Local IdM

Local IdM allows your organisation to manage MitID Erhverv users, along with their access and rights to self-services, locally within your own administration system.

To manage MitID Erhverv users, along with their access and rights to self-services, locally in your own administration system (IdM system), you must integrate your IdM system with MitID Erhverv. This can be achieved in 2 different ways:

Below, you can compare the 2 integration options:

| Functions | Local IdM Light | Local IdM + IdP |
| --- | --- | --- |
| Automatic synchronisation with Nem-Log-in | X | X |
| Local identity assurance | | X |
| Certification and annual audit | | X |
| Local network password and own two-factor authenticator | | X |
| Local support - e.g. for forgotten passwords | | X |
| Single sign-on experience for users | | X |

Local IdM Light

With Local IdM Light, users and rights are automatically synchronised with MitID Erhverv via the IdM API. This ensures that your users are created in both MitID Erhverv and your Local IdM system, thereby reducing administrative tasks.

Please note that users in Local IdM Light must:

  • activate themselves as users in MitID Erhverv using private MitID
  • use a MitID authenticator to log in.

Getting Started with Local IdM Light

To implement Local IdM Light, your organisation must have entered into a connection agreement with MitID Erhverv and have accepted MitID Erhverv’s terms and conditions.

Once the agreement is concluded, contact MitID Erhverv via email to request activation of IdM Light. The request should include the following:

  • Subject: IdM Light
  • Content: CVR (Central Business Register) number and contact details.

MitID Erhverv: Email

Local IdM combined with Local IdP

By combining your Local IdP with Local IdM, your organisation gains full control over users, rights, and authenticators. This allows your users to use locally issued authenticators instead of MitID authenticators when accessing self-services.

Local IdM combined with Local IdP offers several advantages:

  • Users do not need to activate themselves as users in MitID Erhverv using private MitID.
  • You can locally manage the authenticators you issue, such as:
    • using a locally managed password as one factor
    • providing local support for forgotten passwords or registering a two-factor device
    • using your own two-factor solutions
    • enabling single sign-on (SSO) across your own IT systems and public services
  • Your users are automatically synchronised across Local IdP, Local IdM, and MitID Erhverv.

NSIS notification required when using Local IdP

Your Local IdP must be NSIS-notified as both an electronic identification scheme and identity broker. This requires high security standards and incurs additional costs for notification and annual audits.

Read more about Local IdP and NSIS:

Local IdP

Agency for Digital Government’s website: National Standard for Security Levels (NSIS) (available only in Danish)

How to implement integration between an IdM System and MitID Erhverv

First, select the integration option that best meets your organisation’s requirements:

If you have selected Local IdM Light, you can skip this step.

You must complete the NSIS notification process if you:

  • choose to combine Local IdM with your local IdP,
  • intend to create users at the NSIS assurance levels “significant” and “high”.

Learn more about Local IdP and NSIS:

Local IdP

Agency for Digital Government’s website: National Standard for Security Levels (NSIS) (available only in Danish)

Please use the following documentation package to develop your solution:

Documentation Package (V1.12) for IdM and Certificate API (zip)

To test your solution, create a test organisation in the integration test environment. Instructions for creating a test organisation are available here:

MitID Erhverv integration test environment: Test MitID Erhverv features

Once the test organisation is created, you can issue a system certificate authorised to call the IdM API. Access the integration test environment here:

MitID Erhverv: Integration test environment

When ordering the system certificate in the test environment, select the following options:

  • Tick "Access to IdM services in MitID Erhverv" under the "System rights" menu.
  • Under the "Certificates" menu, choose the certificate type. We recommend the following settings:
    • Certificate types: Select "OCES system certificate".
    • Identification method: Select "User login".
    • Issuance method: Select "Internet browser".

To gain access to the IdM API, contact MitID Erhverv Administration via email with the following information:

  • CVR (Central Business Register) number
  • A description indicating that the request is for IdM integration in the test environment.

MitID Erhverv Administration will then grant access to the IdM integration in the test environment.

MitID Erhverv Administration: Email

To gain access to the IdM API in MitID Erhverv, email MitID Erhverv Administration. The email must include at least the following 5 details:

  • Subject: IdM Light or Local IdM combined with Local IdP.
  • CVR number.
  • Contact person:
    • Name
    • Email
    • Phone number

MitID Erhverv Administration: Email

Once MitID Erhverv Administration grants access, you will receive an email notification.

After gaining access to the IdM API in production, one of your user administrators must issue a system certificate. When ordering the system certificate, select the following settings:

  • Tick "Access to IdM services in MitID Erhverv" under the "System rights" menu.
  • Under the "Certificates" menu, choose the certificate type. We recommend the following settings:
    • Certificate types: Select "OCES system certificate".
    • Identification method: Select "User login".
    • Issuance method: Select "Internet browser".

If you are unsure how to order a system certificate, refer to the guide here:

Manage organisation certificates

If you enter an email address in the "Email address in certificate" field, email validation will also be required. You will receive an email with a link to verify your email address. Click the link to confirm your email address. The certificate cannot be issued without this validation.

Once the certificate is issued, you can use it for authentication against the IdM API in MitID Erhverv on behalf of your CVR (Central Business Register) number.

Once in production, you can start creating users.

Please be aware of the following:

  • You must enter users’ existing RID numbers when creating them to retain any previously assigned rights in MitID Erhverv.
  • Administrator roles and billing settings are not stored in your IdM system, so they must be recreated and configured.