_at es_updated_at
Updated
Verified urn:id.gov.au:tdif:verified_docum verified_documents complex
Documents ents see
Section
3.1.4
Authentication AuthnInstant dateTime
Time
TDIF EDI urn:id.gov.au:tdif:tdif_edi tdif_edi string
myGov LinkID urn:id.gov.au:tdif:mygov_link_id mygov_link_id string
Table 24 details the equivalent Attributes in SAML 2.0 and OpenID 1.0 Connect for
the TDIF Attributes.
Table 25 lists the Attribute Service Providers that are currently accredited under the
TDIF to provide Attributes.
Broadly speaking, in the TDIF authorisation refers to the ability for an authenticated
Person to act on behalf of another entity. For guidance on this Attribute class, refer to
section 5.1 of the TDIF: 05A – Role-specific Guidance.
Table 26 describes the standard Attribute profile for authorisations. This lists the
Attributes which comprise an authorisation in the system. When there is a reference
to an entity, this is the Person, company, or group that an individual is being
authorised to act on behalf of,
registered with the Australian Business Register (ABR) and issued with an Australian
Business Number (ABN). A Business Owner is an Authorised Person for the business
entity that is registered on the ABR. A Business Owner may appoint additional
Authorised Persons. An Authorised Person may appoint additional Business
Representatives to act on behalf of the business entity.
Table 29 and Table 30 describe the claims and scopes which can be used by a
Relying Party to request a Business authorisation as part of an OIDC authentication
request.
Claims will generally be available via both endpoints, future iterations of this Attribute
profile may restrict the availability of these claims if required. Additional sub-Attributes
may be added in future.
Business authorisations are returned to a Relying Party using a single complex JSON
Object or String that contains all the business authorisation Attributes. These
Attributes are retrieved from the Attribute Service Provider.
The Attributes sub-Attribute is an array of tuples, with each being a name-value tuple,
as described in Table 31.
6.2.1 Authorisations
Core Attributes
given_name
Valid:
Given Name • “given_name”: “Trentino”
middle_name • “given_name”: “”
Middle Name
preferred_username Invalid
Preferred Name • “given_name”: <string longer than 100 characters>
• “given_name”: null
Invalid:
• “birthdate”: 1984
• “birthdate”: “84-04-01”
• “birthdate”: “1984-30-04”
Invalid:
• “email”: “malformed email address”
Invalid:
• “phone_number”: 61412345678
• “phone_number”: “712345678” /* Missing country code */
“tdif_other_names”: [{
"family_name": "Vass",
"middle_name": "Steven",
"given_name": "Ahgan"
}]
Invalid:
“tdif_other_names”: [
{"family_name": "", "given_name": "Ahgan"},
]
“tdif_other_names”: [
{"family_name": "Vass","given_name": null}
]
Invalid 8:
• “tdif_core_updated_at”: “1674539150”
7
updated_at and the TDIF *_updated_at fields should follow the idioms outlined in the OpenID Connect Core 1.0 profile.
8
Applicable to all *_updated_at claims.
Verified Documents
For each document type currently shared on the TDIF, the following tables set out the
expected fields for that document type, and provide examples for the JSON
representation of that claim. The required column notes fields that must be presented
in the payload for the described document type. As more documents are made
available on the TDIF, more example specifications will be provided.
Common to all documents the JSON representation is required to have these fields:
• type_code
• verification_method
• verification_date
• birthdate
• identifiers
• attributes
The fields for each document type have been determined based off the fields on a
given document which can be verified using the Document Verification Service.
Where sub-fields for identifiers and attributes are listed as not required,
none or a combination of them may be required for a complete and valid
representation of a given verified document. If no identifiers or attributes are available
an empty array is permissible.
Any disclosure of this information is subject to the availability of the information at the
provider. Furthermore, the specifications here don’t preclude requests for specific
sub-attributes rather than the whole verified docs field.
