Privileges - kmd-identity/documentation GitHub Wiki

Privileges is a claim that a user can receive in the assertion when authenticating in KMD Identity using the NemLogin-3-Prod-Public IDP.
The privilege can then be used in your application to grant the user privileges:

  1. as a private person to do something on behalf of another citizen. This is called a Citizen Delegation Privilege, and the citizen's CPR number is used as scope. It requires signing in with private NemLogin/MitID.

  2. as an employee to do something on behalf of a company. This is called Employee Privilege and uses the CVR number for scope. It requires the user to sign in with NemLogin/MitID and choose the professional profile.

The privilege claim is called "https://data.gov.dk/model/core/eid/privilegesIntermediate". It is sent in base64-encoded format.
Below is an example from our test user:

PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48YnBwOlByaXZpbGVnZUxpc3QgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeG1sbnM6YnBwPSJodHRwOi8vZGlnc3QuZGsvb2lvc2FtbC9iYXNpY19wcml2aWxlZ2VfcHJvZmlsZSI+PFByaXZpbGVnZUdyb3VwIFNjb3BlPSJ1cm46ZGs6Z292OnNhbWw6Y3ByTnVtYmVySWRlbnRpZmllcjoxNDEyNzQxMjczIj48UHJpdmlsZWdlPnVybjpkazprbWQ6cG46bmV4dXNib3JnZXJwb3J0YWw6ZnVsZG1hZ3Q8L1ByaXZpbGVnZT48L1ByaXZpbGVnZUdyb3VwPjwvYnBwOlByaXZpbGVnZUxpc3Q+

When decoded it is XML and looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:bpp="http://digst.dk/oiosaml/basic_privilege_profile">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cprNumberIdentifier:1412741273">
    <Privilege>urn:dk:kmd:pn:nexusborgerportal:fuldmagt</Privilege>
  </PrivilegeGroup>
</bpp:PrivilegeList>
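
An added example (not KMD Identity's own code) of consuming the claim in an application: decode it, parse the XML, and check a Citizen Delegation Privilege against the exact CPR number being acted on. It assumes the claim was read from an assertion or token whose signature has already been validated; the function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

BPP_NS = "http://digst.dk/oiosaml/basic_privilege_profile"
CPR_SCOPE = "urn:dk:gov:saml:cprNumberIdentifier:"

# Added example; function names are hypothetical, not a KMD Identity API.
# Sample: the page's decoded test-user XML, re-encoded the way the claim is sent.
SAMPLE_CLAIM = base64.b64encode((
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<bpp:PrivilegeList xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:bpp="http://digst.dk/oiosaml/basic_privilege_profile">'
    '<PrivilegeGroup Scope="urn:dk:gov:saml:cprNumberIdentifier:1412741273">'
    '<Privilege>urn:dk:kmd:pn:nexusborgerportal:fuldmagt</Privilege>'
    '</PrivilegeGroup></bpp:PrivilegeList>'
).encode("utf-8")).decode("ascii")


def parse_privileges(claim_b64):
    """Return {scope: {privilege, ...}}; raise ValueError on malformed input."""
    try:
        text = base64.b64decode(claim_b64, validate=True).decode("utf-8")
    except ValueError as exc:  # bad base64 or bad UTF-8
        raise ValueError("claim is not base64-encoded UTF-8") from exc
    # The claim needs no DTD; refusing one rules out entity-expansion input.
    if "<!DOCTYPE" in text:
        raise ValueError("DTD not allowed in privilege claim")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError("claim is not well-formed XML") from exc
    if root.tag != "{%s}PrivilegeList" % BPP_NS:
        raise ValueError("unexpected root element")
    grants = {}
    for group in root.findall("PrivilegeGroup"):
        scope = group.get("Scope")
        if not scope:
            raise ValueError("PrivilegeGroup without Scope")
        names = {(p.text or "").strip() for p in group.findall("Privilege")}
        grants.setdefault(scope, set()).update(names - {""})
    return grants


def may_act_for_citizen(claim_b64, privilege, cpr):
    """True only if the privilege is granted with exactly this CPR as scope."""
    try:
        grants = parse_privileges(claim_b64)
    except ValueError:  # fail closed on anything malformed
        return False
    return privilege in grants.get(CPR_SCOPE + cpr, set())
```

The check compares the full scope string, so a privilege granted for one CPR number never authorizes an action on behalf of another.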

For more information regarding privileges see this document from Digitaliseringsstyrelsen.
Please note that the model used in KMD Identity is the Intermediate model.

Get started

To receive a privilege for your users contact KMD Identity and supply:

  • Either the client ID (OpenID) or relying party identifier (SAML) of your application
  • Name of the privilege
  • If it is a new privilege, also the type: citizen or employee