You decide for yourself which local means of identification you want to issue. A typical solution is to combine a username and password with additional factors on special hardware devices. This can be, for example, apps on mobile devices.
Your users can then use the local means of identification instead of MitID when they log in on behalf of your organisation.
An organisation that has been established as a Local IdP can itself register users in MitID Erhverv at the NSIS assurance level at which the Local IdP is registered. Such users can log in immediately with their local means of identification without going through a MitID Erhverv activation process, but they do not have the option to sign.
NemLog-in offers a qualified signing service where users can sign with a MitID identification means, e.g. a MitID app (private or business). The signing service in NemLog-in assumes that the underlying identity is registered in accordance with the eIDAS regulation. For qualified signatures, there are thus in eIDAS article 24.1 some additional requirements, which are independent of the user's security level.
This means that users created by an NSIS-registered organisation with a Local IdP can basically only log in, but not sign in NemLog-in's qualified signing service on behalf of your organisation. If your organisation needs users to sign on behalf of the organisation, there are three different options to enable this:
There is an option to upgrade a user's identity so that the user, in addition to logging in, can also sign with the Local IdP. This is done by adding the private MitID option or a separate MitID to the user's profile, either in MitID Erhverv or via the IdM API. MitID Erhverv then carries out a renewed activation of the identity and sends an e-mail with an activation link to the user. The activation requires the user to log in with their private MitID.
If the user activates with their private MitID and then chooses not to accept using their private MitID in the future, the private MitID is not added to the user as a means of identification. The activation nevertheless causes the identity to be marked as approved for qualified signing (also with the Local IdP). If you subsequently delete the private MitID as a means of identification, the user will still be able to sign with the Local IdP.
What you need to know about establishing a Local IdP
Establishing and maintaining a Local IdP requires significant maturity in the organisation. A Local IdP must undergo NSIS review at assurance level Substantial or High, before it can be connected to MitID Erhverv.
A Local IdP must be notified to NSIS at assurance level Substantial or High before it can be connected to the MitID Erhverv solution.
It is necessary that you are connected to MitID Erhverv before you can set up your Local IdP in MitID Erhverv. You choose for yourself whether you want to start by connecting to MitID Erhverv, or do it in parallel with the establishment of your Local IdP. Your organisation just needs to be connected before you send an email to the Agency for Digital Government (step 9).
For example, your Local IdP must go through an NSIS review and, once approved, appear on the NSIS trusted list before the Local IdP is put into production.
With a Local IdP, your organisation has the opportunity to manage its business users decentrally, rather than doing so via MitID Erhverv. You also get the option to issue local means of identification to your users.
If you need Local IdP, it is a good idea to clarify your wishes and business needs, including:
After this, you can advantageously establish a project and create management support in your organisation.
It is a prerequisite that all users are also created in MitID Erhverv, if you want to use local business identities to log on to your own systems or public self-service solutions.
For that purpose, you can connect a Local IdM solution. A Local IdM solution can call the IdM API in MitID Erhverv and synchronize the local creation and deletion of your users with MitID Erhverv.
That way, you only need to manage your users in one place: your local administration system. It is, however, also possible to manage your users in MitID Erhverv and have these changes propagated to your local administration system.
If you choose a Local IdP combined with Local IdM, it is a prerequisite that your Local IdP meets the requirements and rules defined in the National Standard for Identity Security Levels (NSIS).
This is because your organisation becomes a local identity guarantor if you combine your Local IdP with Local IdM.
Implementation of the NSIS standard involves a number of different disciplines – technical, organisational and security-related. It is therefore important not to consider the task a purely technical implementation project:
When connecting the Local IdP in production, the Agency for Digital Government will verify that your Local IdP is approved and appears on the NSIS trusted list.
You have the possibility of setting up a test organisation. You can do that in the MitID Erhverv integration test environment.
There you can test:
You will also be able to read the technical integration guide.
Go to MitID Erhverv test organisation in the integration test environment
Once you have obtained and prepared the relevant documentation, you must submit the complete review package (including audit statements) to the NSIS supervision at the Danish Agency for Digital Government.
