Using the IAS admin portal
Public institutions and municipalities that use the IAS are granted access to an admin portal accessible at . The admin portal is still under development and new features are added regularly, but organizations should currently be able to set up and configure OpenID Connect/OAuth clients and scopes to fulfill most of their needs. If you cannot achieve some functionality, please contact island.is support at island@island.is.
Organizations can manage who has access to the IAS admin portal on their behalf using the island.is delegation system (Umboðskerfi Ísland.is). Ideally, one or more representatives of the institution or municipality manage all IAS settings on its behalf. Where the technical knowledge to use the admin portal effectively is lacking, granting access to technical vendors is acceptable. We do, however, recommend that a representative of the institution/municipality monitors the usage of applications/permissions in the IAS admin portal.
To assist first-time users of the IAS admin portal, we've created instructions for a few common use cases.
Use case: The government institution MyOrg wants to set up a login for their service portal/my pages.
Go to the Application overview and click Create Application.
Enter a name. A matching ID will be auto-filled but can be edited if you wish.
Select environment. We recommend first creating the application in staging, finishing all development and testing, and then using the publish function to create an identical application in production. The remainder of this guide assumes you took that approach.
Application type should be Web Application.
Click Create.
Under Application URLs fill in both the Callback URL and Logout URL fields. Both fields can hold multiple URLs with one URL per line. The list of URLs is most likely provided by your dev team. Don't forget to click Save settings once you're done.
Send the Client ID and Client Secret to your dev team. The ID and secret can be considered equivalent to a username and password combination: the ID can be made public but the secret MUST be kept private, so we recommend using a secret sharing service such as or to safely send the secret via email or similar. Never send the secret in plaintext or share pictures of it. See for instructions on what to do if a secret is exposed.
Once development is complete and your login is ready to go live, open the application again, click the drop-down in the top-right corner and select "Publish to Production".
In the pop-up window select "Publish from Staging". This will copy all relevant settings from staging to production.
Add application URLs for your production environment to the Callback URL and Logout URL fields.
Send the Client Secret for production to your dev or operations team. Remember to keep the Client Secret private and follow the directions under in case the secret is exposed.
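A pre-flight check for the Callback URL and Logout URL lists described above, as an added example that is not part of the IAS documentation or island.is code. The rules (https only, except local hosts in staging; no wildcards, fragments or embedded credentials) and all URLs are assumptions based on common OAuth redirect URI practice, not documented IAS requirements.

```python
from urllib.parse import urlsplit

# Hosts treated as local development targets (assumption of this example).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def lint_callback_urls(text, environment):
    """Return (line_number, url, problem) tuples for a one-URL-per-line list."""
    findings, seen = [], set()
    for number, raw in enumerate(text.splitlines(), start=1):
        url = raw.strip()
        if not url:
            continue  # blank lines carry no URL
        try:
            parts = urlsplit(url)
        except ValueError:
            findings.append((number, url, "unparseable URL"))
            continue
        problems = []
        if not parts.scheme or not parts.hostname:
            problems.append("not an absolute URL")
        if parts.fragment:
            problems.append("contains a fragment")  # RFC 6749, section 3.1.2
        if "*" in url:
            problems.append("contains a wildcard")
        if parts.username or parts.password:
            problems.append("contains credentials")
        local = parts.hostname in LOCAL_HOSTS
        if parts.scheme != "https" and not (local and environment == "staging"):
            problems.append("not https")
        if local and environment == "production":
            problems.append("local host in production list")
        if url in seen:
            problems.append("duplicate entry")
        seen.add(url)
        findings.extend((number, url, problem) for problem in problems)
    return findings


# Constructed sample input, not MyOrg's real URLs.
SAMPLE = """https://minarsidur.myorg.example/signin-oidc
http://localhost:4200/signin-oidc
https://*.myorg.example/callback
https://minarsidur.myorg.example/signin-oidc#done
"""
```

Run it once with "staging" and once with "production" before pasting each list into the portal; an empty result means no finding under these assumed rules.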
Go to the Permissions overview and click Create Permission.
Enter a name. A matching ID will be auto-filled but can be edited if you wish.
Enter a description. This should give users a clear and concise idea of what rights this permission will give.
Select environment. As with creating an application, we recommend creating the permission in staging first and completing all development work before going to production.
Add an English translation of both name and description for your permission.
Under Delegations select which user groups should get this delegation.
Procuration Holders: If selected, Procuration Holders as registered in the Company Registry (Fyrirtækjaskrá) can log in on behalf of their companies.
Legal Guardians: If selected, Legal Guardians of children (up to 18 years old) as registered in the National Registry (Þjóðskrá) can log in on behalf of their children.
Custom Delegations: If selected, users can grant permission to individuals to log in on their behalf. If this option is selected, it is critical that the name and description chosen in steps 2, 3 and 5 are clear to the user.
Legal Representative: If selected, Legal Representatives as registered by the District Commissioner (Sýslumaður) can log in on behalf of their wards.
Go to Applications and select your application.
Make sure you've selected "Staging" in the drop-down in the top right corner.
Under the Permissions section click Add Permission, find the permission you just created (you might have to refresh the page) and add the new permission. Don't forget to click Save Settings once you're done.
Under the Delegations section select the same options as you did for the permission. We also recommend checking "Always prompt delegations", as this will prompt your users to select a delegation (if there are multiple options) upon login. Before clicking "Save", make sure to un-check "Save in all environments". This ensures that the changes we make now are limited to Staging and won't affect the login process for live users.
Send the permission ID to your dev team and have them add it to the list of requested scopes during the login process.
Once development is complete and the use of the delegations is ready to go live, open the permission again, click the drop-down in the top-right corner and select "Publish to Production".
In the pop-up window select "Publish from Staging". This will copy all relevant settings from staging to production.
Go to Applications and select your application
Under the Permissions tab click Add Permission, find the permission you just created (you might have to refresh the page) and add the permission. Don't forget to click Save Settings once you're done.
Click the drop-down in the top-right corner and select "Staging"
Under the Delegations tab click the button that says "out of sync" and then click "sync settings from this environment". This will transfer all the settings we changed in step 6 from staging to production.
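What adding the permission ID to the list of requested scopes looks like on the dev team's side, as an added example and not island.is code: a standard OpenID Connect authorization-code request with PKCE that carries the permission ID as a scope. The endpoint, client ID, callback URL, permission ID and the "openid profile" base scopes are placeholders and assumptions; use the values from your own IAS application.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders (assumptions): take the real values from your IAS application.
AUTHORIZE_ENDPOINT = "https://ias.example/connect/authorize"
CLIENT_ID = "@myorg.example/service-portal"
CALLBACK_URL = "https://minarsidur.myorg.example/signin-oidc"
PERMISSION_ID = "@myorg.example/documents:submit"  # hypothetical permission ID


def build_login_request(extra_scopes=(PERMISSION_ID,)):
    """Return (url, session) for an authorization-code login with PKCE."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    session = {  # keep server-side, bound to the user's browser session
        "state": secrets.token_urlsafe(24),
        "nonce": secrets.token_urlsafe(24),
        "code_verifier": verifier,
    }
    query = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,  # must match a registered Callback URL
        "scope": " ".join(("openid", "profile", *extra_scopes)),
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(query), session


def read_callback(callback_url, session):
    """Return the authorization code, or raise if the response is not ours."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("login failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch")
    return params["code"][0]
```

The Client Secret never appears in this browser-facing URL; it is only presented server-side when the returned code is exchanged for tokens.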
In case of an exposed secret it is critical that the secret be replaced as soon as possible, before malicious parties are able to exploit the secret.
Open your application in the IAS admin portal
Scroll to the bottom of the page, to the Danger Zone
Click Rotate Secret
Select whether you wish to revoke the old secrets immediately. If you suspect that malicious parties already have access to the secret, we recommend revoking it immediately.
Confirm that the new secret works and logging in is possible.
If you checked "Rotate Secret" in step 4, you're done. If you didn't, you'll see a warning box at the top of the page letting you know that multiple secrets are still active. Click Revoke old secrets to deactivate them.
Use case: The government MyOrg wants to allow companies to submit documents to their service portal. This tutorial assumes you've already completed the steps in and have a staging application for testing/development and a production application with live users.
When deciding on a name and description for your permission, go to and take a look at how other government agencies have worded their names and descriptions. Creating a consistent experience and understanding for users who interact with multiple government agencies can improve the user experience and reduce the risk of misunderstandings.
Click Generate. This will create a new secret for your client. Copy the new secret and send it to your ops team using a secure secret sharing method; see the section on for more information on secret sharing.