Use of ID-porten

ID-porten is a national authentication service supporting national e-services.

⚠️ In order to use ID-porten in your application, your organization must have accepted their terms of use.

Terms
  • IDP (identity provider): An identity provider (IdP) is a service that stores and manages digital identities. Examples: ID-porten, BankID, Azure Entra, Google Identities.
  • OBO (On Behalf Of): The software for an organization can log on a user on behalf of the organization.

Redirecting the user directly to ID-porten

You can bypass the list of available identity providers in HelseID and redirect the user directly to ID-porten. This is done with the acr_values mechanism in OpenID Connect for preselecting an IDP.

An example

❗ These examples imply the use of Pushed Authorization Requests, which is a requirement for the use of HelseID. Older clients may make use of the GET /connect/authorize endpoint via a web browser.

 POST /connect/par HTTP/1.1
 Host: helseid-sts.nhn.no
 Content-Type: application/x-www-form-urlencoded

 client_id=b452b42f-d21e-4ec9-b307-986d49fe2fcf&
 scope=openid profile&
 ...
 acr_values=idp:idporten-oidc

(URL encoding removed, and line breaks added for readability)

Preselecting one of the available IDPs in ID-porten

To preselect any IDP that ID-porten provides, you can add one of the following values to acr_values in the request to the PAR endpoint.

  • amr:bankid: Preselect BankID
  • amr:buypass: Preselect Buypass
  • amr:commfides: Preselect Commfides
  • amr:minid: Preselect MinID

 POST /connect/par HTTP/1.1
 Host: helseid-sts.nhn.no
 Content-Type: application/x-www-form-urlencoded

 client_id=b452b42f-d21e-4ec9-b307-986d49fe2fcf&
 scope=openid profile&
 ...
 acr_values=idp:idporten-oidc amr:minid

On Behalf Of

Use of ID-porten requires that the organization using their services has accepted the terms of use (’bruksvilkår’). As part of this, an organization should identify itself during a user authentication. The term for this mechanism is «On Behalf Of» (OBO from now on).

A client in HelseID which uses ID-porten may be configured with one or more OBOs. A single OBO configuration in HelseID consists of the following information:

  • On Behalf Of ID: Internal ID used between HelseID and ID-porten
  • The organization number used when accepting the terms of use of ID-porten (required)
  • Name: The name displayed for the organization or client application in ID-porten (required)
  • Description: Detailed information
  • Client URL: The link which should be used for the «Back» button in ID-porten (required)

At authentication time an on_behalf_of parameter with value set to the organization number configured in the OBO entry should be passed to the PAR endpoint of HelseID.

If an on-behalf-of value is passed on to ID-porten, this will be reflected in tokens from HelseID in the claim helseid://claims/client/on_behalf_of which will contain the organization number which the user was authenticated on behalf of.

Example – redirect directly to ID-porten and authenticate the user on behalf of an organization (in this case, Norsk Helsenett SF)

 POST /connect/par HTTP/1.1
 Host: helseid-sts.nhn.no
 Content-Type: application/x-www-form-urlencoded

 client_id=b452b42f-d21e-4ec9-b307-986d49fe2fcf&
 scope=openid profile&
 ...
 acr_values=idp:idporten-oidc&
 on_behalf_of=994598759
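The three request examples above all show the PAR body with URL encoding removed. The following is an added example (not HelseID's or Norsk Helsenett's code) that builds the same body with the encoding in place, so that the space-separated acr_values (idp:idporten-oidc plus an optional amr value from the list above) and the on_behalf_of parameter survive the form encoding, and that checks the helseid://claims/client/on_behalf_of claim in the returned token against the organization number that was requested. The client_id, host, claim name and organization number are taken from the page; the check that an organization number is nine digits is an assumption about Norwegian organization numbers, and the function names are the example's own. The parameters elided with "..." on the page (redirect_uri, code_challenge, client assertion and so on) are passed through untouched as extra keyword arguments.

```python
"""Build a HelseID PAR request body that preselects ID-porten, optionally
preselects an IDP inside ID-porten, and authenticates on behalf of an
organization; then check the on_behalf_of claim HelseID reflects back.

Added example, not HelseID's own code.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode

PAR_ENDPOINT = "https://helseid-sts.nhn.no/connect/par"  # host from the page
OBO_CLAIM = "helseid://claims/client/on_behalf_of"       # claim name from the page

IDPORTEN_ACR = "idp:idporten-oidc"
# amr values ID-porten accepts, as listed on the page
IDPORTEN_AMR = {"bankid", "buypass", "commfides", "minid"}


def build_acr_values(idp: str = IDPORTEN_ACR, amr: Optional[str] = None) -> str:
    """acr_values is a space-separated list (OpenID Connect Core 1.0, 3.1.2.1).

    Rejects amr values the page does not list, so a typo fails fast instead of
    silently falling back to the IDP selection screen."""
    values = [idp]
    if amr is not None:
        if amr not in IDPORTEN_AMR:
            raise ValueError(f"unknown ID-porten amr value: {amr!r}")
        values.append(f"amr:{amr}")
    return " ".join(values)


def build_par_body(client_id: str, scopes, acr_values: str,
                   on_behalf_of: Optional[str] = None, **extra) -> str:
    """Return the application/x-www-form-urlencoded body for POST /connect/par.

    `extra` carries the parameters the page elides with "...": redirect_uri,
    response_type, code_challenge, client assertion, ... They are passed through
    unchanged."""
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "acr_values": acr_values,
        **extra,
    }
    if on_behalf_of is not None:
        # Assumption: a Norwegian organization number is exactly nine digits.
        if not (on_behalf_of.isdigit() and len(on_behalf_of) == 9):
            raise ValueError("on_behalf_of must be a nine-digit organization number")
        params["on_behalf_of"] = on_behalf_of
    # urlencode uses quote_plus: the spaces in scope and acr_values become '+',
    # and ':' becomes %3A, which the server decodes back to the original string.
    return urlencode(params)


def obo_claim_matches(claims: dict, requested_on_behalf_of: str) -> bool:
    """Check that HelseID reflected the requested organization in the token.

    `claims` must come from a token whose signature, issuer, audience and
    lifetime have already been validated by the OIDC library in use; this
    function only checks consistency between request and token. A missing or
    different claim means the user was not authenticated on behalf of the
    organization the client asked for, and the login should be rejected."""
    return claims.get(OBO_CLAIM) == requested_on_behalf_of


if __name__ == "__main__":
    body = build_par_body(
        "b452b42f-d21e-4ec9-b307-986d49fe2fcf",   # client_id from the page
        ["openid", "profile"],
        build_acr_values(amr="minid"),
        on_behalf_of="994598759",                 # Norsk Helsenett SF, from the page
    )
    print(f"POST {PAR_ENDPOINT}\n{body}")

    # Constructed claims standing in for a validated token from HelseID.
    verified_claims = {"sub": "constructed-subject", OBO_CLAIM: "994598759"}
    print("OBO reflected:", obo_claim_matches(verified_claims, "994598759"))
```

Sending the body to the PAR endpoint and exchanging the returned request_uri for an authorization code is done by the OIDC library; the point of the example is that the space in acr_values must reach the server intact, and that the on_behalf_of the client sent should be compared with the claim it gets back rather than assumed.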