Send the review package to the NSIS supervision in the Agency for Digital Government
Afterwards, you must await approval, or any additional questions, from the NSIS supervision before receiving final approval.
The NSIS supervision handles the NSIS reviews as quickly as possible and typically within 30 days.
The timeframe depends on:
Once your NSIS review has been approved and your Local IdP solution is listed in the NSIS trusted list on the website of the Agency for Digital Government, the next step is to contact the MitID Erhverv team.
You must send an email to mitiderhverv@digst.dk
The email should include the following information:
The MitID Erhverv team will then enable you to set up your Local IdP in production in MitID Erhverv.
When you have received confirmation by email, you are ready to set up the Local IdP.
Now you are ready for the final step in the setup process and can configure your Local IdP in the production environment of MitID Erhverv.
It is the organisation administrator within your organisation who can set up the Local IdP.
Once you have set up your Local IdP, you can designate one of your user administrators in MitID Erhverv to assign local authenticators to your users going forward.
See instructions on how to specify assurance level for administrators
You can either assign your local authenticators in your local AD and synchronise the users into MitID Erhverv (if you have a Local IdM solution, as mentioned in step 3), or assign your local authenticators directly in MitID Erhverv.
Users are assigned rights in MitID Erhverv in the same manner, regardless of whether they use MitID authenticators or local authenticators (from a Local IdP).
Thus, rights are associated with the identity, independent of the chosen authenticator. Rights can be assigned through the IdM API or through MitID Erhverv.
For a Local IdP, there is also the option of including group information in the locally issued token, which MitID Erhverv can expand into rights.
See figure of Local IdP establishment process (PNG)
Read detailed instructions for establishing Local IdP in Danish (PDF)
If your organisation has established a Local IdP in MitID Erhverv, you have the option of making your Local IdP available to other organisations. In this way, it functions as a so-called full-service Local IdP.
An organisation which establishes a Local IdP can provide the opportunity for other organisations to utilise it.
Thus, organisations that use a full-service Local IdP do not need to undergo an NSIS review in the process of establishing a Local IdP.
The organisation offering a full-service Local IdP takes care of all the technical and procedural aspects regulated by NSIS, including registration and identity verification of users, as well as issuing local authenticators.
The full-service Local IdP undergoes the required NSIS review, as prescribed by the standard. Therefore, it is the organisation establishing the full-service Local IdP that appears on the NSIS trusted list.
To learn more about NSIS, refer to steps 3-8 in the guide above for establishing a Local IdP.
If you wish to make your Local IdP available to other organisations, you should follow the guidelines for establishing a Local IdP.
Please note that as a local identity provider, you are responsible for:
Read more in the guidelines for establishing a Local IdP.
If you provide a full-service Local IdP, you determine your own agreements with the organisations that use the service.
As a provider of a full-service Local IdP, you need to sign a joint management declaration with the organisations that want to use your Local IdP.
The joint management declaration is submitted to The Danish Agency for Digital Government by each organisation using your full-service Local IdP. Therefore, as a provider of a full-service Local IdP, you do not need to document the contractual arrangements to The Danish Agency for Digital Government.
Fill out the joint management declaration for a full-service Local IdP
If you wish to use a full-service Local IdP, you need to enter into an agreement with a provider of a full-service Local IdP.
The Agency for Digital Government cannot provide information on which full-service Local IdP providers are available. You can consult the NSIS trusted list and/or research the market for possible IdP providers in Denmark.
Once you have entered into an agreement with a provider of a full-service Local IdP, you need to submit a signed management declaration to The Agency for Digital Government.
In addition, you need to submit a joint management declaration signed by both the provider of the Local IdP and you as the using organisation.
Find the management declaration
Find the joint management declaration for signing in Danish
Once you have entered into an agreement with a full-service Local IdP and need to connect to it in MitID Erhverv, you need to send an email to MitID Erhverv.
The email should contain the following information: