Manage logging into HelseID
HelseID is an identity federation and does not offer a separate login. When a client system asks HelseID for a user login, the user is presented with a list of possible identity providers (IDPs) and must choose the one they wish to use. After logging in, the IDP returns information about the logged-in user back to HelseID where the information is processed and standardized before it is returned to the client system.
HelseID offers integrations with all the major national identity providers that offer identities at high level, as well as ID-porten. In addition, HelseID can transfer identities from Helseplattformen and Helse Midt-Norge RHF so that employees there can reuse their local login. Identities from Helseplattformen are assessed at high security level, Helse Midt-Norge RHF is assessed at significant level.
Which IDPs an application supports can be customized by the owner in HelseID Selvbetjening, but the standard setup offers the following options:
- Buypass
- Commfides
- BankID
- ID-porten
- Helse Midt-Norge RHF
A complete list of available IDPs can be found in the HelseID metadata.
Special case when the application only supports one IDP
The owner of the application can set it up to only support one IDP in HelseID Selvbetjening. In this case the user will never see the HelseID login menu, they are redirected directly to the chosen IDP. Should an error situation occur making the IDP unavailable, the user will not be redirected to the IDP. Instead the user will be presented with the standard HelseID IDP list.
Selecting IDP when logging in
At runtime, a client can control which IDPs the user is offered by using the acr_values parameter in the request to the PAR endpoint. The following values can be used:
| Value | Consequence |
|---|---|
Level4 or High |
Filters the list of IDPs to show only those that offer high-level identities. Note that this parameter is passed on to ID-porten and will affect the list of available IDPs there as well. |
idp:buypass-oidc |
Redirects the user to login via Buypass. |
idp:commfides-oidc |
Redirects the user to login via Commfides. |
idp:bankid-oidc |
Redirects the user to login via BankID. |
idp:idporten-oidc |
Redirects the user to login via ID-Porten. |
idp:helse-midt-oidc |
Redirects the user to login via Helse Midt-Norge RHF, this will normally lead to a Single Sign-On for people who have logged in with a Smart Card on Helse-Midt computers. |
idp:helseplattformen-oidc |
Redirects the user to login via Helseplattformen, this will normally lead to a Single Sign-On for people who are logged into Helseplattformen. |
For example, the client can send the user straight to the BankID by appending the following parameter to the request: acr_values=idp:bankid-oidc.
Detailed management of Buypass
The client can add an additional value in acr_values to fine-tune the behavior of Buypass:
| Value | Consequence |
|---|---|
idp:buypass-oidc bp:amr:sc |
Redirects the user to log in with a smart card in the Buypass portal. |
idp:buypass-oidc bp:amr:mobile |
Redirects the user to log in with a mobile app in the Buypass portal. |
idp:buypass-oidc bp:amr:pwd_otp |
Redirects the user to login with username, password and one-time code via SMS in the Buypass portal. |
idp:buypass-oidc bp:idp_hint:<tenantID> |
Redirects the user to log in with a Fido2 chip in the Buypass portal. You get the correct value for <tenantID> from Buypass. |
Detailed management of ID-porten
The client can add an additional value in acr_values to fine-tune the behavior of ID-porten:
| Value | Consequence |
|---|---|
idp:idporten-oidc amr:bankid |
Redirects the user to log in using BankID via ID-porten. |
idp:idporten-oidc amr:buypass |
Redirects the user to log in using Buypass via ID-porten. |
idp:idporten-oidc amr:commfides |
Redirects the user to log in using Commfides via ID-porten. |
idp:idporten-oidc amr:minid |
Redirects the user to log in using MinID via ID-porten. |
idp:idporten-oidc Level4 |
Filters the list of IDPs in ID-porten to show only those that offer high-level identities. |
When should I use ID-porten?
ID-porten gives access to the same identity providers as HelseID. ID-porten is not available on the Health Network, so you may experience problems with accessibility. We therefore recommend the use of Buypass, Commfides or BankID as preferred IDPs. We recommend using ID-porten an alternative login option to improve availibility in cases where there is a problem with the other identity providers.