Fælleskommunal adgangsstyring

Access control and user rights for internal web users are handled by Fælleskommunal Adgangsstyring: https://digitaliseringskataloget.dk/l%C3%B8sninger/adgangsstyring-brugere

It was agreed to use Context Handler 2 as it was in production when OS2valghalla was planned to be production ready in October 2023.

This means Context Handler 1 is not supported in OS2valghalla.

Context Handler 2 roadmap

[Screenshot of the Context Handler 2 roadmap, taken 2024-01-19]

Security level

It was a non-functional requirement for OS2valghalla 3.0 to support NSIS, since this is the new security model used by KOMBIT and other public authorities in Denmark.

The required security level has been set to ‘Betydelig’ using an Excel tool made by Digitaliseringsstyrelsen and KOMBIT. This was done with help from Thomas Vangsaa from Vangsaa Consult.

Requirements for local IdPs in municipalities

In January 2024, during the implementation in three test municipalities, it became clear that not all municipalities have their local IdP set up for Context Handler 2 and NSIS yet. Some municipalities have also decided not to use their IdP for NSIS login but instead handle it using MitID Erhverv.

If the municipality can’t support Context Handler 2, they will not be able to log in.

Getting local IdP ready for NSIS

The process of getting the IdP NSIS-ready is a bit complicated; see https://digitaliseringskataloget.dk/digitaliseringsstyrelsen-har-accepteret-nsis-anmeldelse-af-context-handler-2 and https://docs.kombit.dk/id/ededbde2

Thankfully, KOMBIT will distribute a so-called ‘KLIK-opgave’ that describes what is needed. The task has a deadline in May '24 (in relation to the new VALG-system), so we can’t demand that the municipalities solve it. But we can point to it to make them set up both their local IdP and their Fælleskommunal Adgangsstyring setup.

However, some municipalities will not do this yet, since all systems using an NSIS-ready IdP will have to use two-factor login. This means some municipalities, like Skive and Aarhus, are running both an “old” IdP and an NSIS-ready IdP until NSIS and two-factor login are more broadly implemented.

NSIS vs. NIST security level

Until municipalities are ready for NSIS, it is possible to configure each municipality’s OS2valghalla to use a NIST security level instead. This is done at the vendor end of Fælleskommunal Adgangsstyring.

According to KOMBIT there is no available tool to set a NIST level. They suggest this “translation”:

At first glance there is nothing equivalent for determining a NIST level, but one normally makes a translation that goes

NSIS – NIST

Lav (Low) – 2

Betydelig (Substantial) – 3

Høj (High) – 4

We will set the NIST security level to 3. This level requires two-factor login, but the municipalities should be able to handle this.

Municipalities without NSIS enabled IdP

On Jan 19, 2024 KOMBIT writes:

It is of course up to each individual municipality whether they want their IdP to become NSIS approved.

In such cases, their employees will be sent over to NemLog-In 3 to log in with their MitID instead.

So you can easily build a system that requires NSIS; the municipalities can simply choose for themselves whether their own IdP should be NSIS approved or whether they will log in via MitID Erhverv.

For your system there will be no difference.

For the municipalities, it requires that they send the employee's NL3 UUID or CPR along, so that we can compare it with what we get back from MitID Erhverv.

When we can see that the information is the same, we assign roles as we usually do.

If the municipality has no IdP at all, they must put the users' roles etc. in our attribute service.