Manage your service’s configuration with GOV.UK One Login
GOV.UK One Login is an OpenID Connect (OIDC) provider.
You must first register your service with GOV.UK One Login as a ‘relying party’ before being able to interact with GOV.UK One Login. You need to do this once for the integration environment and once for the production environment. An OIDC relying party is an app that outsources its user authentication function to an identity provider, which in this instance is GOV.UK One Login.
Register your service to use GOV.UK One Login
To register your service to use GOV.UK One Login, you need to:
- Choose your scopes, which are the user attributes your service can request.
- Contact the GOV.UK One Login team and we’ll register your service for you.
Your service will use a pairwise user identifier when you use GOV.UK One Login.
When using a pairwise identifier, GOV.UK One Login provides a unique `sub` value in the ID token to each service. This means a user ID will not be the same across services, so the value cannot be matched and used to identify an individual user.
You need to specify your `sector_identifier_uri` parameter when you contact the GOV.UK One Login team to register your service. GOV.UK One Login will use this to create a unique subject identifier for your user.
If you do not specify a `sector_identifier_uri`, GOV.UK One Login will use the host name of your redirect URI when we generate the subject identifier for your user. You should be aware that if your redirect URI ever changes, your users’ subject identifiers will also change.
Contact the GOV.UK One Login team to register your service
You need to contact the GOV.UK One Login team to register your service.
- Start an email and include the details listed below.
- Send the email with the completed details to firstname.lastname@example.org.
- The GOV.UK One Login team will register your service for you and let you know when the registration is complete.
To register your service, you must send:
- your service’s name
- your service’s redirect URL
- your service’s contact email addresses - this can be a group email or multiple separate email addresses or a combination of both
- the scopes you selected when you chose which user attributes your service can request
- the key you generated - only send the contents of the `public_key.pem` file and do not include the RSA headers (the words in caps above and below the key)
- the URL you’d like your users redirected to if they log out of your service - if you do not specify one, your users will be redirected to the default GOV.UK sign out page
- your `sector_identifier_uri` with the identifier for your sector
By default, GOV.UK One Login will sign the `id_token` JSON Web Token (JWT) using the `ES256` algorithm, but some third party tooling does not support `ES256`. If your service needs an alternative algorithm, we can sign your `id_token` JWT using the `RS256` algorithm. Let us know if you need this when you register your service.
You can also receive user logout notifications from GOV.UK One Login. To use this, send the GOV.UK One Login team a `back_channel_logout_uri` specifying the URL you want GOV.UK One Login to send notifications to when a user who was signed into your service using GOV.UK One Login has logged out. There’s further guidance on responding to logout notifications from GOV.UK One Login.
Update your service’s details with GOV.UK One Login
To update your service’s details with GOV.UK One Login, you need to send an email to email@example.com. We’ll get back to you with the next steps.
Progress your application to integrate with the integration environment
Once the GOV.UK One Login team has registered your service, you are a relying party for GOV.UK One Login.
The next step before you can use the integration environment is to integrate your application with Authorization Code Flow.