MitID Controlled Transfer

Overview

MitID Controlled Transfer Token (CTT) allows an authenticated session from one service provider (SP A) to be securely transferred to another service provider (SP B). This mechanism ensures authentication integrity is maintained and supports seamless session sharing.

Process

Requesting a Controlled Transfer Token

Service Provider A requests a Controlled Transfer Token (CTT) from Signaturgruppen Broker.

Request:

POST https://pp.netseidbroker.dk/op/api/v1/MitId/ControlledTransfer/tokenExchangeCode

Headers:

{
  "Content-Type": "application/json",
  "Authorization": "Bearer {access_token}"
}

Body:

{
  "targetBroker": "{UUID of target broker}",
  "targetServiceProvider": "{UUID of target Service Provider (SP B)}",
  "transferTokenText": "some text"
}

The response includes a transferTokenExchangeCode, which must be passed to SP B.

Completing the Transfer at Service Provider B

SP A redirects the user to SP B with the token.

SP B exchanges the token at the broker endpoint:

GET https://pp.netseidbroker.dk/op/connect/authorize?
client_id={client_id}&redirect_uri={callback_url}&scope=openid mitid userinfo_token
&response_type=code&state={state_value}&idp_values=mitid&idp_params={transfer_token_details}

SP B receives an authentication response, completing the transfer.

Flow Diagram

—

Comparison of MitID CTT and Signaturgruppen Controlled Transfer

Feature	MitID Controlled Transfer Token (CTT)	Signaturgruppen Controlled Transfer
Purpose	Secure session transfer between SPs using MitID	General session transfer with extended customization
Broker Involved	Signaturgruppen Broker	Signaturgruppen Broker
Data Transfer	Only authentication session (CPR cannot be transferred)	Can include user attributes (claims, etc.), but the sender must ensure appropriate consent for data transfer.
Flexibility	Limited to MitID authentication flow	Can be adapted to various scenarios

Summary

MitID Controlled Transfer Token (CTT) is a standardized method specifically for MitID session transfers, ensuring authentication integrity between service providers. On the other hand, Signaturgruppen Controlled Transfer offers greater flexibility, allowing the inclusion of additional user data and broader use cases beyond MitID authentication. Both methods ensure secure and efficient session transfers between service providers.