Open-Source Security

FoxIDs is the free open-source Identity Services (IDS) built for the cloud.
Designed as a container with multi-tenant support.

on FoxIDs.com SaaS for free

Developed in Denmark / hosted in Netherlands / ownership and data in Europe.

Authentication platform with MFA and support for OAuth 2.0, OpenID Connect and SAML 2.0.

FoxIDs as a SAML 2.0 to OpenID Connect bridge.

Use FoxIDs.com SaaS or deploy FoxIDs in your private cloud on Azure.

Unlimited tenants, tracks, users, up-parties and down-parties. Unlimited scale in Azure.

Connect and orchestrate everything!

A FoxIDs tenant is a container, and once you have created your tenant, it's all about tracks. Each track is an Identity Provider (IdP) and it is independent of all the other tracks. You build all your configuration and set up connections in tracks.

FoxIDs track

You orchestrate by connecting tracks to compose elements and connections. Support multiple login scenarios and transform user claims as needed.
Customize the user login in a Login up-party with multi-language support. Authenticate with the user repository in a track and optionally require MFA.

Why did I develop FoxIDs?

An identity service should include all the features needed to build secure applications and APIs and yet be affordable. The full feature set should be free and accessible as open-source. And the identity service should be cloud native and available on FoxIDs.com SaaS with a close-to-full feature set in all plans at a low cost.

FoxIDs is created by ITfoxtec along with other open-source security components. You are welcome to make donations to support future development.

FoxIDs.com

Create a tenant with pre-configured tracks for your test and production environments.

Get started

OR

Private Cloud

You can deploy FoxIDs in your private cloud on Azure and use FoxIDs for free (Apache License 2.0) to manage your entire security infrastructure.

You will probably only want to configure one main tenant next to the master tenant, with all environments (test, QA and production) configured as tracks inside the tenant.
Depending on the need you can also configure multiple tenants for separation.

Consider signing up for Enterprise Support.

Using FoxIDs

JO Informatik FlexDanmark ENERGY COOL Septima Applikator Verdo Tangora

Start building for free on FoxIDs.com

Plans on FoxIDs.com SaaS

Free

€0 /month

  • Up to 3 tracks and thus 3 user directories
  • Up to 1,000 users
  • Up to 5,000 logins(1) per month
  • Up to 5,000 token requests(2) per month
  • Token exchange
  • Log retention 30 days
  • Up to 5,000 Control API reads per month
  • Up to 1,000 Control API updates per month
  • Support is invoiced per hour
  • Support hourly rate 250EUR

Pro

€50 /month

Scale unlimited:
  • €0.003 /user/month
  • €0.0006 /login(1)/month
  • €0.0004 /token request(2)/month
  • €1.2 /track/month and thus a user directory
  • €1.5 /Key Vault managed certificate/month
  • €0.0005 /Control API read/month
  • €0.003 /Control API update/month

Enterprise

€200 /month

  • Include Pro plan
  • 10 tracks included and thus 10 user directories
  • 99.9% SLA - Uptime Status
  • Log retention 180 days
  • Prioritized email support
  • Prioritized additional support
    Additional support is invoiced per 15 minutes
  • Additional support hourly rate 250EUR
    Save 10% on the hourly rate
Scale unlimited:
  • €0.004 /user/month
    from 500k users €0.0032 /user/month
  • €0.0007 /login(1)/month
    from 2,500k logins/month €0.00063 /login/month
  • €0.0005 /token request(2)/month
    from 2,500k token requests/month €0.00043 /token request/month
  • €1.5 /track/month and thus a user directory
  • €1.5 /Key Vault managed certificate/month
  • €0.0006 /Control API read/month
  • €0.004 /Control API update/month

If you are in the EU outside Denmark, please provide your VAT number to avoid VAT. There is no VAT if you are outside the EU. In Denmark the VAT is 25%.

Included in all plans:

Please write to [email protected] to change your plan.

1) Logins are counted for each track and are therefore counted multiple times if tracks are connected. Logins are furthermore rated higher if additional logging is enabled.
2) Token requests are counted in each track. Token requests can be counted multiple times if tracks are connected with OpenID Connect. Token requests are furthermore rated higher if additional logging is enabled.

Private Cloud with peace of mind

Support for Private Cloud

Free

€0 /month

  • Support is invoiced per hour
  • Support hourly rate 250EUR

Enterprise Support

€200 /month

  • Prioritized email support
  • Prioritized additional support
    Additional support is invoiced per 15 minutes
  • Additional support hourly rate 250EUR
    Save 10% on the hourly rate
Scale unlimited:(1)
  • €0.004 /user/month
    from 500k users €0.0032 /user/month
  • €0.0007 /login(2)/month
    from 2,500k logins/month €0.00063 /login/month
  • €0.0005 /token request(3)/month
    from 2,500k token requests/month €0.00043 /token request/month
  • €1.5 /track/month and thus a user directory
  • €1.5 /Key Vault managed certificate/month
  • €0.0006 /Control API read/month
  • €0.004 /Control API update/month

If you are in the EU outside Denmark, please provide your VAT number to avoid VAT. There is no VAT if you are outside the EU. In Denmark the VAT is 25%.

Included in all tenants combined:

  • 10 tracks
  • 5 Key Vault managed certificates
  • 1,000 users
  • 5,000 logins(2) per month
  • 5,000 token requests(3) per month
  • 5,000 Control API reads per month
  • 1,000 Control API updates per month

1) You are expected to inform us when your consumption grows.
2) Logins are counted for each track and are therefore counted multiple times if tracks are connected. Logins are furthermore rated higher if additional logging is enabled.
3) Token requests are counted in each track. Token requests can be counted multiple times if tracks are connected with OpenID Connect. Token requests are furthermore rated higher if additional logging is enabled.

Use cases

A look at what's possible with FoxIDs

FoxIDs as one single Identity Provider

You can benefit from having FoxIDs as one single identity provider when building applications. Development becomes simpler and more secure by using the same identity provider and security standards across all applications. Single sign-on is easier to achieve and APIs can be called securely from all applications.

FoxIDs will then handle user authentication with username+password and optionally MFA, or transfer user IDs from users authenticated in an external identity provider such as Microsoft Entra ID (Azure AD), AD FS, IdentityServer, Google, Facebook or others supporting OpenID Connect or SAML 2.0.

The application can choose how the user should log in by setting an up-party as a parameter.

OpenID Connect and SAML 2.0 applications

It is a common scenario to have OpenID Connect and SAML 2.0 applications in an enterprise architecture. You can connect both OpenID Connect and SAML 2.0 applications to FoxIDs and configure shared or separate login experiences.

Both single sign-on (SSO) and single logout are supported across different types of applications. And if a SAML 2.0 application needs to call an OAuth 2.0 secured API, the SAML 2.0 token can be exchanged for an access token for the API.

Token Exchange

Tokens should be issued with least privilege. If an application needs to call multiple APIs or API groups, it is a good and secure approach to issue a separate access token for each API or API group. Apply zero trust (never trust, always verify): validate that each API request is authenticated and authorized in the context of the calling client and the end-user.

Initially, a limited access token is issued. Its audience and scope only grant it the right to be exchanged, with token exchange, for access tokens for the different APIs or API groups, each with a specific audience and scope.
The initial access token can be issued on user authentication in an OpenID Connect application or with the client credentials grant in an OAuth 2.0 application. It can thereafter be exchanged for other access tokens.

It is recommended to pass the user's identity securely between APIs. With token exchange in an API, it is possible to issue an access token for another API and thereby call the next API in the context of the end-user.
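The flow described in this section, sketched as an added example (not FoxIDs code): the RFC 8693 form fields a client sends to exchange the limited token, and the audience/scope check each API applies to what it receives. The audience and scope names and the claim sets are constructed for illustration, and signature and issuer validation are assumed to have happened before `authorize` is called.

```python
import time

# RFC 8693 identifiers (standard values, not FoxIDs-specific).
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(subject_token, audience, scopes):
    """Form fields POSTed to the token endpoint to swap the limited token
    for one bound to a single API (audience) and a narrow set of scopes."""
    return {
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "scope": " ".join(scopes),
    }


def authorize(claims, api_audience, required_scope, now=None):
    """API-side check on every request. Assumes the token signature and
    issuer were already verified. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # "aud" may be a single string or a list
        aud = [aud]
    if api_audience not in aud:
        return False, "wrong audience"
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope"
    return True, "ok"


# Constructed claim sets; audience and scope names are hypothetical.
NOW = 1_700_000_000
INITIAL = {"sub": "user-1", "aud": "exchange", "scope": "exchange:use", "exp": NOW + 300}
FOR_ORDERS = {"sub": "user-1", "aud": ["orders-api"], "scope": "orders:read", "exp": NOW + 300}

if __name__ == "__main__":
    print(build_exchange_request("<initial-token>", "orders-api", ["orders:read"]))
    for api, scope in [("orders-api", "orders:read"), ("billing-api", "billing:read")]:
        # The initial token is refused everywhere; the exchanged one only fits its own API.
        print(api, authorize(INITIAL, api, scope, NOW), authorize(FOR_ORDERS, api, scope, NOW))
```

The `sub` claim is carried unchanged through the exchange, which is what lets the next API act in the context of the same end-user.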

SAML 2.0 to OpenID Connect bridge

You can use FoxIDs as a SAML 2.0 to OpenID Connect bridge, where FoxIDs handles the SAML 2.0 traffic to the external Identity Provider (IdP) and your application connects to FoxIDs with OpenID Connect. You basically only need to care about OpenID Connect; the SAML 2.0 connection is handled by FoxIDs.

SAML 2.0 is a tricky, old standard with its shortcomings, and therefore it is often a better choice to use OpenID Connect in your application.

NemLog-in or Context Handler to OpenID Connect bridge

You can connect FoxIDs to NemLog-in (Danish IdP) or Context Handler (Danish identity broker, Fælleskommunal Adgangsstyring) without worrying about the complexity. FoxIDs handles everything related to the OIOSAML3 / SAML 2.0 connection and translates it to OpenID Connect. The Danish privilege claim with a base64-decoded XML value can also be transferred to a claim with a readable JSON value.

Your application, and possibly your API, then connects to FoxIDs with OpenID Connect and OAuth 2.0, and the developer doesn't have to worry much about NemLog-in or Context Handler and all the requirements.