Unifying Identity and Access Management in Norwegian Healthcare with HelseID

Learn how Norsk helsenett unified their identity and access management with HelseID using Duende IdentityServer.

Maarten Balliauw

Norsk Helsenett

Industry: Government | Region: Norway

The Norwegian Health Network (NHN) is owned by the Norwegian government through the Ministry of Health and Care Services. As a national e-health service provider, it is tasked with maintaining a secure and suitable infrastructure to facilitate effective communication across all segments of the health and care services.

Their HelseID service is the central identity and access management platform that is used to facilitate and secure information sharing between healthcare providers, businesses, employees, and patients in Norway. Electronic prescriptions for every Norwegian citizen are facilitated by HelseID, as well as medical test results, reports, and other common e-health practices.

From Solving Single Sign-On to API Security for all Norwegians

Health care professionals like doctors typically log into multiple applications, on multiple devices, and sometimes in multiple locations throughout the day. Each of these applications typically required maintaining a separate username and password. The HelseID project was started in 2015 with the initial goal of solving this complexity and providing Single Sign-On (SSO) in the health sector.

Because the Norwegian Health Network spans a diverse infrastructure, with numerous stakeholders and different authentication mechanisms in use, NHN needed an adaptable and flexible solution driven by open standards like OAuth 2.0 and OpenID Connect, to ensure long-term interoperability with healthcare and industry partners.

Having a lot of experience with .NET development, NHN started building HelseID with IdentityServer3, and has since evolved to the latest Duende IdentityServer. This allowed them to focus on implementing their specific requirements without having to worry about implementing the security protocol themselves.

The HelseID service does not introduce any new form of identification or eID. Instead, it supports and relies on different identity providers such as ID-Porten (a common login solution for the public sector in Norway), BankID (an electronic ID using the Norwegian national identity number), BuyPass, and Commfides, certified against eIDAS.

To support these various identity providers, HelseID uses the federation gateway pattern supported by Duende IdentityServer.

Some APIs and national eHealth services may require higher security and support only a subset of these providers. It is the responsibility of each participant in the health care sector to ensure their own healthcare personnel have access to a suitable eID.

HelseID login interface showing different identity providers

After launching HelseID for Single Sign-On, NHN realized that their solution would also be suitable for API security across the Norwegian health sector. By using the OAuth 2.0 and OpenID Connect specifications as their security protocol, they were able to expand and grow HelseID into a solution that provides a clear and predictable landscape for access management and interaction in the Norwegian healthcare sector.

Today, HelseID offers functionality for login (identity authentication for healthcare professionals, systems, and businesses) and securing service provider APIs (technical access authorization). This functionality can be used as an important part of access management and control across the various businesses in the sector.

With over 1800 client applications, provided by 300 different vendors, consuming 100 different APIs across NHN, there is a need for self-service registration of new client applications and vendors. HelseID has a self-service portal where healthcare businesses and system providers can manage their participation in HelseID. In addition, a developer portal is available where participants can learn about integrating with HelseID.

Being driven by an open standard means that any participant can use their technology of choice and leverage a mature ecosystem of frameworks and libraries, conformance tools, and security best practices. Usually, once the libraries in .NET, Java, Kotlin, PHP, Ruby, Go, and other languages used by vendors in the healthcare sector have been updated, participants are quick to adopt newer security requirements.

Evolving Security Requirements and FAPI 2.0

HelseID is a service that evolves over time and adopts best current practices in security as part of that evolution. For example, they introduced the requirement for client applications to use Proof Key for Code Exchange (PKCE), which helps prevent authorization code interception attacks, and required private key JWT client authentication for all clients.

Using Duende IdentityServer as their identity infrastructure, implementing these was not a technical concern, as IdentityServer follows and implements new security practices (such as the client authentication methods above). At the start of 2026, HelseID requires Pushed Authorization Requests (PAR), which has been part of Duende IdentityServer since version 7 and is also enabled by default in newer .NET versions thanks to a contribution from Duende.

With IdentityServer handling OAuth 2.0 and OpenID Connect protocol and its evolution in best current practices, the HelseID team can focus on building their solution for the Norwegian health sector, including evolving security requirements for its participants.

NHN is moving towards adopting the FAPI 2.0 Security Profile for HelseID, which standardizes security requirements and reduces the challenges that come with integrating various organisations into NHN.

Read the OpenID Foundation case study on HelseID adopting the FAPI 2.0 Security Profile.

Duende IdentityServer is already FAPI 2.0 compliant, certified by the OpenID Foundation. HelseID chose to adopt and roll out FAPI 2.0 in phases, to avoid disrupting critical healthcare services with a one-time large release. This phased roll-out is supported by IdentityServer, as all of the FAPI 2.0 Security Profile building blocks, such as Demonstrating Proof-of-Possession (DPoP), Pushed Authorization Requests (PAR), and more, can be enabled separately.
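As an added illustration (not HelseID's configuration and not code from this page), the following shows how the building blocks named above, PKCE, private key JWT client authentication, PAR and DPoP, map to per-client settings in Duende IdentityServer, which is what makes the phased roll-out described here possible. Client ids, redirect URIs, scopes and the JWK values are constructed placeholders.

```csharp
using System.Collections.Generic;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

// Two clients at different stages of a phased FAPI 2.0 roll-out. Each requirement is a
// per-client flag, so one client can be tightened without touching the others.
public static class PhasedRolloutClients
{
    // Placeholders for the public JWKs each vendor registered for private_key_jwt.
    // In practice these come from the self-service registration, one key set per client.
    private const string VendorAJwk = "{\"kty\":\"RSA\",\"kid\":\"<vendor-a-kid>\",\"n\":\"<modulus>\",\"e\":\"AQAB\"}";
    private const string VendorBJwk = "{\"kty\":\"RSA\",\"kid\":\"<vendor-b-kid>\",\"n\":\"<modulus>\",\"e\":\"AQAB\"}";

    public static IEnumerable<Client> Clients => new[]
    {
        // Phase 1: authorization code flow with PKCE and private_key_jwt, no PAR or DPoP yet.
        new Client
        {
            ClientId = "ehr-vendor-a",                 // constructed example id
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,                        // mitigates authorization code interception
            RequireClientSecret = true,
            ClientSecrets =
            {
                // A JWK-typed secret means the client authenticates with a signed
                // client_assertion (private_key_jwt) instead of a shared secret.
                new Secret { Type = IdentityServerConstants.SecretTypes.JsonWebKey, Value = VendorAJwk }
            },
            RedirectUris = { "https://vendor-a.example/signin-oidc" },
            AllowedScopes = { "openid", "profile", "offline_access", "prescription-api" },
            AllowOfflineAccess = true
        },

        // Phase 2: the same baseline plus the remaining FAPI 2.0 building blocks.
        new Client
        {
            ClientId = "ehr-vendor-b",                 // constructed example id
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = true,
            ClientSecrets = { new Secret { Type = IdentityServerConstants.SecretTypes.JsonWebKey, Value = VendorBJwk } },
            RequirePushedAuthorization = true,         // authorization parameters accepted only via the PAR endpoint
            RequireDPoP = true,                        // issued access tokens are bound to the client's DPoP key
            RedirectUris = { "https://vendor-b.example/signin-oidc" },
            AllowedScopes = { "openid", "profile", "offline_access", "prescription-api" },
            AllowOfflineAccess = true
        }
    };
}
```

Moving a client from phase 1 to phase 2 is then a change to its registration only, which can be scheduled per vendor once their client library supports PAR and DPoP.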

Evolving Architecture and Infrastructure

Currently, HelseID is hosted on Windows Server machines backed by Microsoft SQL Server for its operational stores, distributed over multiple locations. To support future growth and availability needs, NHN plans to serve HelseID from multiple additional locations to ensure availability even if the main Internet backbones in Norway become unavailable. To do that, there is an ongoing effort to host HelseID on Kubernetes with operational data such as refresh tokens and grants stored in a geographically distributed Redis setup.

HelseID's solution requires substantial customization. Duende IdentityServer was chosen because it offers the deep extensibility necessary to achieve this, a capability not found in other off-the-shelf alternatives.