...

The second way of handling organization numbers is to set up a multi-tenant client configuration in HelseID. These configurations can represent multiple parent organizations, and HelseID must be informed about which parent organization number to include in the token. The organization number is then validated against Altinn and the delegations that are set up there. HelseID will verify that a delegation exists from the submitted organization number to the organization number of the Supplier stored in the client configuration. If the delegation exists, the organization number will be included in the supplied Access Token. The client can also supply a child organization number. HelseID does not validate this organization number against a whitelist.

Legacy support for Enterprise Certificates

Note

HelseID still supports Enterprise Certificates (virksomhetssertifikat) for client authentication, but they are not supported for new applications in HelseID Selvbetjening.

Information from the Enterprise Certificate is included in claims prefixed with the namespace helseid://claims/client/ec/. The parent organization number and the expiry of the certificate are always included, but the organization name and child organization number may be included if they are available.

The parent and child organization numbers from the Enterprise Certificates are always mapped to the helseid://claims/client/claims/orgnr_parent and helseid://claims/client/claims/orgnr_child claims, so APIs can always use these claims to do access control.
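The following is an added example, not HelseID's own code, of the API-side access control described above; it also covers the earlier point that HelseID does not validate a client-supplied child organization number against a whitelist, by checking it against the API's own list. It assumes the Access Token's signature, issuer, audience and expiry have already been verified; the ALLOWED policy, the function names and the sample organization numbers are constructed for illustration, and the check-digit test is the standard MOD11 rule for Norwegian organization numbers.

```python
PARENT_CLAIM = "helseid://claims/client/claims/orgnr_parent"
CHILD_CLAIM = "helseid://claims/client/claims/orgnr_child"

# Hypothetical API policy: parent orgnr -> child orgnrs accepted under it.
# All organization numbers here are constructed sample values.
ALLOWED = {"123456785": {"987654325"}}

_WEIGHTS = (3, 2, 7, 6, 5, 4, 3, 2)


def is_valid_orgnr(value):
    """True for a 9-digit string whose last digit is a valid MOD11 check digit."""
    if not isinstance(value, str) or len(value) != 9:
        return False
    if not (value.isascii() and value.isdigit()):
        return False
    remainder = sum(int(d) * w for d, w in zip(value, _WEIGHTS)) % 11
    check = 0 if remainder == 0 else 11 - remainder
    # A computed check digit of 10 means no valid number exists for this prefix.
    return check != 10 and check == int(value[8])


def authorize(claims, allowed=ALLOWED):
    """Decide access from the orgnr claims of an already-verified token payload.

    Returns (granted, reason). The parent claim is mandatory; the child
    claim is optional, but when present it must be on the API's own list.
    """
    parent = claims.get(PARENT_CLAIM)
    if not is_valid_orgnr(parent):
        return False, "missing or malformed parent orgnr"
    if parent not in allowed:
        return False, "parent orgnr not permitted"

    child = claims.get(CHILD_CLAIM)
    if child is None:
        return True, "parent only"
    if not is_valid_orgnr(child):
        return False, "malformed child orgnr"
    if child not in allowed[parent]:
        return False, "child orgnr not permitted under parent"
    return True, "parent and child"


if __name__ == "__main__":
    sample = {PARENT_CLAIM: "123456785", CHILD_CLAIM: "111111111"}  # constructed
    print(authorize(sample))
```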

Standard claims

A token will also contain a set of standard claims originating from OpenID Connect and the JSON Web Token specification.

...