Unilogin - kmd-identity/documentation GitHub Wiki
Unilogin is a SAML identity provider (IdP) owned by Styrelsen for IT og Læring (STIL) which provides a digital ID for pupils, parents and employees working at educational institutions. For more information about what Unilogin is, go to STIL's website.
KMD Identity supports both SAML and OpenID applications that would like to authenticate users using Unilogin.
How to get started
To integrate with Unilogin via KMD Identity:
Step 1 - Register your application(s) with KMD Identity. See the "Get Started" pages for SAML and OpenID applications.
Step 2 - Have the integration enabled for your application. Follow the instructions on this page, which detail the requirements to use a specific integration, what we need to know from you and how to contact us.
Unilogin test users
Unilogin has published a small number of test user credentials for use in their Ekstern Test (ET) environment here.
Unilogin LoA (Level of Assurance) and NSIS levels
Unilogin has a list of different Unilogin LoA levels and the corresponding NSIS LoA levels here.
Logon methods
By default, KMD Identity requests Unilogin's own "default" logon method. Currently this means the user is asked to log on with their username and password (one-factor authentication). The user can optionally decide to authenticate with NemID/MitID through two-factor authentication.
Upon request, KMD Identity can enable your application to select the logon method. Once enabled, you can add a query parameter named "accr" to your logon request. The values that can be sent in this parameter are:
- Loalow
- Loasubstantial
- AdultVerified
- OneFactor [DEPRECATED]
- TwoFactor [DEPRECATED]
KMD Identity maps these to the values supported by Unilogin and adds them to the SAML request with which the user is then redirected to Unilogin. Unilogin will prompt the user to use the correct logon method if it receives a request for a level higher than one-factor (the default). However, you should always verify that the token your application receives has the expected assurance level. See the link above for the possible claim values.
If certain areas of your application require step-up, a new login request should be sent to KMD Identity with the desired level. To see examples, go to the test applications.
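One way to set the "accr" parameter and check the returned assurance level, as an added example that is not KMD Identity's own code. The logon URL, the claim name `loa` and the `PLACEHOLDER-...` claim values are assumptions; replace them with the claim and values from the Unilogin LoA list.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# accr values listed on this page; the deprecated ones are refused for new requests.
ACCR_VALUES = {"Loalow", "Loasubstantial", "AdultVerified"}
ACCR_DEPRECATED = {"OneFactor", "TwoFactor"}

# Assumption: name of the assurance claim in the token. Take the real name
# and values from the Unilogin LoA list; these are constructed placeholders.
LOA_CLAIM = "loa"
ACCEPTED_CLAIMS = {
    "Loalow": {"PLACEHOLDER-low", "PLACEHOLDER-substantial"},
    "Loasubstantial": {"PLACEHOLDER-substantial"},
}


def with_accr(logon_url: str, accr: str) -> str:
    """Return logon_url with exactly one accr query parameter set."""
    if accr in ACCR_DEPRECATED:
        raise ValueError(f"accr value {accr!r} is deprecated")
    if accr not in ACCR_VALUES:
        raise ValueError(f"unknown accr value {accr!r}")
    parts = urlsplit(logon_url)
    # Drop any accr already present so a caller-supplied URL cannot downgrade it.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "accr"]
    query.append(("accr", accr))
    return urlunsplit(parts._replace(query=urlencode(query)))


def assurance_ok(claims: dict, requested_accr: str) -> bool:
    """Fail closed: True only if the token's claim satisfies the requested level.

    `claims` must come from a token whose signature, issuer, audience and
    expiry have already been validated by your OIDC/SAML library.
    """
    accepted = ACCEPTED_CLAIMS.get(requested_accr)
    value = claims.get(LOA_CLAIM)
    # A missing claim, a non-string value or an unmapped level is a rejection.
    return bool(accepted) and isinstance(value, str) and value in accepted
```

For step-up, call `with_accr` with the higher level for the new login request and run `assurance_ok` against that same level before granting access to the protected area.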