European Identity and Access Management

FoxIDs is a Identity Services that easily allows you to implement Identity and Access Management (IAM) on your websites and APIs against a variety of industry standards (OAuth 2.0, OpenID Connect and SAML 2.0) and services like Microsoft, Google and Facebook, etc.

Use FoxIDs cloud or Host it yourself anywhere using Docker or Kubernetes (K8s).

Get started for free

JO Informatik
FlexDanmark
Verdo
Tangora
ENERGY COOL
Septima
Gentofte Kommune
Applikator
Pragmasoft
JO Informatik
FlexDanmark
Verdo
Tangora
ENERGY COOL
Septima
Gentofte Kommune
Applikator
Pragmasoft

The European alternative to

Digital Sovereignty

As a company based in Denmark, we strictly adhere to the regulations imposed by GDPR. FoxIDs is 100% Made in Europa and fully GDPR compliant. Your data is hosted exclusively in EU, so you always retain full control.

Connect and Orchestrate your Identity and Access

Start
Create a tenant on FoxIDs cloud or host FoxIDs yourself.
FoxIDs environment
Environments

Separation
Each environment is a separate configuration with a unique user database. You can use the same configuration names across environments.

Unique identity
Each environment has its own certificate and each environment acts as an Identity Provider (IdP). The environments automatically handle certificate rotation or you can upload your own certificate.

Divide with environments
Split your identity configuration into different environments, such as separating external connections or customers. You can then provide a user database per customer and optionally connect environments.

Authentication methods
Authentication

Customizable login dialog
Customize the login dialog to suit your needs. There is built-in multiple language support, where the text and translations can be adjusted per environment.

OpenID Connect, SAML 2.0 and SSO
Create external connections with OpenID Connect and SAML 2.0 authentication methods. Configure social and corporate logins.

Existing user database
Authenticate users in your existing user database, linked with a simple API.

Multi-factor authentication
Require multi-factor authentication – MFA/2FA at different levels. Require MFA in the applications login request and check it after successful authentication.

Test authentication methods
Each authentication method can be easily tested with one click and a test link is generated that can be copied.

Users
Users and claims

Users
The user database in an environment can contain an infinite number of users.

Internal and external users
Support for both internal users in the environment and optionally external users. Both user types can be provisioned. The external users can be created during login and the user can be asked for e.g. a name.

Claims
All user data is processed as claims. Add information to users as claims. Authorize users with role claims or a more complex claim structure.

Transform claims
Change revived claims and add claims in claim transformations at different levels. Add/replace/remove/concatenate claims stored on a user, received claims or claims defined in a claim transformation step.

Applications
Application

OpenID Connect or SAML 2.0
Add your application with OpenID Connect (OIDC) or SAML 2.0. Adapt the configuration to suit your application. Support for both login, SSO, logout and single-logout.

Authentication methods
The allowed authentication methods are configured for an application. A subset can be selected in the login call from the application. The user can select an authentication method of more then one is active.

OAuth 2.0 - API
Add you API with OAuth 2.0 and define scope to restrict access. You application and API can be configured as one application and a general API can be configured separately.

SAML 2.0 / OpenID Connect bridge
Configure you application with OpenID Connect and add an external SAML 2.0 Identity Provider (IdP) as an authentication method. Then you have a bridge between the two standards.

Token exchange
Exchange tokens from JWT to JWT or from SAML 2.0 tokens to JWT. Use tokens with least privileges an only valid for one API. Perform token exchange to call another API and thereby restrict who can call an API.

One hour free support!

Request free online support where we can help you get started. Talk about security architecture and do some FoxIDs configuration together.

Choose a plan on FoxIDs cloud or a self-hosting license that's right for you

Free

€0 /month

Pro

30 /month

Enterprise

100 /month
Environments and thus a User Stores 2 4
Up to 8, price
10
Unlimited, price
Custom Domain
Applications and APIs
Web Application (OpenID Connect)
Web Application (SAML 2.0)
Single Page Application (OpenID Connect)
Native Application (OpenID Connect)
Backend Service Application (OAuth 2.0 Client)
API (OAuth 2.0 Resource)
Token Exchange (OAuth 2.0)
Client Authentication Methods
Client Secret Basic
Client Secret Post
Private Key JWT
Authentication Methods
User Login UI
OpenID Provider (OpenID Connect)
Identity Provider (SAML 2.0)
External Login
Token Exchange Trust (OpenID Connect)
Token Exchange Trust (SAML 2.0)
Token Exchange Trust (OAuth 2.0)
Environment Link
Customize UI and Language
Claim Transformations
Two-Factor Authentication (2FA/MFA)
Use your existing user database
Users and External users (optional) 100 1,000
Unlimited, price
2,000
Unlimited, price
Authentications(1) per month 1,000 3,000
Unlimited, price
6,000
Unlimited, price
Token Requests(2) per month 1,000 3,000
Unlimited, price
6,000
Unlimited, price
Control API Reads per month 1,000 3,000
Unlimited, price
6,000
Unlimited, price
Control API Updates per month 500 1,000
Unlimited, price
2,000
Unlimited, price
SLA - Status 98% 99.9%
Log Retention 30 days 180 days 180 days
Prioritized Email Support
Consultants Billed per 30 minutes Billed per 30 minutes Billed per 15 minutes
with a 10% discount
Developer Q&A on Stack Overflow with tag 'foxids'

If you are in EU outside Denmark, please provide the VAT number to avoid VAT. There is no VAT if you are outside EU. In Denmark the VAT is 25%. All pricing in Euro.
Consultants are billed per 30 minutes at an hourly rate of €250.

Feel free to contact us at [email protected], and please write us if you want to change plan.

