Local IdP

Setting up and maintaining a Local IdP requires technical maturity and the capacity to meet stringent security requirements, including:

• implementing and being notified for the NSIS standard (National Standard for Identity Assurance Levels) at the required assurance level (substantial or high)
• annual revisions after NSIS notification
• maintaining your organisation’s own authenticators
• understanding that issuing own authenticators is often more resource-intensive and financially burdensome than using MitID authenticators.

Consider:

• the assurance level required for the services your users need to access
• uptime, response time and other performance objectives
• how to create user identities for business purposes, whether integrating Local IdM with MitID Erhverv for user management or managing users directly within MitID Erhverv.

If your organisation intends to establish a Local IdP, it is a prerequisite that your Local IdP meets the requirements set out in the NSIS (National Standard for Identity Assurance Levels).

Your organisation’s Local IdP must be NSIS notified and listed on the NSIS trust list by the time the Local IdP is connected to production.

Implementing the NSIS standard involves various disciplines – technical, organisational, and security related. It is therefore important not to view the task purely as a technical implementation project:

• Identify the desired process for identity assurance:
  • Should users, for instance, log in for the first time using private MitID?
  • Will identity assurance occur in the local enrolment application or centrally in NemLog-in?
  • Should users instead present themselves in person with a passport or driving licence?
• Clarify the type of authenticators your organisation would like issue locally, and how they will be distributed and managed. Typically, a username and password are combined with additional factors on dedicated hardware devices, such as apps on mobile devices.
• Clarify how the authentication service (IdP) will be technically established and how it can support the chosen assuarance levels. The Local IdP must expose a SAML interface that meets the requirements of the "OIOSAML Local IdP Profile".
• Clarify the requirements for operational facilities and technical security: Are your current operational facilities sufficiently advanced, or do improvements need to be made?
• Assess the need for training of your user administrators who will be handling tasks such as identity assurance.
• Establish an Information Security Management System (ISMS) or adopt an existing one to cover identity management processes.
• Clarify how subcontractors, such as those providing software or operational services, who contribute to the local implementation, will be managed and overseen.
• Describe processes, security designs, and technical systems, and ensure the design is obtained.
• Plan how systems and processes can be audited by an external auditor: It is crutial to ensure that an adequate audit trail is in place, allowing the auditor to verify that processes, personnel, and system are executing the intended controls.

Agency for Digital Government’s homepage: National Standard for Identity Assuarance Levels (NSIS) (Only available in Danish)

Users in a Local IdP cannot automatically sign on behalf of the organisation. Additional requirements apply. Learn more here:

Signing on behalf of the organisation when the user is created in a Local IdP

1. Establish environments for a Local IdP and associated user directory, and set up the required components and services.
2. Acquire the necessary certificates for the Local IdP.
3. Perform local testing, including both functional and security testing.
4. Conduct tests of organisational processes.

Your organisation can create a test organisation in the MitID Erhverv integration test environment. Here, you can test features such as:

• IdM
• certificate APIs
• your Local IdP integration.

MitID Erhverv Integration Test Environment: Test MitID Erhverv features

It is a prerequisite to obtain the required audit and management statements for the NSIS (National Standard for Identity Assurance Levels) notification.

We recommend engaging with your auditor at an early stage. Be prepared for a certain amount of effort to gather the required audit statements and ensure that the relevant documentation for systems and processes is comprehensive and readily accessible for the auditor.

Agency for Digital Government’s homepage: National Standard for Identity Assurance Levels (NSIS) (available only in Danish)

Once you have obtained and prepared the necessary documentation, you must send a complete notification package (including audit statements) to the NSIS Supervisory Body at the Agency for Digital Government:

NSIS Supervisory Body at the Agency for Digital Government: Email

After submission, await a response from the NSIS Supervisory Body. You may be asked to provide further information before receiving NSIS notification.

Read more about what the package should include and answers to frequently asked questions about NSIS:

Agency for Digital Government’s homepage: FAQs about NSIS

The NSIS Supervisory Body processes your submissions as swiftly as possible, typically within 30 days. The processing time depends on:

• the complexity of the submission
• the completeness and quality of the documentation
• the number of ongoing notification review processes
• resources available at the NSIS Supervisory Body.

Once your Local IdP is listed on the NSIS trust list on the Agency for Digital Government’s homepage, your organisation must contact MitID Erhverv by email. The email should include the following information:

• Organisation name.
• CVR number.
• EntityID for the Local IdP.
• Whether your organisation uses its own Local IdP or an external FullService Local IdP.
• Whether your organisation allows users to sign on behalf of the organisation (requires meeting specific additional requirements). Further details can be found in the section: “Signing on behalf of the organisation when the user is registered in a Local IdP".
• Name, phone number, and email address of a contact person.

MitID Erhverv will then enable your organisation to set up your Local IdP in production within MitID Erhverv.

MitID Erhverv: Email

Once you receive confirmation via email, you are ready to set up your Local IdP.

Find the NSIS trust list here:

Agency for Digital Government’s website: National Standard for Identity Assurance Levels (NSIS) (available only in Danish)

Your organisation must now set up your Local IdP in the MitID Erhverv production environment. This task is carried out by an organisation administrator within your organisation.

Refer to the guide for setting up your Local IdP:

Manage Local IdP

Users created in your Local IdP can verify their identity using their private MitID, such as the one used to log in to their online banking. This allows them to sign on behalf of the organisation using your local authenticators.

