Want To Implement the ID4me Login Button on Your Website?
The average implementation time for a partner to implement the ID4me login on their website or application is less than 30 minutes.
The Login Partner is a service that authenticates End-Users using the ID4me protocol: it redirects the End-User to their Identity Authority for authentication and contacts the Identity Agent to request identity data. If the End-User does not have an ID4me Identifier yet, it points them to an Identity Agent (the user is free to choose which one to work with). In other words, the Login Partner is the service that wants to accept ID4me identifiers so that users can log in more easily and hand over their data. Implementing the Login Partner role can differ considerably depending on the platform, framework or programming language used. This page summarizes useful material and resources for the most common approaches to a Relying Party implementation.
- Technical overview – a good document to start with to learn the principles of the ID4me protocol (pdf)
- ID4me Technical Specification – detailed technical specification of all ID4me-specific usage of OpenID Connect as well as the applied extensions, independent of the role (pdf) (adoc)
- ID4me Relying Party Implementer's Guide – step-by-step guide with full examples of the whole flow from the perspective of the Relying Party (pdf) (adoc)
Repository & Documentation:
- Reference implementation in C#

Framework Libraries / Extensions
Repository & Documentation:
- ID4me Extension to django-allauth
- Plugin from CloudFest Hackathon
- Based on id4me/id4me-rp, only Authentication
- Login with ID4m
- Community contribution, Stable
- Work in progress
- Community contribution, Alpha
Reference designs for the login Button in various formats and sizes are available here: Login_Button.zip.
Implementation tips & hints
As ID4me is based on OpenID Connect, a well-established standard, many libraries are available that cover a large portion of the protocol and save precious implementation time. Many frameworks already have built-in support or APIs for Single Sign-On functionality, either natively or through available plugins or extensions. Before implementing a library from scratch or heading for a very custom implementation, it is worth researching the options available for your purpose.
ID4me uses some features of OpenID Connect that are not always implemented by available libraries; the usual suspects are Dynamic Client Registration and Distributed Claims. Make sure the library of your choice has them covered or allows the missing part to be added easily. If you plan to use ID4me's unique feature of specifying reasons for data requirements, which is not part of OpenID Connect, a custom implementation will most likely be needed.
If heading for your own implementation of OpenID Connect, it is especially advisable to use a well-established and tested library for JOSE and JWT that implements all necessary checks and is free of known security vulnerabilities. A handy repository of options is available at https://jwt.io/ together with a very useful debugger. The library must support JWE (encrypted) and JWS (signed) tokens, and offer handling of JWK and JWK Sets.
Important remarks on ID4me Identifier
The ID4me Identifier provided by the End User as the initial input to the bootstrap process MUST NOT be used by the Relying Party as the identification of that user. It SHOULD, however, be used as the display identification of the End User. Authentication of the End User is asserted by an ID token; the Login Partner SHALL therefore use the claim pair that includes sub to identify the End User in a globally unique way and for any internal associations.
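The two points above (the checks a JOSE/OpenID Connect library must implement, and keying accounts on the ID token rather than on the typed identifier) in working form. This is an added example and not code from the ID4me project: it assumes signature verification has already been done by a JOSE library and only applies the claim checks from OpenID Connect Core, and it pairs sub with the issuer claim iss, which is the standard OpenID Connect way to obtain a globally unique subject. All URLs, client ids and claims are constructed sample data.

```python
# Added example (not ID4me project code). Checks on a decoded ID token and an
# account table keyed on (iss, sub); the identifier the user typed is display only.
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple


class IdTokenError(ValueError):
    """One of the mandatory ID token checks failed."""


@dataclass
class ValidationContext:
    expected_issuer: str   # Identity Authority found during discovery
    client_id: str         # client_id obtained via Dynamic Client Registration
    expected_nonce: str    # nonce stored in the session when the user was redirected
    clock_skew: int = 60   # tolerated clock difference in seconds


def validate_id_token_claims(claims: dict, ctx: ValidationContext,
                             now: Optional[float] = None) -> dict:
    """Apply the OpenID Connect Core ID token checks (after signature verification)."""
    now = time.time() if now is None else now
    if claims.get("iss") != ctx.expected_issuer:
        raise IdTokenError("issuer does not match the Identity Authority from discovery")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if ctx.client_id not in audiences:
        raise IdTokenError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != ctx.client_id:
        raise IdTokenError("multiple audiences but azp is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now - ctx.clock_skew >= exp:
        raise IdTokenError("token expired or has no exp")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + ctx.clock_skew:
        raise IdTokenError("token issued in the future or has no iat")
    nonce = claims.get("nonce")
    # constant-time comparison; a mismatch indicates a replayed or foreign token
    if not isinstance(nonce, str) or not hmac.compare_digest(nonce, ctx.expected_nonce):
        raise IdTokenError("nonce mismatch")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise IdTokenError("missing sub")
    return claims


def token_is_acceptable(claims: dict, ctx: ValidationContext,
                        now: Optional[float] = None) -> bool:
    """Boolean wrapper around validate_id_token_claims for callers that do not raise."""
    try:
        validate_id_token_claims(claims, ctx, now)
        return True
    except IdTokenError:
        return False


def account_key(claims: dict) -> Tuple[str, str]:
    """sub is only unique within one issuer, so the stable key is the pair (iss, sub)."""
    return (claims["iss"], claims["sub"])


@dataclass
class AccountStore:
    """Minimal in-memory account table keyed on (iss, sub)."""
    accounts: dict = field(default_factory=dict)

    def login(self, claims: dict, entered_identifier: str) -> dict:
        key = account_key(claims)
        account = self.accounts.setdefault(key, {"id": len(self.accounts) + 1, "display": None})
        # the identifier the user typed is stored for display only, never used as the key
        account["display"] = entered_identifier
        return account


# Constructed sample data (hypothetical authority, client id and claims)
CTX = ValidationContext(
    expected_issuer="https://auth.example-authority.test",
    client_id="client-abc123",
    expected_nonce="n-0S6_WzA2Mj",
)
SAMPLE_CLAIMS = {
    "iss": "https://auth.example-authority.test",
    "sub": "2f7d9c1e",
    "aud": "client-abc123",
    "exp": 1_700_000_600,
    "iat": 1_700_000_000,
    "nonce": "n-0S6_WzA2Mj",
}

if __name__ == "__main__":
    claims = validate_id_token_claims(SAMPLE_CLAIMS, CTX, now=1_700_000_300)
    store = AccountStore()
    first = store.login(claims, "alice.example.org")
    second = store.login(claims, "ALICE.example.org")
    print("same account:", first["id"] == second["id"])
```

The store deliberately accepts a second login with a differently typed identifier and maps it to the same account, while the same sub presented by a different issuer creates a separate account; that is exactly the behaviour the remark above asks for.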
Tools and testing end-points
Getting a new ID4me Identifier
In order to test your integration you will of course need your own ID4me identifier. You can register one easily, provided you have a domain name on which you can set DNS records. There is an open instance of an Identity Agent working with DENIC's Identity Authority instance (DENIC ID), available at https://identityagent.de.
Register your ID: https://identityagent.de/register
Debugging Relying Party flow
For debugging purposes there is a Relying Party instance at https://rp.test.denic.de/ which allows the full flow through the login process and displays the relevant tokens.
To debug the particular calls a Relying Party needs to make, you can use this Postman collection and just adjust the end-points or values.
DNS Records resolver
This service performs the discovery step that finds the Identity Authority URL behind an ID, including verification of the required DNSSEC signatures of the corresponding DNS zones. Source code.
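The discovery step described above, as an added example that is not the resolver service's own source. It assumes the ID4me discovery record is a TXT record at _openid.<identifier> of the form v=OID1;iss=<Identity Authority host>;clp=<Identity Agent host> (check the key names against the Technical Specification linked above), and that the caller passes the raw TXT strings together with the DNS header flags returned by a validating resolver. The DNS lookup itself is left to the caller; all sample data is constructed.

```python
# Added example (not the resolver service's code). Builds the discovery owner
# name, parses the TXT record and refuses answers that are not DNSSEC-validated.
import re
from typing import Dict, List, Optional

AD_FLAG = 0x0020  # "Authenticated Data" bit of the DNS header (RFC 4035)

# bare host name: dotted labels, letters/digits/hyphens only, no scheme or path
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


class DiscoveryError(ValueError):
    """The identifier or its discovery record is unusable."""


def discovery_name(identifier: str) -> str:
    """Owner name of the discovery TXT record for an ID4me identifier."""
    ident = identifier.strip().rstrip(".").lower()
    if not HOST_RE.match(ident):
        raise DiscoveryError("identifier is not a valid host name")
    return "_openid.{}.".format(ident)


def _host(value: Optional[str], key: str) -> str:
    """Validate that a record field is a bare host name (no scheme, path or port)."""
    if not value:
        raise DiscoveryError("missing {}".format(key))
    host = value.lower().rstrip(".")
    if not HOST_RE.match(host):
        raise DiscoveryError("{} is not a bare host name: {!r}".format(key, value))
    return host


def parse_discovery_record(txt: str) -> Dict[str, Optional[str]]:
    """Parse one TXT string (assumed format v=OID1;iss=<host>;clp=<host>)."""
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise DiscoveryError("malformed field {!r}".format(part))
        key, value = (s.strip() for s in part.split("=", 1))
        if key in fields:
            raise DiscoveryError("duplicate key {!r}".format(key))
        fields[key] = value
    if fields.get("v") != "OID1":
        raise DiscoveryError("not an ID4me discovery record (v=OID1 expected)")
    authority = _host(fields.get("iss"), "iss")
    agent = _host(fields["clp"], "clp") if "clp" in fields else None
    return {"authority": authority, "agent": agent}


def is_valid_discovery_record(txt: str) -> bool:
    """Boolean wrapper around parse_discovery_record."""
    try:
        parse_discovery_record(txt)
        return True
    except DiscoveryError:
        return False


def dnssec_validated(flags: int) -> bool:
    """True when the resolver set the AD bit. Only meaningful if the resolver itself
    is trusted and validating, and is reached over a trusted path."""
    return bool(flags & AD_FLAG)


def resolve_authority(txt_strings: List[str], flags: int) -> Dict[str, Optional[str]]:
    """Pick the single ID4me record out of a DNSSEC-validated TXT answer."""
    if not dnssec_validated(flags):
        raise DiscoveryError("DNS answer was not DNSSEC-validated; refusing to use it")
    records = [parse_discovery_record(s) for s in txt_strings
               if s.lstrip().startswith("v=OID1")]
    if len(records) != 1:
        raise DiscoveryError("expected exactly one discovery record, found {}".format(len(records)))
    return records[0]


# Constructed sample answer: one TXT string, header flags QR|RD|RA plus AD
SAMPLE_TXT = ["v=OID1;iss=auth.example-authority.test;clp=agent.example-agent.test"]
SAMPLE_FLAGS = 0x8180 | AD_FLAG

if __name__ == "__main__":
    print(discovery_name("alice.example.org"))
    print(resolve_authority(SAMPLE_TXT, SAMPLE_FLAGS))
```

With the authority host in hand, a Relying Party continues with ordinary OpenID Connect discovery against that host; the point of the strict host check is that a record carrying a scheme, path or port is rejected rather than silently turned into an issuer URL.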
Let us know if you are working on an open source project with ID4me. We will be glad to list a reference to your work on this page.
We are available for any questions you might have during your integration: email@example.com. You can also just post a comment.