Managing OpenID Connect applications

After registering the service, you can add OAuth details to configure it by clicking “Add OIDC-configuration” under the Configurations tab.

Screenshot of configuration tab when registering a new service

Redirect URL after login is the URL the client is redirected back to after authentication. This should be available in the documentation of the software you are about to install. The redirect URI can be changed later.

Read more in our technical specification about Feide and OIDC/OAuth.

Redirect URL after logout is the URL that controls where the user is redirected after logging out. The application must also include the URI in the logout request. Read more here.

Screenshot of adding redirect URI for OIDC-configuration
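
The logout request described above, sketched as an added example that is not part of the original page or Feide's own code. It uses the standard OpenID Connect RP-Initiated Logout parameters (`id_token_hint`, `post_logout_redirect_uri`, `state`); the endpoint, the URIs and the function names are assumptions, as is the provider accepting only an exact match of the registered URI.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values, not taken from the page: read the real endpoint from the
# provider's discovery metadata (end_session_endpoint) and use the URI you
# entered under "Redirect URL after logout".
END_SESSION_ENDPOINT = "https://idp.example.org/openid/endsession"  # placeholder
REGISTERED_LOGOUT_URIS = {"https://app.example.org/logged-out"}     # constructed


def build_logout_request(id_token, post_logout_redirect_uri):
    """Return (url, state) for an RP-initiated logout request."""
    # Refuse anything that is not exactly a registered value, so a
    # user-supplied "return to" parameter can never reach the provider.
    if post_logout_redirect_uri not in REGISTERED_LOGOUT_URIS:
        raise ValueError("logout redirect URI is not registered")
    state = secrets.token_urlsafe(16)  # ties the callback to this request
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    return f"{END_SESSION_ENDPOINT}?{query}", state


def logout_callback_is_valid(callback_url, expected_state):
    """Check that a post-logout callback answers the request we sent."""
    parts = urlsplit(callback_url)
    landed_on = f"{parts.scheme}://{parts.netloc}{parts.path}"
    returned = parse_qs(parts.query).get("state", [""])[0]
    return landed_on in REGISTERED_LOGOUT_URIS and hmac.compare_digest(
        returned.encode(), expected_state.encode()
    )
```

Store the returned `state` in the user's session before redirecting, and compare it when the browser comes back to the logout URI.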

For services that have multiple configurations, for example a service that needs a separate configuration for each organization with access to it, you can enter a different name for each configuration in the field “Configuration name” to tell them apart. The name will be displayed when logging in to the configuration as follows: “You must log in via Feide to access <service name> - <configuration name>”.

Screenshot of adding name for OIDC-configuration

In the field “Configuration login page” you can add the URL for the configuration login page. This is practical for services that have multiple configurations and separate login pages for each host organization.

Screenshot of adding login page for OIDC-configuration

Restricting access

If you have multiple configurations for the service, where only one organization should be able to use this instance, you can configure this using the “Restrict login to selected organizations” checkbox. This means that only host organizations that are added for the configuration appear as a login option in Feide for that configuration, even if other organizations have activated the service. If you choose to restrict login to selected organizations, you need to keep an eye on who has access to each configuration so that it stays up to date.

Screenshot of restrict login to the configuration

Test users

For Feide we have two separate organizations with test users: the “Service Provider” organization and the “Feide” organization. To enable login for Feide test users, check the box for test users. For an OIDC configuration, check the box for the “Service Provider” organization; for a SAML configuration, check the box for the “Feide” organization.

Remember to deactivate test users for your production service when you are not using them. The test users are publicly known, so others may be able to use them to access your service.

Screenshot of enabling Feide test users for OIDC-configuration

To get the test users, send an e-mail to kontakt@sikt.no with information about which configuration is used and what type of organization the test users should come from (primary and lower secondary schools, upper secondary schools and/or universities/university colleges). To check what information is registered about the user, log in to innsyn.feide.no with the test user. We have some standard test users that can be used for testing, but we can also create a couple of new test users if it’s necessary for testing the service.

Start the login in the service, and you should then be sent to the Feide login system. Select “Feide” as the organization for SAML or “Feide test users” under “Other login alternatives” for OIDC, and log in using the username and the password. You should then be sent back to your service.

Allow other login methods

With OpenID Connect, services using Feide can enable a variety of login providers. In addition to allowing login for users from Norwegian educational institutions, you can also allow users to log in using ID-porten, eduGAIN or social media.

See the login providers overview for more details.

Using third-party APIs

Feide allows institutions and data owners to make available new datasets that will be very easy to use for application developers.

If you are interested in setting up your own API:

Using the API Gatekeeper

The available APIs are listed in the tab for third-party APIs in the dataporten dashboard. Services that are registered in the customer portal are synchronized to the dataporten dashboard, so you don’t need to register a new service in the dataporten dashboard to register or get access to an API.

If you are registered as an administrator in the Feide customer portal, you will be able to log in to the dataporten dashboard with the same credentials. Users without a Feide account should choose Feide Guest users when logging in to the dataporten dashboard.

Screenshot from dashboard showing available third-party APIs

APIs that you have made available yourself will be visible in the My APIs tab, while all others will be available in the 3rd party API tab.

Some APIs may be made available instantly without moderation, while others may require moderation by either the API owner or each of the institutions behind.