Security Profile for Identity Federations
This document defines the standards required for identity federations used by HelseID to accept external logins. If you intend to use HelseID with a client or an API, please refer to this document.
| Term | Definition |
|---|---|
| IDP | An authorization server, as described in RFC 6749. |
| HelseID | A client as defined in RFC 6749. |
| Claims | A name and value representing an informational element. |
| Keywords | The keywords must, must not, shall, shall not, should, and may in this document are to be interpreted as defined in RFC 2119. |
Security Requirements for IDPs
SI1: IDPs shall require the Authorization Code Flow as specified in the OpenID Connect specification.
SI2: IDPs shall require Proof Key for Code Exchange (PKCE), as described in RFC 7636.
SI3: IDPs shall require the Pushed Authorization Requests (PAR) mechanism, as described in RFC 9126.
SI4: IDPs shall only allow connections to servers (including HelseID) over TLS. All TLS connections shall use TLS 1.2 or higher, and the IDP must comply with RFC 9325.
SI5: IDPs shall require client authentication using private_key_jwt.
SI6: IDPs shall be up to date with mitigation measures addressing the most common security risks in accordance with the OWASP Top Ten.
Functional Requirements for IDPs
FI1: IDPs must issue an ID token that includes the following claims:
- The national identification number of the authenticated user.
- The security level of the user authentication.
FI2: IDPs must issue an ID token signed with an algorithm approved by HelseID.
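The following is an added, stdlib-only example that is not HelseID's code; it shows the server-side checks that back SI1, SI2, SI3 and SI5 above, and the ID token checks behind FI1 and FI2. Signature verification of the client assertion and the ID token is assumed to be done elsewhere with the registered keys; the ID token claim names `pid` and `security_level`, the algorithm allowlist, and the endpoint URLs are placeholders chosen for the example, not values taken from this document.

```python
"""Worked example (added, not HelseID's own code) of the checks behind the
security profile: PKCE (RFC 7636), a PAR body (RFC 9126) carrying a
private_key_jwt client assertion, and ID token acceptance rules."""
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout OAuth/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# --- SI2: PKCE ---------------------------------------------------------------
def make_code_verifier() -> str:
    """32 random bytes -> 43 URL-safe characters (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_verifier_matches(verifier: str, challenge: str, method: str = "S256") -> bool:
    """IDP-side check at the token endpoint. Only S256 is accepted; 'plain'
    would defeat the purpose of PKCE and is rejected."""
    if method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge_s256(verifier), challenge)


# --- SI1 + SI3 + SI5: PAR request with private_key_jwt -----------------------
def build_par_body(client_id: str, redirect_uri: str, challenge: str,
                   client_assertion: str, state: str, nonce: str) -> str:
    """Form body HelseID would POST to the IDP's PAR endpoint (RFC 9126).
    response_type=code is the Authorization Code Flow required by SI1."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
        "nonce": nonce,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": client_assertion,
    })


class ClientAssertionChecker:
    """IDP-side validation of the private_key_jwt claims set (RFC 7523),
    applied after the signature has been verified with the client's key.
    The jti replay cache is kept in memory here for illustration."""

    def __init__(self, token_endpoint: str, now=time.time):
        self.token_endpoint = token_endpoint
        self.now = now
        self.seen_jti: set[str] = set()

    def check(self, claims: dict, client_id: str) -> bool:
        if claims.get("iss") != client_id or claims.get("sub") != client_id:
            return False
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if self.token_endpoint not in aud:
            return False
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= self.now():
            return False
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:  # reject replayed assertions
            return False
        self.seen_jti.add(jti)
        return True


# --- FI1 + FI2: ID token acceptance on the HelseID side ----------------------
ALLOWED_ALGS = {"RS256", "PS256", "ES256"}  # placeholder allowlist (assumption)
# Claim names for the national identification number and the security level
# are placeholders; the actual names are defined by HelseID, not this example.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat", "nonce", "pid", "security_level")


def id_token_acceptable(header: dict, claims: dict, expected_nonce: str, now=time.time) -> bool:
    """Reject unsigned/unapproved algorithms, missing claims, nonce mismatch
    or an expired token. Signature verification is assumed to happen first."""
    if header.get("alg") not in ALLOWED_ALGS:
        return False
    if any(c not in claims for c in REQUIRED_CLAIMS):
        return False
    if claims["nonce"] != expected_nonce:
        return False
    return claims["exp"] > now()
```

Note that `alg: none` and `HS256` fail the FI2 check by construction, and a `plain` code_challenge_method fails the SI2 check even though RFC 7636 technically permits it; both are deliberate tightenings that match the profile's intent of requiring asymmetric signatures and S256.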