Supported identity providers
Mit ID
Idp value: acr_values=idp:MitId
ssn scope support
If the request is made with the ssn scope, the user will be prompted to enter their CPR number upon logging in to Mit ID.
Provider-specific claims
transactionid - unique identifier for user issued by Mit ID.
Transfer of control (Controlled Transfer)
Transfer of control is a way for you to "pass on" the Mit ID user session you initiated to Addo. To initiate transfer of control to Addo Sign, you must include two additional parameters in the authorize request: transfer_token_exchange_code and transfer_token_text.
transfer_token_exchange_code - the code/token you get from your Mit ID broker in exchange for the transfer token text.
transfer_token_text - the text you provide when exchanging user session for transfer exchange code.
Initiating transfer of control
The following is a minimal example that initiates transfer of control to Addo:
https://demo.addosign.net/authentication-service/connect/authorize?response_type=code&redirect_uri={your redirect url}&state={your state information/token}&acr_values=idp:MitId&prompt=login&response_mode=form_post&client_id={your client id}&scope=openid profile&transfer_token_exchange_code={your exchange code}&transfer_token_text={your text}
The same URL with line breaks for clarity:
https://demo.addosign.net/authentication-service/connect/authorize
?response_type=code
&redirect_uri={your redirect url}
&state={your state information/token}
&acr_values=idp:MitId
&prompt=login
&response_mode=form_post
&client_id={your client id}
&scope=openid profile
&transfer_token_exchange_code={your exchange code}
&transfer_token_text={your text}
Information required to initiate transfer of control with your broker
Demo environment
Addo service provider id: c3008304-8e59-4f6e-bb21-173746b1bc6c
Addo Mit ID broker id: f81b4f9a-2ca2-49ec-ba52-654de7edfcdc
Production
Addo service provider id: f5af5a6f-37ce-4d6f-bd2c-e4945a38dceb
Addo Mit ID broker id: a9df260d-42c6-4e4c-85a5-681423673a78
Mit ID Erhverv
Idp value: acr_values=idp:mitid_erhverv
This idp value allows the user to choose between a company (Mit ID Erhverv) identity and a private (Mit ID) identity, if available. Because of this, there are special considerations when implementing this idp value.
ssn scope support
Company identity
If the user chooses a company identity, the ssn scope will be ignored. You will not receive the ssn claim in the identity token or the user info endpoint response.
Private identity
If the user chooses a private identity, the flow is the same as with Mit ID: the user will be prompted to enter their CPR number. The identity token and user info response will contain the ssn claim.
Supported claims
Two different sets of provider-specific claims are available, depending on the identity chosen by the user.
Mit ID Erhverv
transactionid - unique identifier for user issued by the identity provider.
organisationIdentifier - organization name.
cvr - cvr number.
rid - rid number.
Mit ID
See Mit ID Supported claims section.
Identifying what identity was chosen
http://schemas.microsoft.com/identity/claims/identityprovider - the provider chosen by the user. If you allow a user to choose between company and private identities, this claim should be used to determine which one was chosen. Possible values: mitid, mitid_erhverv
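One way a relying party might act on this claim, as an added example (not Addo's code). It assumes the token was already validated by your OIDC library; classify_identity, IdentityPolicyError and the sample claim values are hypothetical. The policy is checked on the server because authorize request parameters, including mitid_erhverv_allow_private, travel through the user's browser.

```python
IDP_CLAIM = "http://schemas.microsoft.com/identity/claims/identityprovider"


class IdentityPolicyError(Exception):
    """The returned identity does not satisfy this application's policy."""


def classify_identity(claims, allow_private=True, require_ssn=False):
    """Map validated ID token / userinfo claims to a company or private identity.

    Assumption: signature, issuer, audience and expiry were already verified
    by your OIDC library; this only interprets the claims documented above.
    """
    provider = claims.get(IDP_CLAIM)
    if provider == "mitid_erhverv":
        # Company identity: the ssn scope is ignored, so never expect ssn here.
        return {
            "kind": "company",
            "transactionid": claims.get("transactionid"),
            "organisation": claims.get("organisationIdentifier"),
            "cvr": claims.get("cvr"),
            "rid": claims.get("rid"),
            "ssn": None,
        }
    if provider == "mitid":
        if not allow_private:
            # Enforce the company-only policy here, not only in the request URL.
            raise IdentityPolicyError("private identity not allowed")
        ssn = claims.get("ssn")
        if require_ssn and not ssn:
            raise IdentityPolicyError("ssn claim missing for private identity")
        return {"kind": "private",
                "transactionid": claims.get("transactionid"), "ssn": ssn}
    # Anything other than the two documented values is rejected.
    raise IdentityPolicyError(f"unexpected identity provider: {provider!r}")


# Constructed sample claim sets (placeholder values, not real data).
COMPANY = {IDP_CLAIM: "mitid_erhverv", "transactionid": "tx-1",
           "organisationIdentifier": "Example ApS", "cvr": "00000000", "rid": "0000"}
PRIVATE = {IDP_CLAIM: "mitid", "transactionid": "tx-2", "ssn": "0000000000"}

if __name__ == "__main__":
    print(classify_identity(COMPANY, allow_private=False))
    print(classify_identity(PRIVATE, require_ssn=True))
```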
Parameters
Allow private
By default, acr_values=idp:mitid_erhverv allows the user to choose either a private or a company identity. If you want to allow only company identities, you must set the mitid_erhverv_allow_private parameter to false. If the parameter is not sent, or its value is true, the user will be able to choose a private identity.
Example
The following is a minimal example with mitid_erhverv_allow_private included. The user will not be able to choose a private identity.
ℹ️ Tip
You can use a tool like Postman to edit the URL below more easily. Paste it into the request URL field and Postman should show each query parameter in its own editable field.
https://demo.addosign.net/authentication-service/connect/authorize?client_id={your client id}&response_type=code&scope=openid profile ssn&redirect_uri={your redirect url}&state={your state information/token}&acr_values=idp:mitid_erhverv&prompt=login&response_mode=form_post&mitid_erhverv_allow_private=false
The same URL with line breaks for clarity:
https://demo.addosign.net/authentication-service/connect/authorize
?client_id={your client id}
&response_type=code
&scope=openid profile ssn
&redirect_uri={your redirect url}
&state={your state information/token}
&acr_values=idp:mitid_erhverv
&prompt=login
&response_mode=form_post
&mitid_erhverv_allow_private=false
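Building the authorize URL in code rather than by hand, covering both the transfer of control example and the mitid_erhverv_allow_private example above. This is an added example, not Addo's code: build_authorize_url and the sample values are hypothetical, and rejecting mitid_erhverv_allow_private for other idp values is this example's own choice.

```python
import secrets
from urllib.parse import quote, urlencode

AUTHORIZE_ENDPOINT = "https://demo.addosign.net/authentication-service/connect/authorize"


def build_authorize_url(client_id, redirect_uri, idp, scopes=("openid", "profile"),
                        transfer=None, allow_private=None, state=None):
    """Return (url, state) for an authorize request with the parameters shown above.

    transfer: optional (exchange_code, text) pair for transfer of control.
    allow_private: optional bool, sent as mitid_erhverv_allow_private.
    """
    # Unguessable state; store it in the user's session and compare on return.
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "acr_values": f"idp:{idp}",
        "prompt": "login",
        "response_mode": "form_post",
        "scope": " ".join(scopes),
    }
    if transfer is not None:
        code, text = transfer
        if not code or not text:
            raise ValueError("transfer of control needs both the exchange code and the text")
        params["transfer_token_exchange_code"] = code
        params["transfer_token_text"] = text
    if allow_private is not None:
        if idp != "mitid_erhverv":
            raise ValueError("mitid_erhverv_allow_private is only sent with idp:mitid_erhverv")
        params["mitid_erhverv_allow_private"] = "true" if allow_private else "false"
    # Percent-encode every value so spaces, '&' and '#' cannot split or
    # truncate the query string (the scope and transfer text contain them).
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params, quote_via=quote)}", state


if __name__ == "__main__":
    # Constructed sample values.
    url, state = build_authorize_url("client-1", "https://app.example/callback",
                                     "mitid_erhverv", ("openid", "profile", "ssn"),
                                     allow_private=False)
    print(url)
```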
Tupas
Idp value: acr_values=idp:Tupas
Norwegian bank ID
Idp value: acr_values=idp:NorwegianBankId
Freja Org
Idp value: acr_values=idp:FrejaOrg
Swedish bank ID
Idp value: acr_values=idp:SwedishBankId
Freja
Idp value: acr_values=idp:Freja
Freja plus
Idp value: acr_values=idp:FrejaPlus
Efos
Idp value: acr_values=idp:Efos
Siths
Idp value: acr_values=idp:Siths