European Identity Service

FoxIDs makes it easy to implement authentication and authorization into your websites and APIs. Seamlessly connect with industry security standards like OAuth 2.0, OpenID Connect and SAML 2.0, and integrate identity providers such as Microsoft Entra ID, Google and Facebook etc.

Use FoxIDs Cloud or Host it yourself anywhere using Docker or Kubernetes (K8s) or IIS.

Start building for free

JO Informatik
IGEL
Verdo
Tangora
Gentofte Kommune
Septima
GOALS
ENERGY COOL
FlexDanmark
Applikator
Pragmasoft
JO Informatik
IGEL
Verdo
Tangora
Gentofte Kommune
Septima
GOALS
ENERGY COOL
FlexDanmark
Applikator
Pragmasoft

The European alternative to
Auth0
Okta
Microsoft Entra ID
PingIdentity

Identity and Access build for Developers

Built by developers, for developers. Connect to FoxIDs no matter what language you code in or platform you build on.

Start

Sign up with a free tenant on FoxIDs Cloud.

OR

Deploy and host FoxIDs yourself.

All development and test is free.

FoxIDs environment
Environments

Separation
Each environment is a separate configuration with a unique user store. You can use the same application names across environments.

Unique identity
Each environment is an Identity Provider (IdP) with its own certificate. Support for automatic certificate rotation or you can upload your own certificate.

Divide with environments
Split your identity configuration into different environments, for example to separate external connections or customers. You can have many user stores and optionally connect environments.

Authentication methods
Authentication

Customisable login experience
Customise the login UI to suit your needs. Multi-language support is built in. Texts and translations can be adjusted per environment.

OpenID Connect, SAML 2.0 and SSO
Create external connections with OpenID Connect and SAML 2.0 authentication methods. Configure social and corporate logins.

Existing user database
Authenticate users in your existing user database, linked with a simple API.

Multi-factor authentication
Require multi-factor authentication - MFA/2FA at different levels. Require MFA in the applications login request and check it after successful authentication.

Test authentication methods
Each authentication method can be easily tested with a single click and a test link is generated that can be copied.

Users
Users and claims

Users
The user store in an environment can contain an infinite number of users. A user can have one or more of the three user identifiers; email, phone number and username.

Two-factor
Two-factor authentication with SMS, email and authenticator app.

Internal and external users
Support for both internal users stored in the environment's user store and optionally external users. Both user types can be provisioned. The external users can be created or redeemed (e.g. by email) during login and the user can be asked to enter additional properties.

Claims
All user data is processed as claims. Add information to users as claims. Authorize users with role claims or a more complex claim structure.

Transform claims
Change revived claims and add claims in claim transformations at different levels. Add/replace/remove/concatenate claims stored on a user, received claims or claims defined in a claim transformation step.

Claim tasks
Use claim tasks (in claim transformations) to query internal and external users, return an error or start a new authentication flow based on claims.

Applications
Application

OpenID Connect or SAML 2.0
Add your application with OpenID Connect (OIDC) or SAML 2.0. Adapt the configuration to suit your application. Support for both login, SSO, logout and single-logout.

Authentication methods
The allowed authentication methods are configured for an application. A subset can be selected in the login call from the application. The user can choose how to authenticate if more then one is active.

OAuth 2.0 - API
Add you API with OAuth 2.0 and define scope to restrict access. You application and API can be configured as one application, and a general API can be configured separately.

SAML 2.0 / OpenID Connect bridge
Configure you application with OpenID Connect and add an external SAML 2.0 Identity Provider (IdP) as an authentication method. Then you have a bridge between the two standards.

Exchange of tokens
Exchange tokens from JWT to JWT or from SAML 2.0 tokens to JWT. Use tokens with least privileges and only valid for one API. Perform token exchange to call another API and thereby restrict who can call an API.

Digital Sovereignty

As a company based in Denmark, we strictly adhere to the regulations imposed by GDPR. FoxIDs is 100% Made in Europa and fully GDPR compliant. Your data is hosted exclusively in the EU, so you always retain full control.

Why did we develop FoxIDs?

We believe an identity service should include all the features needed to build secure applications and APIs - without breaking the budget.

The source code for the full feature set should be available online.

The identity service should support both cloud and on-premises deployment and be available in Europa on FoxIDs Cloud at a low cost.

Anders Revsgaard
Founder, Application security expert

Features and functions

A look at what's possible with FoxIDs

One single Identity Provider

You can benefit from having FoxIDs as one single identity provider (IdP) when building applications. Development becomes simpler and more secure by using the same identity provider and security standards across all applications. Single sign-on is easier to achieve and APIs can be called securely from all applications.

FoxIDs will then handle user authentication with username+password and optionally MFA or transfer user ID's from users authenticated in an external identity provider such as Microsoft Entra ID, AD FS, IdentityServer, Google, Facebook or others supporting OpenID Connect or SAML 2.0.

The application can choose how the user should log in by setting an authentication method as a parameter in the URL and configure a custom identity and access management (IAM) sign-up experience.

SAML 2.0 to OpenID Connect bridge

You can use FoxIDs as a SAML 2.0 to OpenID Connect bridge. Where FoxIDs handles the SAML 2.0 traffic to the external Identity Provider (IdP) and your application connects to FoxIDs with OpenID Connect. You basically only need care about OpenID Connect, the SAML 2.0 connection is handled by FoxIDs.

SAML 2.0 is tricky and an old standard with its shortcomings, and therefore it is often a better choice to use OpenID Connect in your application.

OpenID Connect and SAML 2.0 applications

It is a common scenario to have OpenID Connect and SAML 2.0 applications in a enterprise architecture. You can connect both OpenID Connect and SAML 2.0 applications to FoxIDs and configure the same or different login experiences.

Both single sign-on (SSO) and single logout is supported across different types of applications. And if a SAML 2.0 application needs to call an OAuth 2.0 secured API the SAML 2.0 token can be exchanged to an access token for the API.

Token Exchange

Tokens should be issued with lease privileges. If an application needs to call multiple APIs or API groups it is a good and secure approach to issue a separate access token for each API or API group. Use zero trust (never trust, always verify), validate that each API request is authenticated and authorized in context of the calling client and the end-user.

Initially a limited access token is issued which is granted access (with audience and scope) to be exchanged with token exchange to different API / API group access tokens with specific audiences and scopes.
The initial access token can be issued on user authentication in an OpenID Connect application or with client credentials grant in an OAuth 2.0 application. And thereafter be exchanged to other access tokens.

It is recommended to pass the user's identity securely between APIs. With token exchange in an API, it is possible to issue an access token to another API and thereby calling the next API in the context of the end-user.