Configure access to Persontjenesten in the HelseID self service portal

This guide will take you through how to configure access to Persontjenestens test environment, using the HelseID self service portal, available at selvbetjening.test.helseid

HelseID self service portal

For more information on the HelseID self service portal see their service documentation

For more information on the self service portal in the test environment and how to get access, see Selvbetjening i TEST

This guide will assume you have access to the HelseID self service portal in the test environment on behalf of the organization you represent (also referred to as a configuration owner).

Login and user configuration

You log in to the self service portal using your personal electronic id, for instance using ID-porten and BankID.

After identifying yourself using an electronic id, you should be able to see the front page. This page should contain some tiles you can select. In order to complete the setup for connecting to Persontjenesten, you should at least be able to see the "Ta i bruk HelseID" and the "Dine klientsystemer" tiles.

In the top right corner you should see your name, and which configuration owner you currently represent. If you represent multiple configuration owners, there should be a drop down menu with all available configuration owners. Select the configuration owner which is relevant for Persontjenesten. For more information, see the service documentation

Creating a new client system

To get access to Persontjenestens test environment, you'll need to create a new client system.

  1. In the self service portal front page, select the "Dine klientsystemer" tile. Landing page
  2. Press the "Nytt klientsystem" button.
    New client system
  3. Fill in a suitable client system name, application type and system tags. It's mandatory to choose at least one tag, if nothing fits just select the one which seems most relevant for your system.
    Basis information
  4. Choose how your application will authenticate with HelseID. In our case this is machine to machine authentication.
    Authentcation
  5. Choose a token lifetime. The default value of 60 seconds is a sensible value for machine to machine interaction.
    Token lifetime
  6. Choose which services your client system should be able to connect to. In our case, this is the "Persontjenesten API".
    Services
  7. Choose which organizations the client system should be available for. Selecting the second option, "Klientsystemet skal bare være tilgjengelig for utvalgte virksomheter" will make the client system only available to your organization. It's also possible to add other specific organizations the client system should be available for, but this is not mandatory.
    Availability
  8. Confirm the configuration for the client system, and add a work e-mail as a contact for the client system.
    Confirm configuration

You've now created a new client system, and specified that it should have access to Persontjenesten using machine to machine authentication. However, in order to get access to Persontjenesten, we first need to create a client configuration.

Creating a client configuration

  1. Go back to the portal home page and select the "Ta i bruk HelseID" tile
    Use HelseID
  2. Press the "Ny konfigurasjon" button to create a new client configuration
  3. Find and select the client system you created previously
    New configuration
  4. Select which services and scopes to use for this client configuration. In our case, select Persontjenesten API, which should be the only one available, and select the "Read access for public with legal basis" scope. It's possible to select multiple scopes, but don't use the "Read" scope, as this scope is deprecated and access to the API with this scope will be removed. Scopes are coupled with an authorization bundle in the API (rettighetspakke). For more information, see Rett og plikt ved bruk av Persontjenestens opplysninger
    Services and scopes
  5. A client configuration is identified with a public/private key pair. In this step you can choose which keypair you want to use. In our case we'd like HelseID to generate a keypair for us, so we'll select the "Få generert et nøkkelpar" option.
    Keypair
  6. In the next step we can choose which organizational units should have access to the client configuration. This step is not relevant for this guide, so just skip to the next step.
  7. Confirm the client configuration, and add a work e-mail as a contact for the client configuration. What's important to note in this step is that the client configuration still needs to be approved before it can be used to access Persontjenesten.
    Confirm client configuration
  8. After the configuration is created, you'll get the option to download a configuration file containing the client id and private key you'll need to use to exchange a valid HelseID token with access to Persontjenesten.
    NB! This configuration file will not contain the scope you configured when setting up your client configuration until the access request has been approved by someone on Persontjenesten. You can still download the configuration file and use the client id and private key and fill in the scope manually.
    Download configuration

Congratulations! You've successfully created a client system and a client configuration for your system with access to Persontjenesten with HelseID.

Next steps

The next step to start testing Persontjenesten is to implement an API client which is able to exchange a HelseID token using the client configuration created in this guide and use this token when making requests to the Persontjenesten API. For Java and .NET, it's possible to take a look at some samples here: Persontjenesten API client samples