Passing extended context information as an IDP

HelseID will parse the incoming ID-Token from an external IDP and use the relevant user information to create a single sign-on session. The following claims are always expected: National Identity Number, Security Level and Authentication Method (amr).

It is a prerequisite that HelseID is integrated with the external IDP using OpenID Connect.

An IDP can also include claims containing extended information about the user. This information must be structured in exactly the same way as if it had been passed by the client. The information will be presented in tokens the same way, but the source will be the IDP instead of the client.

The name of the claim must match a known name that is already registered in HelseID. HelseID does not register or validate the structure of the value beyond checking that it is valid JSON and below a maximum length.

"claim_name": { Json structure that adheres to a well known structure }

HelseID will maintain a registry of claims that can be passed using this mechanism. An IDP can pass values for any known claim, but HelseID will only include the values in ID-Tokens or Access Tokens if the Client or API has been given access to the claim.

A real-world example

The AMK-project needs information about the user's local roles. This information can either be passed by the client software that requests a logon or it can be passed by the IDP. The name of the claim is helseid://claims/external/amk-context.

When passed, the claim looks as follows:

"helseid://claims/external/amk-context": { "roles": [ {"name": "role1"}, {"name": "role2"} ] }

In addition to this claim the ID-Token from the IDP may contain other context claims and the rest of the standard required claims.
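The following is an added example, not HelseID's own code, showing the mechanism described above (required claims, registry lookup, JSON and length checks, and per-client access filtering) applied to the amk-context claim. The claim keys "nin" and "security_level", the maximum length, the treatment of unknown claim names as errors, and the assumption that the token's signature and issuer have already been verified by the OpenID Connect layer are all assumptions made for the example; the page names only "amr" and the amk-context claim.

```python
import json

# Claim keys and limits below are assumptions for this example; the page names
# only "amr" and the amk-context claim, not HelseID's actual key names or limits.
REQUIRED_CLAIMS = ("nin", "security_level", "amr")
EXTERNAL_PREFIX = "helseid://claims/external/"
KNOWN_EXTENDED_CLAIMS = {"helseid://claims/external/amk-context"}  # stand-in for the registry
MAX_CLAIM_LENGTH = 1024  # assumed maximum serialized length of one extended claim


def validate_id_token_claims(claims):
    """Validate the claim set of an ID-Token whose signature and issuer have
    already been checked by the OIDC integration (assumed to happen earlier).

    Returns (extended, errors): extended maps each accepted external claim name
    to its parsed JSON value; errors lists every rule that failed.
    """
    errors = []
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            errors.append(f"missing required claim: {name}")

    extended = {}
    for name, value in claims.items():
        if not name.startswith(EXTERNAL_PREFIX):
            continue  # standard OIDC claims are handled elsewhere
        if name not in KNOWN_EXTENDED_CLAIMS:
            errors.append(f"unknown extended claim: {name}")
            continue
        # The IDP may send the value as a JSON string or as an embedded object;
        # normalise to text so the length limit applies equally to both forms.
        raw = value if isinstance(value, str) else json.dumps(value)
        if len(raw) > MAX_CLAIM_LENGTH:
            errors.append(f"claim too long: {name}")
            continue
        try:
            extended[name] = json.loads(raw)  # structure itself is not validated
        except json.JSONDecodeError:
            errors.append(f"claim is not valid JSON: {name}")
    return extended, errors


def claims_for_audience(extended, granted):
    """Return only the extended claims the client or API has been given access to,
    so an IDP-supplied value never reaches a token it was not authorised for."""
    return {name: value for name, value in extended.items() if name in granted}


if __name__ == "__main__":
    # Constructed sample ID-Token claims, mirroring the amk-context example above.
    sample = {
        "nin": "01019912345",          # constructed, not a real identity number
        "security_level": "4",
        "amr": ["pwd", "otp"],
        "helseid://claims/external/amk-context": {
            "roles": [{"name": "role1"}, {"name": "role2"}]
        },
    }
    extended, errors = validate_id_token_claims(sample)
    print("errors:", errors)
    print("for a client without access:", claims_for_audience(extended, set()))
    print("for a client with access:",
          claims_for_audience(extended, {"helseid://claims/external/amk-context"}))
```

The validator collects every failure instead of stopping at the first one, which gives operators a complete picture when an IDP integration starts sending malformed context; the audience filter is deliberately separate so that the same validated claim set can be reused for ID-Tokens and Access Tokens with different grants.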