Local Identity Provider (Local IdP)

With a Local IdP, you can issue local identification means (authenticators) to your users yourself. Your users then use these to log in to your own IT systems and to public self-service solutions.

You decide for yourself which local means of identification you want to issue. A typical solution combines a username and password with additional factors held on dedicated hardware, for example an app on a mobile device.

Your users can then use the local means of identification instead of MitID when they log in on behalf of your organisation.

A Local IdP solution provides flexibility

  • Your users can use the same means of identification in your organization as well as in public and private self-service solutions – e.g. the same username, password, app and physical device.
  • Local means of identification can, for example, be integrated with physical access cards for your organisation, so that your users experience a simpler and more coherent access in their daily life.
  • Your organization can achieve a simpler administration of its business users by having the users only managed locally and updates being synchronized with MitID Erhverv via the IdM API.

Login and signing with Local IdP

Login with local identifier

An organisation that has been established as a Local IdP can itself register users in MitID Erhverv at the NSIS assurance level at which the Local IdP is registered. These users can log in with their local means of identification immediately, without going through a MitID Erhverv activation process. They cannot, however, sign.

Qualified signing with local means of identification

NemLog-in offers a qualified signing service where users sign with a MitID identification means, e.g. a MitID app (private or business). The signing service in NemLog-in assumes that the underlying identity has been registered in accordance with the eIDAS regulation. For qualified signatures, eIDAS Article 24.1 therefore imposes additional requirements on registration, and these apply regardless of the user's assurance level.

This means that users created by an NSIS-registered organisation with a Local IdP can by default only log in; they cannot sign in NemLog-in's qualified signing service on behalf of your organisation. If your organisation needs users to sign on behalf of the organisation, there are three options for enabling this:

  • Submit a supplementary audit statement on the registration processes used for the Local IdP. The supplementary audit statement does not need to be sent to the NSIS supervision; it is sent only to MitID Erhverv.
  • Submit a conformity assessment report confirming that the local registration processes comply with the requirements set out in Article 24.1 of the eIDAS regulation. The conformity assessment report must be forwarded to the eIDAS supervisory authority, with a copy to MitID Erhverv.
  • Activation in MitID Erhverv with private MitID.

Activation in MitID Erhverv with private MitID

A user's identity can be upgraded so that the user can both log in and sign with the Local IdP. This is done by adding the private MitID option, or a separate MitID, to the user's profile, either in MitID Erhverv or via the IdM API. MitID Erhverv then carries out a renewed activation of the identity and sends an e-mail with an activation link to the user. The activation requires the user to log in with their private MitID.

If the user activates with their private MitID and then chooses not to accept using the private MitID in the future, the private MitID is not added to the user as a means of identification. The activation itself nevertheless causes the identity to be marked as approved for qualified signing (also with the Local IdP). If you subsequently delete the private MitID as a means of identification, the user will still be able to sign with the Local IdP.

What you need to know about establishing a Local IdP


Establishing and maintaining a Local IdP requires significant maturity in the organisation. A Local IdP must undergo NSIS review at assurance level Substantial or High, before it can be connected to MitID Erhverv.

Everything you need to know about establishing Local IdP

A Local IdP must be notified to NSIS at assurance level Substantial or High before it can be connected to the MitID Erhverv solution.

Your organisation must be connected to MitID Erhverv

It is necessary that you are connected to MitID Erhverv before you can set up your Local IdP in MitID Erhverv. You choose for yourself whether you want to start by connecting to MitID Erhverv, or do it in parallel with the establishment of your Local IdP. Your organisation just needs to be connected before you send an email to the Agency for Digital Government (step 9).

You follow the steps below for establishing a Local IdP

Among other things, your Local IdP must go through an NSIS review and, once approved, appear on the NSIS trusted list before the Local IdP can be put into production.

With a Local IdP, your organisation can manage its business users locally and decentrally, rather than via MitID Erhverv. You also get the option of issuing local identification means to your users.

If you need Local IdP, it is a good idea to clarify your wishes and business needs, including:

  • The NSIS assurance level for the services that your users must be able to access: A Local IdP must be notified to NSIS at assurance level Substantial or High before it can be connected to NemLog-in
  • Requirements for uptime, response time and other service levels for your Local IdP
  • How local business identities are created centrally in MitID Erhverv: Do you want an integration between your local IdM system and MitID Erhverv? Or do you want to manage users directly in MitID Erhverv? (See more in step 3).

After this, you can advantageously establish a project and create management support in your organisation.

How local business identities are created in MitID Erhverv

It is a prerequisite that all users are also created in MitID Erhverv, if you want to use local business identities to log on to your own systems or public self-service solutions.

For that purpose, you can connect a Local IdM solution. A Local IdM solution can call the IdM API in MitID Erhverv and synchronize the local creation and deletion of your users with MitID Erhverv.

That way, you only need to manage your users in one place - in your local administration system. However, it is also possible for you to manage your users in MitID Erhverv, and these changes will be implemented in your local administration system.

Read more about Local IdP combined with Local IdM

If you choose a Local IdP combined with Local IdM, it is a prerequisite that your Local IdP meets the requirements and rules defined in the National Standard for Identity Assurance Levels (NSIS).

This is because you as an organization become a local identity guarantor if you choose to combine your local IdP with Local IdM.

Implementation of the NSIS standard involves a number of different disciplines – both technical, organizational and security. It is therefore important not to consider the task as a purely technical implementation project:

  • Identify the desired process for identity verification: Do your users, for example, have to log in for the first time with a private MitID, and does this happen in the local enrolment application or centrally in NemLog-in, or do the users instead have to show up physically and present a passport or driving licence?
  • Clarify what type of authenticators you will issue locally, and how they are issued and handled: Typically, a username and password are combined with additional factors on dedicated hardware devices or apps on mobile devices.
  • Clarify how the authentication service is established technically (IdP) and how it can support the selected security levels: The Local IdP must exhibit a SAML interface that meets the requirements of the 'OIOSAML Local IdP Profile'.
  • Clarify requirements for operating facilities and technical security: Are your current operating facilities mature enough, or should improvement measures be taken?
  • Identify the need for training of the user administrators who will work with e.g. identity verification.
  • Establish an information security management system (ISMS) or adapt an existing one to cover identity management processes.
  • Clarify the handling of subcontractors of e.g. software or operation, who deliver parts of the local implementation.
  • Describe processes, security design and technical systems, and have the design reviewed.
  • Plan how systems and processes can be audited by an external auditor: It is important, for example, that a sufficient audit trail is ensured so that the auditor can ascertain that processes, people and systems carry out the controls that are intended.

When connecting the Local IdP in production, the Agency for Digital Government will verify that your Local IdP is approved and appears on the NSIS trusted list.

  1. Set up environments for Local IdP and corresponding user directory, and establish the necessary components and services.
  2. Acquire the necessary certificates for the Local IdP.
  3. Perform local tests, including functional and security tests.
  4. Conduct test of organisational processes.

You have the possibility of setting up a test organisation. You can do that in the MitID Erhverv integration test environment.

There you can test:

  • IdM
  • certificate APIs
  • your Local IdP-integration.

You will also be able to read the technical integration guide.

Go to MitID Erhverv test organisation in the integration test environment
It is a requirement that you obtain the necessary audit statements and management statements for the NSIS declaration.

We recommend having an early dialogue with the auditor.

Obtaining the required audit statements takes some work, including ensuring that the relevant documentation for systems and processes is complete and accessible to the auditor.


Read more about NSIS (in Danish)

Once you have obtained and prepared the relevant documentation, you must submit the complete review package (including audit statements) to the NSIS supervision at The Danish Agency for Digital Government.

Send the review package to the NSIS supervision in the Agency for Digital Government

Afterwards, you must await approval or any additional questions from the NSIS supervision before receiving final approval.

Find out what the review package should contain and read frequently asked questions about NSIS (in Danish)

The NSIS supervision handles the NSIS reviews as quickly as possible and typically within 30 days.

The timeframe depends on:

  • the review's complexity,
  • completeness and quality of the review package,
  • the number of ongoing NSIS reviews,
  • the resources available to the supervision.

Once your NSIS review has been approved and your Local IdP solution is listed in the NSIS trusted list on the website of the Agency for Digital Government, the next step is to contact the MitID Erhverv team.

You must send an email to mitiderhverv@digst.dk

The email should include the following information:

  • The organisation's name.
  • CVR-number.
  • EntityID for the Local IdP.
  • Enabling the option of qualified signing. Presupposes that the organisation meets requirements and documents with either a supplementary audit statement or conformity assessment report.
  • Name, phone number and email address of the contact person.

The MitID Erhverv team will then allow for you to set up your Local IdP in production in MitID Erhverv.

When you have received confirmation by email, you are ready to set up the Local IdP.

Now you are ready for the final step in the setup process and can configure your Local IdP in the production environment of MitID Erhverv.

It is the organisation administrator within your organisation who can set up the Local IdP.

Find guides on how to set up your Local IdP

Once you have set up your Local IdP, you can designate one of your user administrators in MitID Erhverv to assign local authenticators to your users going forward.

See instructions on how to specify assurance level for administrators

You can either assign your local authenticators in your local AD and synchronise the users into MitID Erhverv (if you have a Local IdM solution as mentioned in step 3).

Alternatively, you can assign your local authenticators directly through MitID Erhverv.

Assign rights in MitID Erhverv through Local IdP

Users are assigned rights in MitID Erhverv in the same manner, regardless of whether they use MitID authenticators or local authenticators (from a Local IdP).

Thus, rights are associated with the identity independent of the chosen authenticator. Rights can be assigned through the IdM API or through MitID Erhverv.

For Local IdP, there is also the option of including information about groups in the locally issued token, which can be expanded to rights in MitID Erhverv.
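The relying-party side of the two technical points above (the SAML interface in the checklist, and groups carried in the locally issued token and expanded into rights) can be illustrated with a small assertion check. The following is an added example, not code from MitID Erhverv, NemLog-in or the OIOSAML Local IdP Profile: the attribute names, EntityIDs, sample assertion and group-to-right mapping are all assumptions constructed for illustration, and the assertion is unsigned (in production the XML signature is verified against the Local IdP's registered certificate before anything below is trusted).

```python
"""Added example: consume a SAML 2.0 assertion from a (hypothetical) Local IdP.

Checks issuer, validity window and audience, enforces a minimum NSIS
assurance level, and expands group attribute values into rights.
All identifiers and attribute names are assumptions, not OIOSAML names.
For untrusted XML in production, parse with defusedxml instead of
xml.etree to avoid entity-expansion attacks.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute names (illustrative only).
ATTR_LEVEL = "urn:example:assurance-level"
ATTR_GROUPS = "urn:example:groups"

# Hypothetical Local IdP and service-provider EntityIDs.
LOCAL_IDP_ENTITY_ID = "https://idp.example.org/local-idp"
SP_ENTITY_ID = "https://sp.example.org/metadata"

# Constructed sample token (not a real assertion; signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.org/local-idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:assurance-level">
      <saml:AttributeValue>Substantial</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:groups">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>hr-readonly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical mapping from locally issued groups to rights.
GROUP_TO_RIGHTS = {
    "finance": {"invoice:read", "invoice:approve"},
    "hr-readonly": {"employee:read"},
}
LEVEL_RANK = {"Low": 1, "Substantial": 2, "High": 3}


def _parse_time(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    if value is None:
        raise ValueError("missing timestamp in Conditions")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rights_for_groups(groups):
    """Expand group names into a sorted list of rights; unknown groups map to nothing."""
    rights = set()
    for group in groups:
        rights |= GROUP_TO_RIGHTS.get(group, set())
    return sorted(rights)


def evaluate_assertion(xml_text, expected_issuer, expected_audience, min_level, now_iso):
    """Validate the assertion and return subject, level, groups and derived rights.

    Raises ValueError on any failed check so callers cannot ignore a bad token.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        raise ValueError("unexpected issuer %r" % issuer)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise ValueError("missing Conditions")
    now = _parse_time(now_iso)
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):  # NotOnOrAfter is exclusive
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this service")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    level = (attrs.get(ATTR_LEVEL) or [None])[0]
    if LEVEL_RANK.get(level, 0) < LEVEL_RANK[min_level]:
        raise ValueError("assurance level %r below required %s" % (level, min_level))
    groups = attrs.get(ATTR_GROUPS, [])
    return {
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "level": level,
        "groups": groups,
        "rights": rights_for_groups(groups),
    }
```

Note that the rights come out of the mapping, not out of the token: a token carrying an unknown group name yields no extra rights, and a token that fails the audience or validity check yields nothing at all. The `now_iso` argument is a string so the check is reproducible; a real service would use the current time.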

See figure of Local IdP establishment process (PNG)

Read detailed instructions for establishing Local IdP in Danish (PDF)

Establishing a full-service Local IdP

If your organisation has established Local IdP in MitID Erhverv, you have the option of making your Local IdP available to other organisations. In this way, it functions as a so called full-service Local IdP.

An organisation that establishes a Local IdP can give other organisations the opportunity to use it.

Organisations that use a full-service Local IdP therefore do not need to undergo an NSIS review themselves in order to use a Local IdP.

The organisation offering the full-service Local IdP takes care of all the technical and procedural aspects regulated by NSIS, including registration and identity verification of users, as well as issuing local authenticators.

The full-service Local IdP undergoes the required NSIS review, as prescribed by the standard. The organisation establishing the full-service Local IdP will therefore appear on the NSIS trusted list.

To learn more about NSIS, refer to steps 3-8 in the guide above for establishing a Local IdP.

If you wish to make your Local IdP available to other organisations, you should follow the guidelines for establishing a Local IdP.

Please note that as a local identity provider, you are responsible for:

  • Issuing local authenticators to users
  • Requirements for operational facilities and technical security
  • Processes, security design, and technical systems
  • External auditing of your processes and systems.

Read more in the guidelines for establishing a Local IdP.

Agreement with organisations that want to use your Local IdP

If you provide a full-service Local IdP, you determine your own agreements with the organisations that use the service.

As a provider of a full-service Local IdP, you need to sign a joint management declaration with the organisations that want to use your Local IdP.

The joint management declaration is submitted to The Danish Agency for Digital Government by each organisation using your full-service Local IdP. Therefore, as a provider of a full-service Local IdP, you do not need to document the contractual arrangements to The Danish Agency for Digital Government.

Fill out the joint management declaration for a full-service Local IdP

If you wish to use a full-service Local IdP, you need to enter into an agreement with a provider of a full-service Local IdP.

The Agency for Digital Government cannot provide information on which full-service Local IdP providers are available. You can consult the NSIS trusted list and/or research the market for possible IdP providers in Denmark.

Go to the NSIS positive list

Agreement with a full-service local IdP provider

Once you have entered into an agreement with a provider of a full-service Local IdP, you need to submit a signed management declaration to The Agency for Digital Government.

In addition, you need to submit a joint management declaration where both the provider of the Local IdP and yourselves as users have signed the agreement.


Find the management declaration (in Danish)

Find the joint management declaration for signing (in Danish)

Contact The Agency for Digital Government

Once you have entered into an agreement with a full-service Local IdP and need to connect to it in MitID Erhverv, you need to send an email to MitID Erhverv.

The email should contain the following information:

  • Email subject: Use of Full-service Local IdP
  • Email:
    • Your CVR-number
    • Contact information: Name, email, and telephone number of the contact person
    • Attachments: Signed management declaration and joint management declaration.

Send an email to the MitID Erhverv team

In need of help?

You can find information on how to administer a Local IdP in the support section.

Go to instructions

You can also find information on how to test Local IdP functionality in the pre-production environment.

Go to the pre-production environment (in Danish)