Manage logging into HelseID

HelseID is an identity federation and does not offer a separate login. When a client system asks HelseID for a user login, the user is presented with a list of possible identity providers (IDPs) and must choose the one they wish to use. After logging in, the IDP returns information about the logged-in user back to HelseID where the information is processed and standardized before it is returned to the client system.

HelseID offers integrations with all the major national identity providers that offer identities at high level, as well as ID-porten. In addition, HelseID can transfer identities from Helseplattformen and Helse Midt-Norge RHF so that employees there can reuse their local login. Identities from Helseplattformen are assessed at high security level, Helse Midt-Norge RHF is assessed at significant level.

Which IDPs an application supports can be customized by the owner in HelseID Selvbetjening, but the standard setup offers the following options:

  • Buypass
  • Commfides
  • BankID
  • ID-porten
  • Helse Midt-Norge RHF

A complete list of available IDPs can be found in the HelseID metadata.

Special case when the application only supports one IDP

The owner of the application can set it up to only support one IDP in HelseID Selvbetjening. In this case the user will never see the HelseID login menu, they are redirected directly to the chosen IDP. Should an error situation occur making the IDP unavailable, the user will not be redirected to the IDP. Instead the user will be presented with the standard HelseID IDP list.

Selecting IDP when logging in

At runtime, a client can control which IDPs the user is offered by using the acr_values parameter in the request to the PAR endpoint. The following values ​​can be used:

Value Consequence
Level4 or High Filters the list of IDPs to show only those that offer high-level identities. Note that this parameter is passed on to ID-porten and will affect the list of available IDPs there as well.
idp:buypass-oidc Redirects the user to login via Buypass.
idp:commfides-oidc Redirects the user to login via Commfides.
idp:bankid-oidc Redirects the user to login via BankID.
idp:idporten-oidc Redirects the user to login via ID-Porten.
idp:helse-midt-oidc Redirects the user to login via Helse Midt-Norge RHF, this will normally lead to a Single Sign-On for people who have logged in with a Smart Card on Helse-Midt computers.
idp:helseplattformen-oidc Redirects the user to login via Helseplattformen, this will normally lead to a Single Sign-On for people who are logged into Helseplattformen.

For example, the client can send the user straight to the BankID by appending the following parameter to the request: acr_values=idp:bankid-oidc.

Detailed management of Buypass

The client can add an additional value in acr_values to fine-tune the behavior of Buypass:

Value Consequence
idp:buypass-oidc bp:amr:sc Redirects the user to log in with a smart card in the Buypass portal.
idp:buypass-oidc bp:amr:mobile Redirects the user to log in with a mobile app in the Buypass portal.
idp:buypass-oidc bp:amr:pwd_otp Redirects the user to login with username, password and one-time code via SMS in the Buypass portal.
idp:buypass-oidc bp:idp_hint:<tenantID> Redirects the user to log in with a Fido2 chip in the Buypass portal. You get the correct value for <tenantID> from Buypass.

Detailed management of ID-porten

The client can add an additional value in acr_values to fine-tune the behavior of ID-porten:

Value Consequence
idp:idporten-oidc amr:bankid Redirects the user to log in using BankID via ID-porten.
idp:idporten-oidc amr:buypass Redirects the user to log in using Buypass via ID-porten.
idp:idporten-oidc amr:commfides Redirects the user to log in using Commfides via ID-porten.
idp:idporten-oidc amr:minid Redirects the user to log in using MinID via ID-porten.
idp:idporten-oidc Level4 Filters the list of IDPs in ID-porten to show only those that offer high-level identities.

When should I use ID-porten?

ID-porten gives access to the same identity providers as HelseID. ID-porten is not available on the Health Network, so you may experience problems with accessibility. We therefore recommend the use of Buypass, Commfides or BankID as preferred IDPs. We recommend using ID-porten an alternative login option to improve availibility in cases where there is a problem with the other identity providers.