KMD Identity Description - kmd-identity/documentation GitHub Wiki

Service description

KMD Identity is a generic service/component created by KMD to make it easy for KMD software to integrate with NemLog-In3 (and thereby with MitID). The focus of the product is to use the market-available MitID broker (NemLog-In3) to give citizens the highest possible security level while reducing the effort of the NemID to MitID migration. It is worth emphasizing that KMD Identity relies fully on NemLog-In3 and does not connect directly to the MitID core when authenticating users: KMD Identity acts as a sub-broker for NemLog-In3.

KMD Identity replaces the previous internal infrastructure called Federation Broker, which was classified as a gateway for NemLog-In2. With the phase-out of the gateway model and the introduction of the NSIS standard, KMD Identity takes over the role of central integration component for KMD software and acts as a sub-broker.

Developing one generic component (used across KMD) ensures compliance with the Identity Providers' requirements and keeps the authentication process secure and reliable. Following modern software architecture patterns (such as microservices), we chose to provide the component as a service rather than as a dedicated library, which further strengthens security and availability and streamlines support. The component is an integral part of the KMD offering, not a separate offering.

Being an integrated part of KMD software, the component simply forwards the communication and claims from the Identity Provider to the Relying Party.

Supported Identity Providers:

High level architecture

KMD Identity is a cloud-based solution built on the Microsoft Azure infrastructure stack. The main components of the KMD Identity infrastructure are a set of Active Directory Federation Services (AD FS) servers, which provide federated identity by securely sharing digital identities and entitlements across security and enterprise boundaries. The high-level architecture of KMD Identity and a detailed description of the infrastructure are available for internal use; contact the KMD Identity team for details.

Processes and flows supported by solution

KMD Identity supports two main protocols: OpenID Connect and SAML.

For the supported flows, refer to the corresponding part of the documentation (Supported OpenID flows).

KMD Identity interfaces/API’s

As a central platform, KMD Identity connects Identity Providers and Relying Parties. Both parties integrate with KMD Identity using one of the two protocols mentioned above. The integration points depend on the protocol and on the role in the process and may include a federation metadata URL (SAML) or the .well-known/openid-configuration discovery document (OpenID Connect). Both are covered in the corresponding chapters of this wiki.

Admin API’s

KMD Identity offers an API limited to the administrators of the system for performing administrative tasks in the infrastructure, as part of automation and infrastructure maintenance. The API is exposed as a REST endpoint and is accessible only to KMD Identity administrators.

Self-service API for Service Providers

An API to simplify management and self-service for Service Providers is not implemented.

Payments

KMD Identity is a centrally developed and maintained component that simplifies integration with Identity Providers (NemLog-in3, Unilogin, AD, etc.) for KMD products. Use of KMD Identity is free of charge; however, fees might apply due to the costs associated with the underlying IdP (e.g. NemLog-In3 for private service providers). KMD Identity does not charge internal products or end-customers directly. Any pricing details are agreed, calculated, and invoiced by the respective product areas and business units in KMD. As mentioned above, KMD Identity is not a standalone offering and should always be perceived as part of a KMD product. KMD products use both authentication and authorization; KMD Identity is therefore a tool that enables these for the needs of KMD products.

Terms and Conditions

KMD Identity provides high-security services, protecting all data transmitted and stored in the authentication process. KMD Identity allows the token to be extended with additional claims (the custom claims feature). The content of those claims is not controlled by KMD Identity; it is, however, forbidden to put special categories of personal data (in the GDPR sense) into custom claims. Always contact KMD Identity and the respective product area if you are in doubt.

End-users and Relying Parties (KMD software) must always use the Electronic Identifier in accordance with the issuer's policies (including policies for use). Transferring Electronic Identifiers to others is forbidden. KMD software acting as a Relying Party for KMD Identity must fully comply with the Identity Provider's requirements on the usage of the Electronic Identifier, including session lifetime, expiration dates, certificate validation, etc.
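The integration points mentioned earlier (the .well-known/openid-configuration document and the key set at its jwks_uri) and the Relying Party obligations in this section (expiration dates, validation of the issuer's signing key) come together in the ID-token check a Relying Party performs on every login. The Go program below is an added example, not KMD Identity's or NemLog-In3's code; the issuer URL, key id, client id and claims are constructed placeholders, and the token is minted locally with a throwaway RSA key so that the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Discovery holds the issuer and jwks_uri an RP reads from /.well-known/openid-configuration.
type Discovery struct{ Issuer, JWKSURI string }

// JWK is one RSA public key as served at jwks_uri (N and E are base64url); JWKS is the key set.
type JWK struct{ Kid, Kty, N, E string }
type JWKS struct{ Keys []JWK }

type Claims struct { // ID-token claims the RP checks
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding
func b64int(s string) *big.Int { b, _ := enc.DecodeString(s); return new(big.Int).SetBytes(b) }

// ValidateIDToken performs the RP-side checks on an RS256 ID token: the algorithm is pinned, the
// signing key is selected by kid from the JWKS, then signature, issuer, audience and expiry are verified.
func ValidateIDToken(tok string, disc Discovery, jwks JWKS, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = enc.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // the token never chooses the algorithm: blocks alg=none and HS256 key confusion
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			pub = &rsa.PublicKey{N: b64int(k.N), E: int(b64int(k.E).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != disc.Issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != clientID:
		return nil, errors.New("audience mismatch")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// IssueIDToken and JWKSFor stand in for the broker side so the example runs offline (test fixture,
// not KMD Identity's code): a throwaway key signs the token and is published as the key set a jwks_uri would serve.
func IssueIDToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	d := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

func JWKSFor(pub *rsa.PublicKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kid: kid, Kty: "RSA", N: enc.EncodeToString(pub.N.Bytes()), E: enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}}
}
```

In production the Discovery and JWKS values are fetched over TLS from the broker's discovery URL and cached, and the JWKS is refreshed when an unknown kid appears, since brokers rotate signing keys; a key found in the JWKS is only trusted because it was obtained from the issuer's own jwks_uri, which is the "certificate validation" obligation in practice. The nonce and state parameters of the OpenID Connect flow are not shown here.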

KMD Identity takes all necessary precautions to protect confidential information; it is, however, critically important that end-users protect their personal IDs. Different Identity Providers publish different sets of recommendations and policies for end-users.

MitID guidelines

For MitID, follow the guidelines provided on the MitID web page (quoted below) or the advice on sikkerdigital.dk.

  • Do not show your codes to others.
  • Do not ever share your MitID app, MitID code display or MitID audio code reader with others.
  • Do not share your user ID with others – with the exception of MitID support, if and only if you have initiated the contact.
  • Do not ever approve a transaction using MitID based on a phone call, an e-mail or a visit from someone pretending to represent a bank, support or something else. You will never be contacted in that way.
  • Always read the transaction text for the transaction you are about to approve with MitID. If the text does not correspond with your intentions, or if you have not initiated the transaction, do not approve.

In case of a compromise or suspected compromise, the end-user or Relying Party is expected to immediately request that the Electronic Identifier be blocked. Moreover, renewal of the Electronic Identifier must be requested immediately if its content no longer corresponds to the facts (including the information provided during the registration process).

Privacy policy

KMD Identity is not a standalone offering and acts as a sub-broker in the authentication flow. Therefore, KMD Identity processes only the data required by Service Providers or Identity Providers, and only for the purpose of the authentication process or to meet compliance requirements. All personal data required by MitID is collected during the registration process by the MitID owners (MitID is jointly owned by the Danish Agency for Digitisation and the Danish banks). Citizens consent to the MitID terms and conditions when they register and activate MitID.

KMD Identity follows KMD Privacy Policy on storing and processing data.

The scope of audit data and diagnostic logging data is defined and described by “Technical requirements for connection of IT system in NemLog-in” section “Logging policy”.

For the detailed purpose of processing data, refer to the specific KMD software.