Rules and Terms for the Use of WAYF as a Broker for NemLog-in
In the event of any ambiguity or mismatch with the Danish text, the latter shall prevail.
An Actor, by using NemLog-in through WAYF for its Service, agrees to the following terms:
- Definitions. WAYF’s sole counterparty is hereinafter referred to as the “Actor”, using the nomenclature of the Danish Agency for Digital Government. The Actor is an organisation that receives authentications from NemLog-in through WAYF either for its own use in the role of Service Provider or on behalf of one or more Service Providers in the role of Supplier. A Service Provider is an organisation responsible for a self-service solution (the “Service”) made available to end users. A Supplier is an organisation that delivers the Service to one or more Service Providers and acts as a data processor for each of them with respect to the data processed in the Service, including data received in authentications from NemLog-in through WAYF. If the Actor is a Service Provider, the Actor also assumes the obligations imposed on the “Service Provider” by these terms. If, on the other hand, the Actor is a Supplier, the Actor must, in its agreements with the Service Provider, impose on the Service Provider the obligations imposed on the Service Provider by these terms, and must agree with the Service Provider that such obligations may be amended if WAYF amends these terms vis-à-vis the Supplier. For many of the obligations, it will be appropriate for the Supplier to agree with the Service Provider that the Supplier fulfils the obligation on behalf of the Service Provider. Many of the requirements in these terms and their allocation between Supplier and Service Provider are dictated by the Danish Agency for Digital Government and are unlikely to be expressed more simply. The designation “Intermediary” refers to the Actor if the Actor is a Supplier; otherwise, it refers to WAYF. The Intermediary is the organisation from which the Service Provider directly receives NemLog-in.
- Connection. In order to connect its Service to NemLog-in through WAYF, the Actor must first connect the Service to WAYF and accept the terms for participation in WAYF. The Actor then gains access to the NemLog-in identity provider by additionally accepting these specific terms, which, in the event of any inconsistency, take precedence over the aforementioned general terms for participation in WAYF.
- Public authorities only. The Service Provider warrants that it is subject to the Executive Order on the provision and use of the MitID solution and NemLog-in for public authorities and public-law bodies. Authentications from NemLog-in may only be received by public data controllers and may only be used as part of the performance of authority tasks by the Service Provider. The powers vested in the Danish Agency for Digital Government pursuant to the Executive Order apply regardless of the fact that authentications are received via the Intermediary. Such powers may be exercised by the Danish Agency for Digital Government through the Intermediary.
- No remuneration. The Actor’s use of NemLog-in through WAYF is free of charge. Authentications to public authorities and public-law bodies that perform authority tasks through the Service are covered by joint public financing.
- Prohibition on charging fees. No party may charge end users a fee for authentications received by the Actor from NemLog-in.
- Assurance levels. The Service Provider is responsible for ensuring that the NSIS assurance level in the authentication response from NemLog-in is sufficient to meet the specific needs of the Service. WAYF, however, provides only the NSIS assurance level “Substantial” and guarantees that all delivered authentication responses have the NSIS assurance level Substantial (never High or Low). Guidance and tools for determining the NSIS assurance level required for the Service are available on the Danish Agency for Digital Government’s website.
- Derived identities. If the Service Provider uses an authentication from NemLog-in to establish a derived identity with its own authentication mechanism, authentications with such a mechanism must not be presented, described or otherwise represented as an authentication from NemLog-in or from any of the identification schemes mediated by NemLog-in, including MitID. Neither the Danish Agency for Digital Government nor WAYF can be held responsible in any way for the security or other aspects of such local authentication. This includes, inter alia, that information about any blocking or suspension of an end user’s identification means, or other identity-related conditions, no longer has effect vis-à-vis the Service Provider. The Service Provider must be aware of the security aspects of such authentications and bears full responsibility and risk for their validity and security quality. The Service Provider must inform end users of the specific risks associated with the authentication in question and that it does not constitute an authentication from NemLog-in or any of the identification means available there. Furthermore, continued use of an authentication from NemLog-in for more than 8 hours without re-authentication must be regarded as use of a derived identity.
- Session duration. The Service Provider must configure the Service such that any user sessions expire after a period of inactivity. The total session duration for a NemLog-in authentication at the Service Provider may not exceed 8 hours, after which the end user must be re-authenticated via NemLog-in. The Service Provider may, however, extend the session beyond 8 hours if the following requirements are met:
  - The end user is active throughout the entire session, in accordance with the requirement for session termination upon inactivity.
  - There is a concrete and legitimate business need for the session to exceed 8 hours, including that the purpose of the end user’s authentication and use of the Service would be lost if the session could not be maintained.
  - It is not reasonably possible to design the Service in such a way that the business need can continue to be met within a maximum session duration of 8 hours.
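As an added illustration (not WAYF's or the Agency's code), the following Python sketch enforces the session rules above at the Service: an inactivity timeout (its 20-minute length is an assumed value; the terms require one but do not fix it), the 8-hour cap counted from the NemLog-in authentication, and an explicit flag modelling the documented exception for extended sessions. The reference time T0 and the helper at() are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_SESSION = timedelta(hours=8)            # cap stated in the terms
INACTIVITY_TIMEOUT = timedelta(minutes=20)  # assumed value; the terms only require one

# Constructed reference time for the demonstration.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """Constructed helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class NemLoginSession:
    """Local session created from one NemLog-in authentication received via WAYF."""
    authn_instant: datetime   # time of the NemLog-in authentication (AuthnInstant)
    last_activity: datetime   # last request seen from the end user
    extended: bool = False    # True only where the three extension conditions are met


def session_state(session: NemLoginSession, now: datetime) -> str:
    """'active', 'inactive' (timed out) or 'reauth' (8 h exceeded, re-authenticate)."""
    if now - session.last_activity > INACTIVITY_TIMEOUT:
        return "inactive"
    # An extended session is still bound by the inactivity rule checked above.
    if now - session.authn_instant > MAX_SESSION and not session.extended:
        return "reauth"
    return "active"


def touch(session: NemLoginSession, now: datetime) -> str:
    """Record end-user activity if the session is still usable; return its state."""
    state = session_state(session, now)
    if state == "active":
        session.last_activity = now
    return state
```

The "reauth" state is the trigger for sending the end user back through NemLog-in via WAYF; the "extended" flag should be set only by the business decision the three conditions describe, never by the end user.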
- Branding. The visual identity and design components made available for the NemLog-in infrastructure may only be used in connection with authentication via NemLog-in. The Service Provider may not use them to support its own or third-party services. The Service Provider is obliged to comply with the applicable rules for the use of NemLog-in’s and MitID’s branding (hereinafter “branding”), including names, logos and domain names, as well as other material related to the cooperation between the Danish Agency for Digital Government and Finance Denmark regarding MitID. Guidelines for UX/UI and communication related to NemLog-in and MitID are available at the Danish Agency for Digital Government’s Service Provider site. The Service Provider is granted a right to use the branding and is obliged to use it in connection with offering authentication via the NemLog-in solution and marketing thereof. The guidelines may be amended, and the branding may be changed in whole or in part. The Service Provider is obliged to keep itself continuously informed of such changes and to comply with the applicable guidelines at any given time. Upon cessation of use of NemLog-in, the Service Provider is obliged to remove any reference to the branding and cease its use, unless otherwise agreed with a rights holder.
- Blocking. The Service Provider’s access to NemLog-in may be blocked by the Intermediary if the Service Provider materially fails to comply with these requirements, or if the Service Provider’s behaviour otherwise constitutes a security risk or materially affects, or is likely to affect, end users’ perception of NemLog-in and related solutions, including the MitID solution, negatively. The Intermediary is furthermore entitled to pass on a blocking imposed by the Danish Agency for Digital Government, including blockings justified by material security reasons. WAYF may additionally block the Actor’s access to NemLog-in if the Actor acts in violation of these terms or WAYF’s general terms for service connection.
- Data controllership and legal basis. The Service Provider is the data controller for the personal data obtained by the Service Provider in authentication tickets from NemLog-in through WAYF, which itself is the data controller upon its receipt of each corresponding authentication ticket from the Danish Agency for Digital Government. The purpose of WAYF’s disclosure of authentication tickets to the Service Provider is to ensure that end users can securely identify themselves to the Service. The Service Provider may not use authentications from NemLog-in in any other manner or for any other purposes than those set out in the Act on MitID and NemLog-in, unless the Service Provider has an independent legal basis for the processing.
- Data processing agreement. If the Actor is a Supplier, the Actor must enter into a data processing agreement with the Service Provider specifying which of the following data the Actor receives from NemLog-in through WAYF and therefore processes on behalf of the Service Provider:
  - Name and CPR number (if a CPR number is registered)
  - E-mail address (business users)
  - Pseudonym (business users)
  - PID and RID
  - CVR number (business users)
  - Assurance level
  - NemLog-in identification number of the electronic identity (UUID)
- Prohibition on mediation. On the basis of authentications received by the Actor from NemLog-in, no issuance, exchange or signing of security tokens or similar may take place. The Actor may therefore not act as a “trusted third party” vis-à-vis other organisations or individuals, nor otherwise vouch for the authenticated identity.
- Single sign-on. The Service can only achieve single sign-on with other services in the NemLog-in federation if the Actor has registered a single logout URL with WAYF; WAYF’s invocation of this with a logout request must result in the user losing their session with the Service, after which the Service must respond to WAYF with a logout response. See WAYF’s general terms regarding endpoint operability.
- Encryption requirements. The Service may only receive authentications from NemLog-in if the Actor has provided a public encryption key to WAYF and the Service is able to decrypt the authentication using the corresponding private key. This does not refer to TLS, but to separate encryption of authentications prior to transmission to the Service. This does not apply if the Service’s server receives each authentication’s personal data directly from WAYF’s server and never via a browser, in which case the data may be received without encryption other than that provided by TLS.
- Security and technical requirements. The Service Provider must comply with the security requirements set out on the NemLog-in Service Provider site. The Service Provider must furthermore not, in any other context, expose NemLog-in and related solutions, including the MitID solution, to security risks with respect to authenticity, integrity and confidentiality. The Service Provider is obliged to notify end users and the Intermediary of any security breaches related to the use of NemLog-in. Both the Service Provider and any Supplier must comply with the technical requirements for connected services set out on the Service Provider site.
- Interface. WAYF offers the Actor considerable flexibility: NemLog-in can be received via the same protocols and in the same formats as WAYF uses towards any other service in the federation. Technically, NemLog-in is an identity provider in WAYF in exactly the same manner as the identity providers corresponding to WAYF’s user organisations. It is also noted that WAYF does not impose any requirement for OCES certificates in the Actor’s setup, as the Danish Agency for Digital Government does for direct connections to NemLog-in.
- Support. WAYF will, as far as possible, provide the Actor with support, both during connection and on an ongoing basis, aimed at ensuring that the connection to NemLog-in functions correctly. End users must be supported by the Actor itself. In the event of operational disruptions, the Actor should primarily consult the Danish Agency for Digital Government’s website, and only secondarily WAYF’s.
- Age of identified persons. Authentications received from NemLog-in through WAYF may correspond to natural persons aged 13 years and above. The Service Provider is responsible for verifying end users’ age and enforcing any restrictions relating to specific age groups in the Service.
- Scope of availability. WAYF can only make NemLog-in available to the Actor to the extent that the Danish Agency for Digital Government makes NemLog-in available to WAYF. For example, the Actor must accept that NemLog-in through WAYF is unavailable if the Danish Agency for Digital Government has made NemLog-in unavailable to WAYF. Furthermore, WAYF as a general rule provides only the authentication solution and not other elements of NemLog-in (such as digital signing) to the Actor.
- Disclaimer of liability. The Actor’s use of NemLog-in through WAYF takes place (as any use of WAYF) at the Actor’s own risk and without any potential liability for damages on the part of WAYF. In relation to NemLog-in, the Actor may not bring any claim against WAYF or the Danish Agency for Digital Government or any partner or supplier of either, unless such a right arises from legislation. The Actor is liable for any claim that may be brought against WAYF as a result of use, in violation of these terms, of authentications received by the Actor from NemLog-in through WAYF. If the Actor is a Supplier, the Service Provider may, in relation to NemLog-in, bring claims only against the Actor.
- Changes to the terms. These terms may be amended without notice; however, WAYF will endeavour to notify the Actor of material changes. The Actor must not expect such notification unless the Actor maintains its contact details with WAYF. The Actor is obliged to keep itself continuously informed of the terms in force at any time as published on www.wayf.dk.
- Replay protection. Replay protection at the Service is the Actor’s own responsibility; the Actor may not assume that WAYF protects the Service against replay of authentication tickets.
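An added example (not WAYF's code) of the replay protection this item places on the Actor: a guard that validates the ticket's validity window and remembers each assertion ID until that window has closed, so a re-presented ticket is refused while it could still pass validation. The 3-minute clock-skew tolerance, the reference time T0, the helper at() and the sample IDs are assumptions constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=3)   # assumed tolerance between WAYF's clock and ours

# Constructed reference time for the demonstration.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """Constructed helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


class ReplayGuard:
    """Rejects an authentication ticket whose ID has already been consumed."""

    def __init__(self) -> None:
        self._seen: dict[str, datetime] = {}   # assertion ID -> time it may be forgotten

    def _purge(self, now: datetime) -> None:
        # IDs past their validity window (plus skew) can no longer be replayed.
        for aid in [a for a, exp in self._seen.items() if exp <= now]:
            del self._seen[aid]

    def accept(self, assertion_id: str, not_before: datetime,
               not_on_or_after: datetime, now: datetime) -> tuple[bool, str]:
        """Return (accepted, reason). Accept each ticket at most once, in its window."""
        self._purge(now)
        if now + CLOCK_SKEW < not_before:
            return False, "not yet valid"
        if now - CLOCK_SKEW >= not_on_or_after:
            return False, "expired"
        if assertion_id in self._seen:
            return False, "replayed"
        # Remember the ID for as long as the ticket could still be accepted.
        self._seen[assertion_id] = not_on_or_after + CLOCK_SKEW
        return True, "ok"
```

In a load-balanced Service the seen-ID store must be shared across all instances (a database or cache with the same expiry), since a per-process dictionary only protects the instance that happened to receive the first copy.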
- Registration. If the Actor is a Supplier, the Actor is obliged to register whether the Service Provider is a public authority or a public-law body. The Actor is also obliged, upon request, to inform WAYF of the identity of each Service Provider.