Birth Certificate
Please note that each state and territory birth certificate has different information on the birth certificates they issue, and the
information will vary further depending on the year the certificate was issued. Providers are expected to supply the available
information that satisfied the initial document verification if a birth certificate document has been requested by a relying party.
Required
Field Sub-field(s) Example
type_code Y {
"type_code": "urn:id.gov.au:tdif:doc:type_code:BC",
verification_method Y
"verification_method": "S",
verification_date Y "verification_date": "2022-12-06T23:21:19.0231031Z",
names
9
family_name Y "names": {
"family_name": "Maximus",
given_name Y
"given_name": "Michael"
birthdate Y },
identifiers
10
Registration Number N "birthdate": "1989-01-03",
9
On birth certificates issued by the NSW, VIC, WA BDM, given name may be left blank if family name has a value, and family name may be left blank if given name has a value.
10
The identifiers used for birth certificates will vary significantly depending on the state and territory which issued the birth certificate.
Required
Field Sub-field(s) Example
Certificate Number N "identifiers": [
{
attributes Registration Date N
"type": "Registration Number",
Registration State Y "value": "1234567890"
Registration Year N }
],
"attributes": [
{
"type": "Registration State",
"value": "ACT"
}
]
}
Required
Field Sub-field(s) Example
type_code Y {
"type_code": "urn:id.gov.au:tdif:doc:type_code:CO",
verification_method Y
"verification_method": "S",
verification_date Y "verification_date": "2022-12-06T23:21:19.0231031Z",
Required
Field Sub-field(s) Example
"value": "2024-03"
}, {
“type”: “CardType”,
“value”: ”PCH”,
}
]
}
Required
Field Sub-field(s) Example
type_code Y {
"type_code": "urn:id.gov.au:tdif:doc:type_code:NC",
verification_method Y
"verification_method": "S",
verification_date Y "verification_date": "2022-12-07T00:52:48.2Z",
Certificate N {
Number "type": "Registration Number",
attributes Registration Date N "value": "1563160"
}
Registration State Y
11
For Change of Name Certificates issued by the NSW, VIC or WA BDM, given name may be left blank if family name has a value, and family name may be left blank if given name has a value.
Required
Field Sub-field(s) Example
Registration Year N ],
attributes": [
{
"type": "Registration State",
"value": "ACT"
}
]
}
Citizenship Certificate
Required
Field Sub-field(s) Example
names family_name Y "names": {
"family_name": "Doe",
given_name N
"given_name": "John"
birthdate Y },
12
Please note that the Acquisition Date field, while supported by the DVS, is not currently available on the AGDIS.
Required
Field Sub-field(s) Example
type_code Y {
"type_code": "urn:id.gov.au:tdif:doc:type_code:RD",
verification_method Y
"verification_method": "S",
verification_date Y "verification_date": "2022-12-06T23:22:01.6116772Z",
13
Please note that the Acquisition Date field, while supported by the DVS, is not currently available on the AGDIS.
Required
Field Sub-field(s) Example
"attributes": [
{
“type”: “Acquisition Date”,
“value”: “2013-04-20”
],
}
Required
Field Sub-field(s) Example
names family_name Y "names": {
"family_name": “Kallisto",
given_name Y
"given_name": "Yasmine"
middle_name N },
14
Card Number is required for a NSW, NT, SA, WA, Tas and ACT drivers licence verified after the 1st of September 2022. If it is recorded by an IDP, it is expected to be passed as part of a driver
licence tdif_doc.
