Local Identity Provider (Local IdP)

With Local IdP, you can locally issue means of identification to your users, who can use them to log in to your own IT systems and to public self-service solutions.

You decide for yourself which local means of identification you want to issue. A typical solution is to combine a username and password with additional factors on special hardware devices. This can be, for example, apps on mobile devices.

Your users can then use the local means of identification instead of MitID when they log in on behalf of your organisation.

A Local IdP solution provides flexibility

  • Your users can use the same means of identification in your organisation as well as in public and private self-service solutions – e.g. the same username, password, app and physical device.
  • Local means of identification can, for example, be integrated with your organisation's physical access cards, so that your users experience simpler and more coherent access in their daily work.
  • Your organisation can achieve simpler administration of its business users by managing the users only locally and having updates synchronised with MitID Erhverv via the IdM API.

Login and signing with Local IdP

Login with local authenticator

An organisation established as a Local IdP can create and register users in MitID Erhverv at the NSIS security level to which the Local IdP is registered. Users can immediately log in with authenticators determined by the organisation (local authenticator) without going through a MitID Erhverv activation process. However, these users do not have the option to sign.

Qualified signing with authenticators

NemLog-in offers a qualified signing service where users can sign with a MitID authenticator, e.g. a MitID app (private or business). The qualified signing service relies on the underlying identity having been registered in accordance with the eIDAS regulation. Article 24.1 of eIDAS therefore imposes additional identity-verification requirements for qualified signatures, regardless of the user's NSIS security level.

This means that users created and registered by an NSIS-registered organisation with a Local IdP can only log in; they cannot sign with NemLog-in's qualified signing service on behalf of your organisation. If your organisation needs users to sign on behalf of the organisation, there are three options for activating the qualified signing service:

  • Users validate themselves with their private MitID in MitID Erhverv.
  • Your organisation submits a supplementary audit statement.
  • Your organisation submits a conformity assessment report.

Validation with private MitID in MitID Erhverv

There is an option to upgrade a user's identity so that the user can also sign, not only log in, with their Local IdP authenticator.

If the user administrator assists:

The user administrator must:

  1. log in to MitID Erhverv
  2. find the user who needs to validate
  3. generate an email under "Signature".

The user then receives an email in which the user must validate their identity with their private MitID.

The user can generate an email for validation with their private MitID:

The user must:

  1. log in to MitID Erhverv
  2. generate an email under "Master data".

The user then receives an email in which the user must validate their identity with their private MitID.

Submitting a supplementary audit statement

Your organisation can choose to submit a supplementary audit statement regarding its process for creating and registering users in its Local IdP. You send it to MitID Erhverv, not to the NSIS supervision. The detailed requirements can be found in section 5.4.3.1, Submitting an audit statement, in Annex 7 of the MitID Erhverv terms and conditions for the use of Local IdP.

Read Annex 7 MitID terms and conditions for the use of Local IdP (in Danish) (pdf)

Send an email to MitID Erhverv

After submitting, you will receive an email notifying you that users in your organisation can carry out qualified signing using the authenticator determined by your organisation.

Submitting a conformity assessment report

Your organisation can choose to submit a conformity assessment report that demonstrates that your organisation's process for creating and registering identities complies with the requirements set out in Article 24.1 of the eIDAS regulation. You send the report to the eIDAS supervisory authority with a copy to MitID Erhverv.

The detailed requirements for the conformity assessment report can be found in section 5.4.3.2, Submitting a conformity assessment report, in Annex 7 of the MitID Erhverv terms and conditions for the use of Local IdP.

Read Annex 7 MitID terms and conditions for the use of Local IdP (in Danish) (pdf)

Send an email to the eIDAS supervisory authority

Send an email to MitID Erhverv

After submitting, you will receive an email notifying you that users in your organisation can carry out qualified signing using the authenticator determined by your organisation.

What you need to know about establishing a Local IdP


Establishing and maintaining a Local IdP requires significant maturity in the organisation. A Local IdP must undergo NSIS review at assurance level Substantial or High, before it can be connected to MitID Erhverv.

Everything you need to know about establishing Local IdP

A Local IdP must be notified to NSIS at security level Substantial or High before it can be connected to the MitID Erhverv solution.

Your organisation must be connected to MitID Erhverv

You must be connected to MitID Erhverv before you can set up your Local IdP there. You choose whether to connect to MitID Erhverv first or in parallel with establishing your Local IdP; your organisation just needs to be connected before you send the email to the Agency for Digital Government (step 9).

You follow the steps below for establishing a Local IdP

For example, your Local IdP must go through an NSIS review and, once approved, appear on the NSIS trusted list before the Local IdP is put into production.

With a Local IdP, your organisation can manage its business users itself, in a decentralised way, rather than via MitID Erhverv. You also get the option to issue local means of identification to your users.

If you need Local IdP, it is a good idea to clarify your wishes and business needs, including:

  • The NSIS security level for the services that your users must be able to access: a Local IdP must be notified to NSIS at security level Substantial or High before it can be connected to NemLog-in.
  • Requirements for uptime, response time and other service levels for your Local IdP.
  • How local business identities are created centrally in MitID Erhverv: do you want an integration between your local IdM system and MitID Erhverv, or do you want to manage users directly in MitID Erhverv? (See more in step 3.)

After this, it is advisable to establish a project and secure management support for it in your organisation.

How local business identities are created in MitID Erhverv

It is a prerequisite that all users are also created in MitID Erhverv if you want to use local business identities to log in to your own systems or to public self-service solutions.

For that purpose, you can connect a Local IdM solution. A Local IdM solution can call the IdM API in MitID Erhverv and synchronise the local creation and deletion of your users with MitID Erhverv.

That way, you only need to manage your users in one place: your local administration system. It is also possible to manage your users in MitID Erhverv and have those changes reflected in your local administration system.

Read more about Local IdP combined with Local IdM

It is a prerequisite that your Local IdP meets the requirements and rules defined in the National Standard for Identity Security Levels (NSIS) if you choose Local IdP combined with Local IdM.

This is because your organisation becomes a local identity guarantor when it combines its Local IdP with Local IdM.

Implementing the NSIS standard involves several disciplines: technical, organisational and security-related. It is therefore important not to treat the task as a purely technical implementation project:

  • Identify the desired process for identity proofing: do your users, for example, have to log in for the first time with a private MitID, and does this happen in the local enrolment application or centrally in NemLog-in, or do the users have to show up physically and present a passport or driving licence instead?
  • Clarify what type of authenticators you will issue locally and how they are issued and handled: typically, a username and password are combined with additional factors on dedicated hardware devices or in apps on mobile devices.
  • Clarify how the authentication service (IdP) is established technically and how it can support the selected security levels: the Local IdP must expose a SAML interface that meets the requirements of the 'OIOSAML Local IdP Profile'.
  • Clarify requirements for operating facilities and technical security: are your current operating facilities mature enough, or are improvement measures needed?
  • Uncover the need for training of the user administrators who will work with e.g. identity proofing.
  • Establish an information security management system (ISMS) or adapt an existing one to cover identity management processes.
  • Clarify the handling of subcontractors, e.g. for software or operations, who deliver parts of the local implementation.
  • Describe processes, security design and technical systems, and get the design reviewed.
  • Plan how systems and processes can be audited by an external auditor: it is important, for example, that a sufficient audit trail is ensured so that the auditor can ascertain that processes, people and systems carry out the intended controls.

When connecting the Local IdP in production, the Agency for Digital Government will verify that your Local IdP is approved and appears on the NSIS trusted list.

  1. Set up environments for Local IdP and corresponding user directory, and establish the necessary components and services.
  2. Acquire the necessary certificates for the Local IdP.
  3. Perform local tests, including functional and security tests.
  4. Conduct test of organisational processes.

You have the possibility of setting up a test organisation. You can do that in the MitID Erhverv integration test environment.

There you can test:

  • IdM
  • certificate APIs
  • your Local IdP-integration.

You will also be able to read the technical integration guide.

Go to MitID Erhverv test organisation in the integration test environment

It is a requirement that you obtain the necessary audit statements and management statements for the NSIS declaration.

We recommend having an early dialogue with the auditor.

It does take some work to obtain the required audit statements, including ensuring that the relevant documentation for systems and processes is complete and accessible to the auditor.

Read more about NSIS (in Danish)

Once you have obtained and prepared the relevant documentation, you must submit the complete review package (including audit statements) to the NSIS supervision at The Danish Agency for Digital Government.

Send the review package to the NSIS supervision in the Agency for Digital Government

Afterwards, you must await approval or any additional questions from the NSIS supervision before receiving final approval.

Find out what the review package should contain and read frequently asked questions about NSIS (in Danish)

The NSIS supervision handles the NSIS reviews as quickly as possible and typically within 30 days.

The timeframe depends on:

  • the review's complexity,
  • completeness and quality of the review package,
  • the number of ongoing NSIS reviews,
  • the resources available to the supervision.

Once your NSIS review has been approved and your Local IdP solution is listed in the NSIS trusted list on the website of the Agency for Digital Government, the next step is to contact the MitID Erhverv team.

You must send an email to mitiderhverv@digst.dk

The email should include the following information:

  • The organisation's name.
  • CVR-number.
  • EntityID for the Local IdP.
  • Whether your organisation uses its own Local IdP or an external full-service Local IdP.
  • Whether the option of qualified signing should be enabled. This presupposes that the organisation meets the requirements and documents this with either a supplementary audit statement or a conformity assessment report.
  • Name, phone number and email address of the contact person.

The MitID Erhverv team will then enable you to set up your Local IdP in production in MitID Erhverv.

When you have received confirmation by email, you are ready to set up the Local IdP.

Now you are ready for the final step in the setup process and can configure your Local IdP in the production environment of MitID Erhverv.

It is the organisation administrator within your organisation who can set up the Local IdP.

Find guides on how to set up your Local IdP

Once you have set up your Local IdP, you can designate one of your user administrators in MitID Erhverv to assign local authenticators to your users going forward.

See instructions on how to specify assurance level for administrators

You can either assign your local authenticators in your local AD and synchronise the users into MitID Erhverv (if you have a Local IdM solution as mentioned in step 3).

Alternatively, you can assign your local authenticators directly through MitID Erhverv.

Assign rights in MitID Erhverv through Local IdP

Users are assigned rights in MitID Erhverv in the same manner, regardless of whether they use MitID authenticators or local authenticators (from a Local IdP).

Thus, rights are associated with the identity independent of the chosen authenticator. Rights can be assigned through the IdM API or through MitID Erhverv.

For Local IdP, there is also the option of including information about groups in the locally issued token, which can be expanded to rights in MitID Erhverv.
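The SAML interface requirement earlier on this page and the groups-in-token option above come together at the relying party, which has to decide what in the Local IdP's assertion it will act on. The following Python is an added illustration, not code from MitID Erhverv, NemLog-in or the OIOSAML profile. It assumes the assertion's XML signature has already been verified with an XML-DSig library, and then enforces the validity window, the audience and a minimum NSIS level, and reads the group memberships. The LoA attribute name is an assumption following the OIOSAML 3 convention, the groups attribute name is hypothetical, and the assertion is a constructed sample.

```python
"""Relying-party policy checks on a SAML 2.0 assertion from a Local IdP.

Added illustration; not code from MitID Erhverv, NemLog-in or OIOSAML.
Assumes the XML signature has ALREADY been verified by an XML-DSig library
(e.g. xmlsec); that step is out of scope here and must never be skipped.
Attribute names are assumptions: LOA_ATTR follows the OIOSAML 3 convention,
GROUPS_ATTR is hypothetical.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
LOA_ATTR = "https://data.gov.dk/concept/core/nsis/loa"   # assumed (OIOSAML 3 style)
GROUPS_ATTR = "https://example.org/attributes/groups"    # hypothetical
NSIS_RANK = {"Low": 1, "Substantial": 2, "High": 3}      # NSIS levels, ascending

# Constructed sample assertion: one user at level Substantial, member of two groups.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://localidp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>user-1234</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://data.gov.dk/concept/core/nsis/loa">
      <saml:AttributeValue>Substantial</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://example.org/attributes/groups">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>hr-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

DEMO_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)  # inside the sample window


def parse_saml_time(value):
    """xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable SAML timestamp: {value!r}")


def find_assertion(xml_text):
    """Accept either a bare Assertion or a Response wrapping one."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['saml']}}}Assertion":
        return root
    return root.find("saml:Assertion", NS)


def attribute_values(assertion, name):
    """All AttributeValue texts for the attribute called `name`."""
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [el.text.strip() for el in assertion.findall(path, NS) if el.text]


def validate_assertion(xml_text, expected_audience, required_loa, now):
    """Return (ok, reason). Signature verification is assumed done already."""
    if required_loa not in NSIS_RANK:
        raise ValueError(f"unknown required NSIS level {required_loa!r}")
    assertion = find_assertion(xml_text)
    if assertion is None:
        return False, "no Assertion element"

    # Conditions: a missing window or audience is rejected, not treated as "no restriction".
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions or validity window"
    if now < parse_saml_time(cond.get("NotBefore")) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        return False, "audience mismatch"

    # NSIS level: exactly one known value, at or above what the service requires.
    loa = attribute_values(assertion, LOA_ATTR)
    if len(loa) != 1 or loa[0] not in NSIS_RANK:
        return False, "missing or unknown NSIS level"
    if NSIS_RANK[loa[0]] < NSIS_RANK[required_loa]:
        return False, f"NSIS level {loa[0]} below required {required_loa}"
    return True, "ok"


def groups_from_assertion(xml_text):
    """Group memberships carried in the locally issued token (may be empty)."""
    assertion = find_assertion(xml_text)
    return attribute_values(assertion, GROUPS_ATTR) if assertion is not None else []


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://sp.example.org", "Substantial", DEMO_NOW))
    print(validate_assertion(SAMPLE_ASSERTION, "https://sp.example.org", "High", DEMO_NOW))
    print(groups_from_assertion(SAMPLE_ASSERTION))
```

The ordering matters: the level comparison and the group list are only meaningful once the assertion has been tied to a verified signature, an unexpired window and this service as audience. A relying party that reads groups or the LoA attribute before those checks pass lets any party that can produce well-formed XML decide its own rights.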

Establishing a full-service Local IdP

If your organisation has established Local IdP in MitID Erhverv, you have the option of making your Local IdP available to other organisations. In this way, it functions as a so called full-service Local IdP.

An organisation that establishes a Local IdP can give other organisations the opportunity to utilise it.

Organisations that use a full-service Local IdP therefore do not need to undergo an NSIS review in order to establish a Local IdP.

The organisation offering a full-service Local IdP takes care of all the technical and procedural aspects regulated by NSIS, including registration and identity verification of users, as well as issuing local authenticators.

The full-service Local IdP undergoes the required NSIS review, as prescribed by the standard. The organisation establishing the full-service Local IdP will therefore appear on the NSIS trusted list.

To learn more about NSIS, refer to steps 3-8 in the guide above for establishing a Local IdP.

If you wish to make your Local IdP available to other organisations, you should follow the guidelines for establishing a Local IdP.

Please note that as a local identity provider, you are responsible for:

  • Issuing local authenticators to users
  • Requirements for operational facilities and technical security
  • Processes, security design, and technical systems
  • External auditing of your processes and systems.

Read more in the guidelines for establishing a Local IdP.

Agreement with organisations that want to use your Local IdP

If you provide a full-service Local IdP, you determine your own agreements with the organisations that use the service.

As a provider of a full-service Local IdP, you need to sign a joint management declaration with the organisations that want to use your Local IdP.

The joint management declaration is submitted to The Danish Agency for Digital Government by each organisation using your full-service Local IdP. Therefore, as a provider of a full-service Local IdP, you do not need to document the contractual arrangements to The Danish Agency for Digital Government.

Fill out the joint management declaration for a full-service Local IdP

If you wish to use a full-service Local IdP, you need to enter into an agreement with a provider of a full-service Local IdP.

MitID Erhverv cannot provide information on which full-service Local IdP providers are available. You can consult the NSIS trusted list and/or research the market for possible IdP providers in Denmark.

Go to the NSIS trusted list

Agreement with a full-service local IdP provider

Once you have entered into an agreement with a provider of a full-service Local IdP, you need to submit a signed management declaration to MitID Erhverv.

In addition, you need to submit a joint management declaration where both the provider of the Local IdP and yourselves as users have signed the agreement.

Find the management declaration and joint management declaration (in Danish) (pdf)

Contact MitID Erhverv

Once you have entered into an agreement with a full-service Local IdP and need to connect to it in MitID Erhverv, you need to send an email to MitID Erhverv.

The email should contain the following information:

  • Email subject: Use of Full-service Local IdP
  • Email:
    • Your CVR-number
    • Contact information: Name, email, and telephone number of the contact person
    • Attachments: Signed management declaration and joint management declaration.

Send an email to the MitID Erhverv team

In need of help?

You can find information on how to administrate a Local IdP in the support section.

Go to instructions

You can also find information on how to test Local IdP functionality in the integration test environment.

Go to MitID Erhverv test organisation in the integration test environment