To verify identity with private MitID:

• the user administrator or the user can generate an email containing a link for verification.

If a user administrator generates the email, they should:

• log in to MitID Erhverv
• locate the user under "Users"
• generate an email under "Signature".

The user will receive an email with a link for identity verification using private MitID.

If a user generates the email, they should:

• log in to MitID Erhverv
• generate an email under "Master data".

The user will receive an email with a link for identity verification using private MitID.

MitID Erhverv: Login

Users in your organisation will be able to sign on behalf of the organisation using your organisation’s local authenticators if a supplementary audit statement, detailing the registration processes applied to your Local IdP, is submitted.

You only need to send the supplementary audit statement to MitID Erhverv, not to the NSIS Supervisory Body.

Further requirements for the supplementary audit statement can be found in section 5.4.3.1: “Issuing an audit statement” in Annex 7: “MitID Erhverv Terms and conditions for the use of Local IdP”:

Annex 7 MitID Erhverv Terms and conditions for the use of Local IdP (pdf) (Only available in Danish)

MitID Erhverv: Email

Once the supplementary audit statement has been submitted, you will receive an email from MitID Erhverv confirming that users in your organisation can now sign on behalf of the organisation using your local authenticators.

Users in your organisation will be able to sign on behalf of the organisation using your organisation’s local authenticators if a conformity assessment report, confirming that the local registration processes comply with the requirements set out in Article 24.1 of the eIDAS Regulation, is submitted. The report must be sent to the eIDAS Supervisory Body in the Agency for Digital Government, with a copy forwarded to MitID Erhverv.

Further requirements for the conformity assessment report can be found in section 5.4.3.2: “Issuing a conformity assessment report” in Annex 7: “MitID Erhverv Terms for the use of Local IdP:

Annex 7 MitID Erhverv Terms and conditions for the use of Local IdP (pdf) (available only in Danish)

MitID Erhverv: Email

eIDAS Supervisory Body in Agency for Digital Government: Email

Once you have submitted your conformity assessment report, you will receive an email from MitID Erhverv confirming that users registered in your Local IdP can now sign on behalf of the organisation using your local authenticators.

An organisation that has established a Local IdP can offer it to other organisations. The benefit of this is that the organisations choosing to use the established Local IdP do not need to complete an NSIS notification.

Organisations providing a FullService Local IdP are responsible for all technical and procedural aspects outlined by NSIS, including the user registration, identity assurance, and the issuance of local authenticators.

A FullService Local IdP is subject to audits as required by the NSIS standard. Therefore, the organisation offering the FullService Local IdP will appear on the NSIS trust list.

Learn more about NSIS:

Agency for Digital Government’s homepage: National Standard for Identity Assurance Levels (NSIS)

If you offer your own FullService Local IdP, you are responsible for defining the terms and agreements with the organisations that choose to use your Local IdP.

As the provider of a FullService Local IdP, you are required to sign a joint management statement with each organisation that opts to use your service.

It is the responsibility of the organisation using your FullService Local IdP to submit the joint management statement to MitID Erhverv. Consequently, as the provider of the FullService Local IdP, you are not required to document these agreements to MitID Erhverv.

Management statement and joint management statement

MitID Erhverv: Email

If you would like to use a FullService Local IdP offered by another organisation, you must enter into an agreement with the provider of the FullService Local IdP.

MitID Erhverv cannot inform available FullService Local IdPs in Denmark. However, you can refer to the NSIS trust list and explore the market to identify potential FullService Local IdPs:

Agency for Digital Government’s homepage: Overview of the National Standard for Identity Assurance Levels (NSIS)

Once you have concluded an agreement with a FullService Local IdP provider, you must send the following 2 documents to MitID Erhverv:

• A signed management statement.
• A joint management statement, signed by both your organisation and the provider of the full-service local IdP.

Management statement and joint management statement

Once you have entered into an agreement with a FullService Local IdP and are ready to integrate with MitID Erhverv, you must send an email to MitID Erhverv.

The email should include following 7 details:

• Subject: Use FullService Local IdP.
• Your organisation’s CVR (Central Business Register) number.
• Contact person's details:
  • Name
  • Email
  • Phone number
• Attach:
  • signed management statement
  • joint management statement

MitID Erhverv: Email

The NSIS Supervisory Body typically has a processing time of 30 days. However, they endeavour to handle sumitted NSIS notifications as swiftly as possible, so the process may take less than 30 days. The actual processing time depends on factors such as:

• The submitted materials'
  • complexity
  • completenesss
  • quality
• The number of ongoing notification review processes
• the resource availability within the NSIS Supervisory Body.

A right in MitID Erhverv refers to access or the right to perform a specific task in a self-service. Users are assigned rights in MitID Erhverv in the same manner, regardless of whether they use MitID authenticators or local authenticators from a Local IdP. In other words, rights are linked to the user independently of the authenticator they use.

Rights can be assigned:

• via integration with the IdM API
• in MitID Erhverv.

If you choose to assign rights in MitID Erhverv, the rights administrator or user administrator within your organisation must carry out this task. The guides for administrators can be found here:

Assign or delete rights

For Local IdPs, it is also possible to include information about groups in the locally issued token, which can be expanded into rights in MitID Erhverv. This is described in more detail in section 8 of the technical integration guide for Local IdPs:

NemLog-in.dk: Integration with NemLog-in – Local IdP (pdf)

Use of the API is free, but a fee applies for organisations with more than 3 users.