Required
Field Sub-field(s) Example
}
ImmiCard
Required
Required
Field Sub-field(s) Example
identifiers ImmiCard Number Y "birthdate": "1986-04-18",
"identifiers": [
attributes empty Y
{
"type": "ImmiCard Number",
"value": "PRE123456"
}
],
"attributes": []
}
Marriage Certificate
Required
Field Sub-field(s) Example
verification_method Y "type_code": "urn:id.gov.au:tdif:doc:type_code:MC",
"verification_method": "S",
verification_date Y
"verification_date": "2022-12-06T23:21:19.0231031Z",
names family_name Y "names": {
birthdate Y },
"birthdate": "1989-01-03",
identifiers Registration N
Number "identifiers": [
{
Certificate N
Number "type": "Registration Number",
Required
Field Sub-field(s) Example
}
]
}
Medicare Card
Required
Field Sub-field(s) Example
type_code Y {
"type_code": "urn:id.gov.au:tdif:doc:type_code:MD",
verification_method Y
"verification_method": "S",
verification_date Y "verification_date": "2022-12-06T23:21:19.0231031Z",
Card Expiry Y {
"type": "Individual Ref Number",
Full Name 1 Y
"value": "1"
Full Name 2 Y },
Full Name 3 Y ],
"attributes": [
Full Name 4 Y
Required
Field Sub-field(s) Example
{
"type": "Card Type",
"value": "G"
},
{
"type": "Card Expiry",
"value": "2022-12"
},
{
"type": "Full Name 1",
"value": "Lachlan Murramarang"
},
{
"type": "Full Name 2",
"value": null
},
{
"type": "Full Name 3",
"value": null
},
Required
Field Sub-field(s) Example
{
"type": "Full Name 4",
"value": null
},
]
}
Required
Field Sub-field(s) Example
type_code Y {
"type_code": "urn:id.gov.au:tdif:doc:type_code:PP",
"verification_method": "S",
"verification_date": "2022-12-06T23:22:01.6116772Z",
"names": {
"family_name": "Citizen",
"given_name": "Jane"
verification_method Y
},
verification_date Y "birthdate": "1930-04-18",
15
The Australian Travel Document includes
Required
Field Sub-field(s) Example
attributes Gender N ],
"attributes": [
{
“type”: “Gender”,
“value”: “Female”
}
]
}
Visa
Required
Field Sub-field(s) Example
{
type_code Y
"type_code": "urn:id.gov.au:tdif:doc:type_code:VI",
"verification_method": "S",
verification_method Y
"verification_date": "2022-12-06T23:22:01.6116772Z",
"names": {
verification_date Y
"family_name": "Vino",
"given_name": "Trentino"
Names family_name Y },
"birthdate": "1962-08-10",
given_name Y "identifiers": [
{
birthdate Y "type": "Passport Number",
"value": "NN123456"
identifiers Passport Y }
Number ],
Required
Field Sub-field(s) Example
"attributes": []
attributes 16
}
16
Please note that the country of issue field, while supported by the DVS, is not currently available on the AGDIS.
Table 39 Mapping to DVS Field Names. provides a mapping of the DVS fields values
defined in the DVS Match Specifications to the TDIF verified document Attributes.
Table 51: Mapping of Attributes between TDIF 05 - Role Requirements and the TDIF
06D - Attribute Profile
Corresponding Attribute(s) Location in section 3
Attribute in tables 2 & 3 of the
in the TDIF 06D – Attribute of the TDIF 06D –
TDIF 05 – Role Requirements
Profile Attribute Profile
Full Name 3.1.1
Family Name 3.1.1
Given Names 3.1.1
All verified names
Middle Names 3.1.1
Other Verified Names 3.1.3
Document Names 3.1.4
Verified date of birth as Date of Birth 3.1.1
recorded on the EoI Document Document Date of Birth 3.1.4
Validated Mobile Phone 3.1.2
Mobile Phone number
Number
Email address Validated Email 3.1.2
No current attribute
EoI Document type name
mapped.
EoI Document type code Document Type Code 3.1.4
No current attribute
EoI Document issuer
mapped.
EoI Document issuer state Document Issuer State 3.1.4
EoI Document identifiers Document Identifiers 3.1.4
Other EoI Document Attributes Document Attributes 3.1.4
Last Updated 3.1.5