Login providers

Using Feide, you probably want to authenticate people using your service. Through Feide you can enable several login providers. You - as a service provider - decide which login providers your service should accept.

Here you will find more information about the different login providers, how to enable them and when to enable them.

In the customer portal you can enable the following login providers for your service:

Which login providers should you enable?

You need to make sure all your users are able to log in to your service, but you should probably not enable all login providers. That will just make your users confused.

Guidelines on enabling login providers

  • When your users are students, researchers, teachers or other employees in Norwegian education: Enable Feide login.

  • If you need to identify and authenticate users outside the education sector (i.e. parents, alumni): Request enabling of ID-porten login for your service.

  • If you need to identify and authenticate users from the Norwegian health sector, request enabling of HelseID login for your service.

  • If you need to identify and authenticate users from “Tjenester for Sensitive Data”, request enabling of TSD login for your service.

  • When your users are international students, researchers or teachers/employees: Enable eduGAIN login.

  • If your users are in the EU but not students, researchers or employees at an institution with eduGAIN, you should request enabling of eIDAS login for your service.

  • If some of your users come from outside of the education sector, and all you need is a way to recognize them and link them to a user account, you should enable Feide guest user login.

  • During the development and test phase, you can enable Feide test users. Be sure to disable them before moving on to the production environment.

How to enable Feide login

If your users are students, researchers, teachers or other employees in Norwegian education, you probably want to enable Feide login. When editing the service in the Feide customer portal, you can choose which organizations or individual schools get access to activate the service. Read more in How to manage access to services through Feide.

How to enable other login providers

To identify and authenticate those who don’t have Feide accounts, the service can use other login providers through Feide. You - as a service provider - decide which login providers your service should accept. With other login methods, the service only receives the information available from the specific login provider. It will not necessarily receive all the attributes defined in the user information tab for the service in the Feide customer portal, because that information cannot be retrieved from the host organization’s directory. The specific information available is listed under each login method.

You can enable other login providers in addition to Feide login when adding or editing OIDC-configuration for a service in the Feide customer portal.

Some of the login providers can only be enabled by Sikt upon request due to specific requirements for use.

Screenshot of available login providers

If you enable all login providers, this is what your users will see the first time they log in:

Screenshot of enabling all login providers in Feide login window

How to enable ID-porten login

If your users are people outside of education, i.e. parents or alumni, and you still want a high security level on your logins, request enabling of ID-porten login for your service.

When the user logs in to your service with ID-porten, your service will receive information from ID-porten, e.g. the user’s name and Norwegian national identification number.

To enable ID-porten, the following criteria must be met:

  • The service must be registered by an organization (not a private person).

  • The organization must apply for ID-porten login by sending an email to kontakt@sikt.no. Be sure to put “ID-porten login through Feide” in the subject and include a description of why the service needs ID-porten.

  • Only enterprises in public sector and enterprises carrying out tasks on behalf of, and wholly or partly funded by, the public sector can use ID-porten. More information about ID-porten terms of use (Norwegian only).

Sikt will invoice the service providers and host organizations that use ID-porten based on their share of the total number of ID-porten logins through Feide.

The invoice will be sent to the service provider when the user logs in with alternative login. If the host organization has enabled ID-porten as an external login method or multi-factor authentication, the host organization is invoiced. The cost per login varies from year to year and is not known before Feide gets invoiced by DigDir/ID-porten because of their payment model.

See the terms of use with ID-porten login.

ID-porten as another login method should not be confused with ID-porten as external login and multi-factor authentication that a host organization can enable for their users. When a host organization has enabled ID-porten, you as a service provider will not see the difference between user login through ID-porten with Feide and direct logins with Feide. Your service will receive the same attributes in each case. Note that only users with a Feide account can use ID-porten with Feide as a login method.

How to enable international login through eduGAIN

If your users are international students, researchers, teachers or other employees, you should enable eduGAIN login.

eduGAIN is an international trust exchange between identity federations, mostly in Europe, but also in the US, Brazil, Japan and more. It allows users abroad to log in to Feide services with their local accounts, with trusted identity information through eduGAIN.

The global scope of eduGAIN adds some complexity when it comes to technical compatibility, semantics of attribute release and more. Feide tries to offload these challenges from applications and adopt a flexible attribute policy that works with many providers.

There are some limitations to using eduGAIN with OIDC. Not all information you can get about the user through eduGAIN with SAML-integration is available for OIDC services. The information that can be retrieved is name, e-mail and user identifier. We do not support affiliation information through eduGAIN for OIDC services. It is not straightforward for Feide to facilitate and it requires some work on our part. Since only a few Feide services offer login through eduGAIN, this work cannot be prioritized right now. Hopefully, affiliation information will become available in the near future.

You can enable eduGAIN when adding or editing OIDC-configuration for a service in the Feide customer portal under “Allow other login methods”. For services that are integrated through Feide with OIDC, the international universities need to first activate the service Dataporten provided by Sikt before activating your service.

To enable eduGAIN login on Feide, you MUST follow these eduGAIN policies:

How to enable international login through eIDAS

If your users are in the EU but not students, researchers or employees at an institution with eduGAIN, you could request enabling of eIDAS login for your service.

eIDAS is the European federation of citizen login and trust services and is connected to ID-porten. eIDAS gives individuals in the EU and the EEA access with one electronic ID. At the European level, it means that different countries approve each other’s solutions for authentication and user access. Norway participates in eIDAS, and this is administered via ID-porten. As of February 2020, the following countries are connected in the production environment: Belgium, Croatia, Estonia, Italy, Luxembourg and Spain.

When the user logs in to your service with eIDAS, your service will get the information available from the country’s electronic ID provider.

Mandatory attributes with eIDAS are personal identifier, first name, last name and date of birth. You can find more information about eIDAS and the available attributes on the Norwegian Digitalisation Agency’s technical documentation website: https://docs.digdir.no/oidc_func_eidas.html.

Follow the same procedure as when enabling ID-porten above. Use the subject “eIDAS login through Feide”.

eIDAS can only be enabled by Sikt and you need to request it to be enabled for your service. This is done by sending an email to kontakt@sikt.no. Be sure to send the name of your service and client ID or name of the configuration so it is easier for us to activate it.

How to enable login through HelseID

Warning

This is a proof of concept implementation. It may be changed or discontinued at short notice.

For users that don’t have a Feide account but have access to a valid HelseID account, you can request enabling of login through the “HelseID” solution.

HelseID can only be enabled by Sikt and you need to request it to be enabled for your service. This is done by sending an email to kontakt@sikt.no. Be sure to send the name of your service and client ID or name of the configuration.

HelseID is a login solution for healthcare personnel. HelseID provides an easy and secure way to log in for personnel working within this sector. More information about HelseID can be found here.

When the user logs in to your service with HelseID, your service will today get information about the user’s Norwegian personal number that is available from HelseID.

How to enable login through TSD

Warning

This is a proof of concept implementation. It may be changed or discontinued at short notice.

For users that have a TSD account, you can request enabling of login through the “TSD” solution.

TSD can only be enabled by Sikt and you need to request it to be enabled for your service. This is done by sending an email to kontakt@sikt.no. Be sure to send the name of your service and client ID or name of the configuration.

TSD is a login solution for “Tjenester for sensitive data”. More information about TSD can be found here.

When the user logs in to your service with TSD, your service will get information about the user’s TSD project and username that is available from TSD.

How to enable login for Feide guest users

For users that don’t have a Feide account, you can enable login through the “Feide guest users” solution, also known as OpenIdP. If you enable it, users will log in to your service with a Feide guest user that they have made. Your service will only receive information about the user’s name, username and email that the user has registered.

The “Feide guest users” solution is managed by Sikt, and is in the process of being phased out. Note, however, that the solution will be replaced and users will be alerted before it is removed.

Feide guest users are enabled when adding or editing OIDC-configuration for a service in the Feide customer portal under “Allow other login methods”.

How to enable Feide test users

During the development and test phase, you can enable login for Feide test users. This is done by checking this box for test users when adding or editing OIDC-configuration for a service in the Feide customer portal:

Screenshot of enabling Feide test users

Be sure to disable Feide test users before you move your service to a production environment.

For more information about the test users, including how to access them, see our documentation about test users.

How to enable Feide service providers

During the development and test phase, you can enable login for Feide service providers. These are personal user accounts for various service providers.

Enable these users by checking the box for service provider users when adding or editing OIDC-configuration for a service in the Feide customer portal:

Screenshot of enabling Feide service providers

Be sure to disable Feide test users before you move your service to a production environment.

For more information about the test users, including how to access them, see our documentation about test users.
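The sections above note that each login provider supplies a different set of attributes and that test accounts belong to the development and test phase. The following is an added example, not code from Feide or Sikt, of a service-side check that fails closed when a provider cannot supply what the service needs. The provider keys and attribute names are hypothetical labels rather than Feide claim names, and the caller is assumed to have already validated the login and determined which provider was used.

```python
# Added example. Provider keys and attribute names are hypothetical labels,
# not Feide claim names; the sets mirror what the page says each provider supplies.
PROVIDER_ATTRIBUTES = {
    "idporten": {"name", "national_id"},
    "edugain": {"name", "email", "user_id"},  # OIDC: no affiliation
    "eidas": {"personal_identifier", "first_name", "last_name", "date_of_birth"},
    "helseid": {"national_id"},
    "tsd": {"project", "username"},
    "guest": {"name", "username", "email"},
}
# Account types the page describes for the development and test phase.
NON_PRODUCTION = {"feide_test", "feide_service_provider"}


class LoginRejected(Exception):
    """Raised when a login must not create or update a local session."""


def production_config_problems(enabled):
    """Return enabled providers that should be off in a production deployment."""
    return sorted(set(enabled) & NON_PRODUCTION)


def admit(provider, profile, required, production=True):
    """Return the required attributes from profile, or raise LoginRejected.

    provider: which login provider the (already validated) login came from.
    profile:  attributes received for this login (a constructed dict here).
    required: attributes the service needs before it admits the user.
    """
    if provider in NON_PRODUCTION:
        if production:
            raise LoginRejected(f"{provider} logins are for development and test only")
    elif provider not in PROVIDER_ATTRIBUTES:
        raise LoginRejected(f"login provider {provider!r} is not accepted")
    else:
        unsupported = sorted(set(required) - PROVIDER_ATTRIBUTES[provider])
        if unsupported:
            raise LoginRejected(f"{provider} does not supply {unsupported}")
    missing = [key for key in required if not profile.get(key)]
    if missing:
        raise LoginRejected(f"login is missing {missing}")
    return {key: profile[key] for key in required}


if __name__ == "__main__":
    # Constructed sample login, not real data.
    visitor = {"name": "Ada Example", "email": "ada@example.org", "user_id": "u-123"}
    print(admit("edugain", visitor, ["name", "email"]))
    print(production_config_problems(["edugain", "feide_test"]))
```
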

Phased out: Login through social media

Warning

Logins with Twitter, LinkedIn and Facebook were phased out from July 3rd, 2023. This is due to social media logins being very little used. We recommend that services with a need for social media login integrate such login directly.