SPID and CIE: differences and integration with Keycloak

SPID and CIE compared: how Digital Identities work

Both SPID (Public Digital Identity System) and CIE (Electronic Identity Card) are digital identity tools that allow access to services provided by the Public Administration and affiliated private entities. The main difference between the two lies in their form and the issuing authority. The CIE is a physical card issued by the Ministry of the Interior through the local municipality, equipped with a microchip, and is designed to replace traditional paper identity cards.

SPID, on the other hand, consists of a set of credentials (username and password) provided by various Identity Providers (IdPs), public or private, accredited by AgID. It is therefore a fully online digital access system, without any physical component. While SPID is generally quicker and easier to use, the CIE provides a higher level of security.

SPID and CIE Security Levels

Each digital identity, such as SPID and CIE, is associated with different security levels, also recognized at the European level as Levels of Assurance. These levels indicate the strength of the authentication process.

  • Level 1 requires only a username and password.
  • Level 2 adds an extra verification step, such as an OTP code sent via SMS or generated by an app.
  • Level 3 for SPID involves more advanced security methods or the use of physical devices, such as smart cards, although not all SPID providers support them.

Although intrinsically considered more secure, CIE also follows three authentication levels: Level 1 (low), Level 2 (significant), which requires two-factor authentication, and Level 3 (high), based on the physical use of the card along with an additional authentication factor.
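
A service that requires a given level has to check the level the Identity Provider actually reports, and reject a missing or weaker one. The following is an added example, not code from the original page or from Keycloak or Yookey: it assumes the level is carried in the OpenID Connect `acr` claim using the SPID class URIs `https://www.spid.gov.it/SpidL1` to `SpidL3`, and that the token was already validated; the function names and sample claims are hypothetical.

```python
# Assumption: SPID/CIE levels arrive in the OIDC `acr` claim as these class URIs.
ACR_RANK = {
    "https://www.spid.gov.it/SpidL1": 1,
    "https://www.spid.gov.it/SpidL2": 2,
    "https://www.spid.gov.it/SpidL3": 3,
}


class AssuranceError(Exception):
    """The reported level is missing, unrecognised, or below the requirement."""


def acr_values_for(minimum):
    """acr values to request: the minimum level plus every stronger one."""
    ranked = sorted(ACR_RANK.items(), key=lambda item: item[1])
    return [uri for uri, rank in ranked if rank >= minimum]


def enforce_minimum(claims, minimum):
    """Return the achieved level or raise AssuranceError (fails closed).

    `claims` must come from a token whose signature, issuer and audience
    were already validated; only the assurance level is checked here.
    """
    if minimum not in ACR_RANK.values():
        raise ValueError("minimum must be 1, 2 or 3")
    acr = claims.get("acr")
    if not isinstance(acr, str) or acr not in ACR_RANK:
        raise AssuranceError(f"unrecognised or missing acr: {acr!r}")
    achieved = ACR_RANK[acr]
    if achieved < minimum:
        raise AssuranceError(f"level {achieved} is below required level {minimum}")
    return achieved


# Constructed sample claims, not real tokens.
SAMPLE_L2 = {"sub": "constructed-user", "acr": "https://www.spid.gov.it/SpidL2"}
SAMPLE_L1 = {"sub": "constructed-user", "acr": "https://www.spid.gov.it/SpidL1"}
SAMPLE_NO_ACR = {"sub": "constructed-user"}

if __name__ == "__main__":
    print("accepted at level", enforce_minimum(SAMPLE_L2, 2))
    for bad in (SAMPLE_L1, SAMPLE_NO_ACR):
        try:
            enforce_minimum(bad, 2)
        except AssuranceError as exc:
            print("rejected:", exc)
```

A higher level than the one requested is accepted, while an absent or unknown `acr` is treated as a failure rather than as Level 1.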

Enabling SPID and CIE authentication through Keycloak

Keycloak is an Identity and Access Management (IAM) platform that can be configured to support authentication via SPID and CIE, integrating these systems into applications and websites.

Using Keycloak simplifies the implementation of Single Sign-On (SSO), a feature highly requested by both the Public Administration and private companies, allowing users to access multiple online services with a single authentication. Adopting Keycloak also means relying on a solution that automatically manages infrastructure and updates, reducing the technical burden for service providers.

From a technical perspective, SPID and CIE differ in their OpenID Connect profiles, particularly in the management of metadata, authorization endpoints and refresh tokens. An IAM system like Keycloak must be configured to handle these differences correctly, ensuring proper interpretation and management of user attributes.

May 2026 Update: SPID as the Authentication Standard for Digital Work

Starting from May 1, 2026, with the entry into force of the new labor decree, gig workers and platform-based workers will be required to use SPID, or alternatively CIE (Electronic Identity Card) or CNS (National Services Card), to access work platforms and related services.

The measure introduces a unique and verified digital identity model, linked to the worker’s tax code, ensuring exclusive ownership of credentials and a higher level of security.

The main goal is to combat digital caporalato (labor exploitation) and the unauthorized sharing of accounts, while strengthening the traceability of activities carried out on digital platforms.

Overall, this development confirms the shift toward an ecosystem based on standardized digital identities, increasingly central in IAM authentication and integration models, also in view of the progressive rollout of the IT Wallet as the future unified digital identity wallet.

Yookey ID: SPID and CIE Gateway

Yookey ID is a Keycloak-based SaaS (Software as a Service) solution offered in the cloud and accredited by ACN, serving as a SPID and CIE gateway for the Public Administration and private companies. The platform is specifically designed to handle authentication via SPID and the Electronic Identity Card, providing a ready-to-use solution for integrating these systems into applications and websites.

With Yookey ID, it is easy to implement Single Sign-On (SSO) for access to online services, simplifying the user experience. The service is fully managed, including infrastructure maintenance and continuous platform updates, ensuring a simple and secure management of digital authentication.
