Adding Feide login to a service

The process for adding Feide login to a service varies greatly between different services. Some services have built-in support for federated login / single sign-on that can be used with Feide. Other services may require you to add a custom authentication plugin.

Protocols

Feide supports two protocols for integration with services:

  • SAML 2.0
  • OpenID Connect

The choice of protocol depends on several factors.

The largest limitation is that not all Feide users can access services that use the OpenID Connect protocol. The OpenID Connect protocol in Feide is only available for users from organizations that are connected to “Nye Feide”. We are in the process of rolling out “Nye Feide” to all organizations connected to Feide, but there are still many organizations that do not have access. For an overview of which organizations have “Nye Feide” enabled, see q.feide.no.

Other factors that may affect your choice of protocol are:

  • Existing support in applications / frameworks: Some applications and web frameworks have built-in support for one of the protocols. In that case, it is usually easiest to use the protocol already supported.
  • Support for logging into mobile applications: The OpenID Connect protocol is simpler to use when logging into mobile applications. Using this protocol allows your mobile application to directly obtain an OAuth 2.0 access token that can be used to access APIs.
  • Complexity of the protocol: The OpenID Connect protocol is in general simpler than the SAML 2.0 protocol.

Integration methods

Depending on the software used to implement the service and the architecture of the service, there are several methods that can be used to integrate the service with Feide.

  • Some software or software frameworks may already have support (either directly in the software or through plugins) for SAML 2.0 or OpenID Connect.
  • In some cases, authentication can be handled by a web proxy that runs in front of the software. This proxy can perform the Feide authentication and pass user data to the application through request headers. With this method the application must only be reachable through the proxy, and the proxy must overwrite any copies of those headers sent by the client; otherwise a user could forge the user data.
  • You can add support for Feide directly into the software. If you go for this solution, we strongly encourage you to use existing libraries that implement the SAML 2.0 protocol or OpenID Connect protocol. This is because the protocols can be very complicated, especially the SAML 2.0 protocol.

Adding Feide login to the service

Once you have decided on a protocol and integration method, you can add Feide login to the service. The exact method for performing this depends on the software, frameworks and libraries used. Please refer to the documentation of the relevant software for details about how to configure a SAML 2.0 / OpenID Connect integration.

In general it will be something like the following:

  1. Add any required plugins/components/libraries to the service.

  2. Configure the software to connect to the Feide login system.

    For SAML 2.0 services, this is typically done via SAML 2.0 metadata. Feide provides two sets of SAML 2.0 metadata, one for the test system and one for the production system.

    For OpenID Connect, we do not have a separate test system. The OpenID Connect configuration is available in OpenID Connect Discovery format from our login system. If the software supports OpenID Connect Discovery, you can configure the software with the following Issuer, and it should automatically fetch the required configuration: https://auth.dataporten.no

  3. Determine what attributes / scopes your software needs to work.

    In SAML 2.0, user information is transferred to the service as SAML 2.0 attributes in the login response. The software can typically make the attributes available to your service in various ways. For an overview of the available attributes, see our attribute list.

    In OpenID Connect, the scopes of your application determine what data the service can receive. See our overview of scopes for details about the scopes and what they give access to.
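The OpenID Connect side of steps 2 and 3 (consuming the Discovery configuration and building the first authorization request with the chosen scopes), as an added Python example that is not from the Feide documentation or any Feide library. Only the issuer https://auth.dataporten.no comes from the page; the discovery document is a constructed sample with placeholder endpoint paths, and the client id, redirect URI and `openid`/`profile` scopes are assumptions.

```python
import json
import secrets
from urllib.parse import urlencode

FEIDE_ISSUER = "https://auth.dataporten.no"  # issuer named in the Feide docs

# Constructed sample shaped like a discovery document. A real relying party
# fetches <issuer>/.well-known/openid-configuration over HTTPS instead; the
# endpoint paths below are placeholders, not Feide's actual configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": FEIDE_ISSUER,
    "authorization_endpoint": FEIDE_ISSUER + "/placeholder/authorize",
    "token_endpoint": FEIDE_ISSUER + "/placeholder/token",
    "jwks_uri": FEIDE_ISSUER + "/placeholder/jwks",
    "response_types_supported": ["code"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def load_discovery(doc_text, expected_issuer):
    """Parse a discovery document and accept it only if its issuer is exactly
    the configured one. Discovery requires this match; it stops a document
    served by another party from pointing logins at endpoints of its choosing."""
    doc = json.loads(doc_text)
    missing = [key for key in REQUIRED_KEYS if key not in doc]
    if missing:
        raise ValueError("discovery document lacks: " + ", ".join(missing))
    if doc["issuer"] != expected_issuer:
        raise ValueError("issuer %r != configured %r" % (doc["issuer"], expected_issuer))
    return doc

def begin_login(config, client_id, redirect_uri, scopes):
    """Build the authorization-code request. Returns the redirect URL plus the
    fresh state and nonce the service must keep in the user's session: state is
    checked on the callback, nonce against the ID token's nonce claim."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # the scopes decide which user data is released
        "state": state,
        "nonce": nonce,
    }
    return config["authorization_endpoint"] + "?" + urlencode(params), state, nonce

def callback_state_matches(stored_state, returned_state):
    """Constant-time check of the state echoed back on the redirect URI."""
    return bool(stored_state) and secrets.compare_digest(
        stored_state.encode(), (returned_state or "").encode())
```

The code exchange and ID token validation (signature via jwks_uri, iss, aud, exp and the nonce) follow these steps and are best left to an existing OpenID Connect library, as recommended above.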

Registering the service in Feide

Once you have decided on a protocol and integration method, you can register the service in Feide. SAML 2.0 services can be registered in the Feide customer portal. OpenID Connect services must be registered in the Dataporten dashboard. See the relevant documentation for details:

Testing the integration

When the service is registered in Feide, you can test the integration.

For SAML 2.0 services, start login in the service. You should then be sent to the Feide login system. Select “Feide” as the organization, and log in using the username “test” and the password “098asd”. You should then be sent back to your service.

For OpenID Connect, start login in the service. On our login system, select “Feide test users”. You can then log in using test users. For login details for the test users, see the “Test users” list in your application on the Dataporten dashboard <https://dashboard.dataporten.no/>.