1. Designing the service

You define which data from the identity card or the electronic residence permit are necessary for the electronic identification based on the requirements of your clients, such as first name, last name and date of birth. The list of data stored on the chip can be found in Section 18 (3) of the Act on Identity Cards and Electronic Identification.

2. Setting up your own eID server or choosing an eID service provider

You can either operate your own eID server or choose an eID service provider. This decision is relevant for the necessary certification by the Federal Office for Information Security (see under 4.)

3. Connecting your service with the eID server

You can use the eID interface or the SAML connection to link up your service with the eID server. This depends on the relevant eID server. Service providers should ask their eID service provider which technical procedures are used for the eID connection and which software support is provided for which platforms.

4. Certification

As an identification service provider, you must prove compliance with the requirements of Section 29 (2) of the Personalausweisverordnung (PAuswV) by means of a certificate issued by the Federal Office for Information Security (BSI). In concrete terms, this means that you must undergo certification in accordance with the BSI's Technical Guideline TR-03128-2 (available in German). In the course of this certification, a conformity test based on the requirements defined in TR-03128-2 is carried out by a neutral body. These conformity tests can be performed by "Certified ISO 27001 auditors for audits based on IT-Grundschutz (audit team leader)".

Since the certification according to TR-03128-2 includes the self-operated or commissioned eID server, you should coordinate this with your eID service provider at an early stage in the latter case.

Important to know

You must have completed certification with the BSI before submitting your application to the VfB.
About the topic

• List of certified ISO 27001 auditors for audits based on IT-Grundschutz (audit team leader) (available in German)
• Website of the Certification Body of the Federal Office for Information Security (available in German)
  

5. Applying for an authorization

After successful completion of the certification according to TR-03128-2, you can apply for an authorization certificate at the VfB.

Pursuant to Section 21 (2) of the Act on Identity Cards you will be issued an authorization certificate if:

1. you inform and prove the identity of the identification service provider to this authority,
2. you briefly explain your organization’s interest in the use of the eID function,
3. you have successfully completed the certification process according to TR-03128-2 (see above) and present an appropriate certificate,
4. compliance with corporate data protection is ensured, and
5. the authority has no indications that data will be misused.

You can submit your application for an authorization certificate by this issuing authority in writing. The forms of the VfB can be found in the download area on this page.

As soon as the VfB has issued the certificate, this information will be published in the list of all valid authorization certificates (available in German).

6. Choosing the provider of authorization certificates

Following the positive response by the VfB, you choose an authorization certificates provider to get the technical authorization certificate and make a contract with this provider.

Your eID server or eID service provider needs to support the connection with the chosen authorization certificates provider, since new authorization certificates and revocation lists are regularly updated online.

7. Operating your service

You have to ensure that authentication with the eID function works with the application “AusweisApp2”. Additional information on mutual authentication procedures between service providers and users can be obtained at “The electronic identfication technique”.