Connect Nets eID Broker as authentication method
FoxIDs can be connected to Nets eID Broker with OpenID Connect and thereby authenticating end users with MitID and other credentials supported by Nets eID Broker.
How to configure Nets eID Broker in
- test environment using Nets eID Broker demo
- production environment using Nets eID Broker admin portal
You can test the Nets eID Broker demo login with the online web app sample (sample docs) by clicking
Log in
and thenNets eID Broker TEST
.
Take a look at the Nets eID Broker sample configuration in FoxIDs Control: https://control.foxids.com/test-corp
Get read access with the user[email protected]
and passwordTestAccess!
then select theProduction
environment and theAuthentication methods
tab.
Configuring Nets eID Broker demo/test as OpenID Provider (OP)
This guide describes how to connect a FoxIDs authentication method to Nets eID Broker demo in the test environment.
Nets eID Broker has a MitID demo where all clients can connect without prior registration. All redirect URIs are accepted. Her you can find all needed to register a client with Nets eID Broker.
This connection use OpenID Connect Authorization Code flow with PKCE, which is the recommended OpenID Connect flow.
Create an OpenID Connect authentication method in FoxIDs Control Client
- Add the name
- Add the Nets eID Broker demo authority
https://pp.netseidbroker.dk/op
in the Authority field - In the scopes list add
mitid
(to support MitID) and optionallynemid
(to support the old NemID) - Select show advanced
- Optionally add an additionally parameter with the name
idp_values
and e.g. the valuemitid
to show the MitID IdP or e.g. the valuemitid_erhverv
to show the MitID Erhverv IdP. - Add the Nets eID Broker demo secret
rnlguc7CM/wmGSti4KCgCkWBQnfslYr0lMDZeIFsCJweROTROy2ajEigEaPQFl76Py6AVWnhYofl/0oiSAgdtg==
in the Client secret field - Add the Nets eID Broker demo client id
0a775a87-878c-4b83-abe3-ee29c720c3e7
in the Optional customer SP client ID field - Select to read claims from the UserInfo Endpoint instead of the access token or ID token
- Click create
That's it, you are done.
The new authentication method can now be selected as an allowed authentication method in a application registration.
The application registration can read the claims from the authentication method. You can optionally add a*
in the application registration Issue claims list to issue all the claims to your application. Or optionally define a scope to issue claims.
Configuring Nets eID Broker as OpenID Provider (OP)
This guide describes how to connect a FoxIDs authentication method to the Nets eID Broker in the production environment.
You are granted access to the Nets eID Broker admin portal by Nets. The Nets eID Broker documentation.
This connection use OpenID Connect Authorization Code flow with PKCE, which is the recommended OpenID Connect flow.
1 - Start by creating an API client in Nets eID Broker admin portal
- Navigate to Services & Clients
- Select the Service Provider
- Create or select a Service
- Click Add new client
- Add a Client name
- Select Web
- Click Create
- Copy the Client ID
- Click Create new Client Secret
- Select Based on password
- Add a name for the new client secret
- Click Generate on server
- Copy the Secret
- Click the IDP tab
- Select MitID and click
Add to pre-selected login options
, optionally select others - Click the Advanced tab
- Set PKCE to Active
2 - Then create an OpenID Connect authentication method in FoxIDs Control Client
- Add the name
- Add the Nets eID Broker demo authority
https://netseidbroker.dk/op
in the Authority field - Copy the two URLs:
Redirect URL
andPost logout redirect URL
- In the scopes list add
mitid
(to support MitID) and optionally other scopes like e.g,nemid.pid
to request the NemID PID and/orssn
to request the CPR number - Select show advanced
- Optionally add an additionally parameter with the name
idp_values
and e.g. the valuemitid
to show the MitID IdP or e.g. the valuemitid_erhverv
to show the MitID Erhverv IdP. - Add the Nets eID Broker secret in the Client secret field
- Add the Nets eID Broker client id in the Optional customer SP client ID field
- Select to read claims from the UserInfo Endpoint instead of the access token or ID token
- Click create
3 - Go back to Nets eID Broker admin portal
- Click the Endpoints tab
- Add the two URLs from the FoxIDs authentication method client:
Redirect URL
andPost logout redirect URL
in the fieldsLogin redirects
andLogout redirects
.
That's it, you are done.
The new authentication method can now be selected as an allowed authentication method in a application registration.
The application registration can read the claims from the authentication method. You can optionally add a*
in the application registration Issue claims list to issue all the claims to your application. Or optionally define a scope to issue claims.
Scope and claims
You can optionally create a scope on the application registration with the Nets eID Broker claims as voluntary claims. The scope can then be used by a OpenID Connect client or another FoxIDs authentication method acting as a OpenID Connect client.
The name of the scope can e.g, be nets_eid_broker
The most used Nets eID Broker claims:
idp
idp_identity_id
loa
mitid.uuid
mitid.has_cpr
dk.cpr
nemid.pid
nemid.pid_status
mitid.age
mitid.date_of_birth
mitid.identity_name
mitid.transaction_id