1) Logins is counted for each environment and therefore counted multiple times in connected environments. Logins is furthermore rated higher if additional logging is enabled.
2) Token requests is counted in each environment. Token requests can be counted multiple times in connected environments with OpenID Connect. Token requests is furthermore rated higher if additional logging is enabled.

Free for development / non-production, small companies, including personal projects and non-profit educational institutions.
Please see license.

Pro

500 /year

Enterprise

1000 /year

Redistribution

4000 /year
Self-hosting Deployment
Production tenants 1 4
8, price
10
Unlimited, price
Environments and thus a User Stores 4
8, price
10
Unlimited, price
50
Unlimited, price
Kubernetes (K8s) / Docker / Azure
Database MongoDB, CosmosDB (only Azure hosting) or PostgreSql
Cache Redis or database
Custom Domain
Applications and APIs
Web Application (OpenID Connect)
Web Application (SAML 2.0)
Single Page Application (OpenID Connect)
Native Application (OpenID Connect)
Backend Service Application (OAuth 2.0 Client)
API (OAuth 2.0 Resource)
Token Exchange (OAuth 2.0)
Client Authentication Methods
Client Secret Basic
Client Secret Post
Private Key JWT
Authentication Methods
User Login UI
OpenID Provider (OpenID Connect)
Identity Provider (SAML 2.0)
External Login
Token Exchange Trust (OpenID Connect)
Token Exchange Trust (SAML 2.0)
Token Exchange Trust (OAuth 2.0)
Environment Link
Customize UI and Language
Claim Transformations
Two-Factor Authentication (2FA/MFA)
Use your existing user database
Users and External users (optional) 1,000
Unlimited, price
2,000
Unlimited, price
4,000
Unlimited, price
Authentications(1) per month 3,000
Unlimited, price
6,000
Unlimited, price
10,000
Unlimited, price
Token Requests(2) per month 3,000
Unlimited, price
6,000
Unlimited, price
10,000
Unlimited, price
Control API Reads per month 3,000
Unlimited, price
6,000
Unlimited, price
10,000
Unlimited, price
Control API Updates per month 1,000
Unlimited, price
2,000
Unlimited, price
4,000
Unlimited, price
Log
Prioritized Email Support
Consultants Billed per 30 minutes Billed per 15 minutes
with a 10% discount
Billed per 15 minutes
with a 10% discount
Developer Q&A on Stack Overflow with tag 'foxids'

If you are in EU outside Denmark, please provide the VAT number to avoid VAT. There is no VAT if you are outside EU. In Denmark the VAT is 25%. All pricing in Euro.
Consultants are billed per 30 minutes at an hourly rate of €250.

Feel free to contact us at [email protected].

Why did we develop FoxIDs?

An identity service should include all necessary features to make secure applications and APIs and yet be affordable. The source code for the full feature set should be available.
The identity service should support both cloud and on-premises deployment and be available on FoxIDs cloud with close to full feature set in all plans at a low cost.

Features and functions

A look at what's possible with FoxIDs

One single Identity Provider

You can benefit from having FoxIDs as one single identity provider when building applications. Development becomes simpler and more secure by using the same identity provider and security standards across all applications. Single sign-on is easier to achieve and APIs can be called securely from all applications.

FoxIDs will then handle user authentication with username+password and optionally MFA or transfer user ID's from users authenticated in an external identity provider such as Microsoft Entra ID (Azure AD), AD FS, IdentityServer, Google or Facebook or others supporting OpenID Connect or SAML 2.0.

The application can choose how the user should log in by setting a authentication method as a parameter in the URL.

OpenID Connect and SAML 2.0 applications

It is a common scenario to have OpenID Connect and SAML 2.0 applications in a enterprise architecture. You can connect both OpenID Connect and SAML 2.0 applications to FoxIDs and configure shared or separate login experiences.

Both single sign-on (SSO) and single logout is supported across different types of applications. And if a SAML 2.0 application needs to call an OAuth 2.0 secured API the SAML 2.0 token can be exchanged to an access token for the API.

Token Exchange

Tokens should be issued with lease privileges. If an application needs to call multiple APIs or API groups it is a good and secure approach to issue a separate access token for each API or API group. Use zero trust (never trust, always verify), validate that each API request is authenticated and authorized in context of the calling client and the end-user.

Initially a limited access token is issued which is granted access (with audience and scope) to be exchanged with token exchange to different API / API group access tokens with specific audiences and scopes.
The initial access token can be issued on user authentication in an OpenID Connect application or with client credentials grant in an OAuth 2.0 application. And thereafter be exchanged to other access tokens.

It is recommended to pass the user's identity securely between APIs. With token exchange in an API, it is possible to issue an access token to another API and thereby calling the next API in the context of the end-user.

SAML 2.0 to OpenID Connect bridge

You can use FoxIDs as a SAML 2.0 to OpenID Connect bridge. Where FoxIDs handles the SAML 2.0 traffic to the external Identity Provider (IdP) and your application connects to FoxIDs with OpenID Connect. You basically only need care about OpenID Connect, the SAML 2.0 connection is handled by FoxIDs.

SAML 2.0 is tricky and an old standard with its shortcomings, and therefore it is often a better choice to use OpenID Connect in your application.

NemLog-in or Context Handler to OpenID Connect bridge

You can connect FoxIDs to NemLog-in (Danish IdP) or Context Handler (Danish identity broker, Fælleskommunal Adgangsstyring) without worrying about the complexity. FoxIDs handles everything related to the OIOSAML3 / SAML 2.0 connection and translate to OpenID Connect. The Danish privilege claim with a base64-decoded XML value can also be transfers to a claim with a readable JSON value.

Your application and possible API is then to connect to FoxIDs with OpenID Connect and OAuth 2.0, and the developer doesn't have to worry much about NemLog-in or Context Handler and all the requirements.