Manage your service’s configuration with GOV.UK Sign In

GOV.UK Sign In is an OpenID Connect (OIDC) provider.

You must first register your service with GOV.UK Sign In as a ‘relying party’ before being able to interact with GOV.UK Sign In. You need to do this once for the integration environment and once for the production environment. An OIDC relying party is an app that outsources its user authentication function to an identity provider, which in this instance is GOV.UK Sign In.

Register your service to use GOV.UK Sign In

To register your service to use GOV.UK Sign In, you need to:

  1. Choose your sector_identifier_uri.
  2. Contact the GOV.UK Sign In team and we’ll register your service for you.

Choose your sector_identifier_uri

Your service will use a pairwise user identifier when you use GOV.UK Sign In.

When using a pairwise identifier, GOV.UK Sign In provides a unique sub value in the ID token to each service. This means a user ID will not be the same across services, so the value cannot be matched and used to identify an individual user.

You need to specify your sector_identifier_uri parameter when you contact the GOV.UK Sign In team to register your service. GOV.UK Sign In will use this to create a unique subject identifier for your user.

Warning: If you do not specify the sector_identifier_uri, GOV.UK Sign In will use the host name of your redirect URI to generate the subject identifier for your user. Be aware that if your redirect URI ever changes, your users’ subject identifiers will also change.
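The following added example illustrates the pairwise behaviour described above; it is not GOV.UK Sign In's own code and does not reproduce its actual derivation. It follows the example construction in OpenID Connect Core section 8.1 (a SHA-256 over the sector identifier, the provider's local account id and a provider-held salt), with constructed service names and salt, and shows why a service without a registered sector_identifier_uri sees its users' sub values change when the redirect URI host changes.

```python
# Illustration of pairwise subject identifiers (OIDC Core 8.1 style).
# Not GOV.UK Sign In's implementation; the salt and hosts are constructed.
import hashlib
from typing import Optional
from urllib.parse import urlparse

# Constructed provider-side secret; a real provider keeps this private.
PROVIDER_SALT = b"constructed-provider-salt"


def sector_identifier(sector_identifier_uri: Optional[str], redirect_uri: str) -> str:
    """Return the sector identifier used to key the pairwise sub.

    With a registered sector_identifier_uri its host is used; without one
    the provider falls back to the host name of the redirect URI, which is
    the situation the warning on this page describes.
    """
    source = sector_identifier_uri or redirect_uri
    host = urlparse(source).hostname
    if not host:
        raise ValueError(f"no host in {source!r}")
    return host  # urlparse already lower-cases the host name


def pairwise_sub(local_account_id: str, sector: str) -> str:
    """Derive a sub that is stable per (user, sector) but differs across sectors."""
    material = sector.encode() + b"\x00" + local_account_id.encode() + PROVIDER_SALT
    return hashlib.sha256(material).hexdigest()


def sub_for(local_account_id: str, sector_identifier_uri: Optional[str], redirect_uri: str) -> str:
    """Convenience wrapper: the sub a given service would receive for a user."""
    return pairwise_sub(local_account_id, sector_identifier(sector_identifier_uri, redirect_uri))


if __name__ == "__main__":
    user = "local-account-42"  # the provider's internal id for one user
    # Two different services never receive the same sub for the same user.
    print(sub_for(user, "https://service-a.example", "https://app.service-a.example/cb"))
    print(sub_for(user, "https://service-b.example", "https://app.service-b.example/cb"))
    # Service with a sector_identifier_uri: sub survives a redirect URI change.
    print(sub_for(user, "https://service-a.example", "https://new.service-a.example/cb"))
    # Service without one: moving the redirect URI host changes every user's sub.
    print(sub_for(user, None, "https://old.service-c.example/cb"))
    print(sub_for(user, None, "https://new.service-c.example/cb"))
```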

Contact the GOV.UK Sign In team to register your service

You need to contact the GOV.UK Sign In team to register your service.

  1. Start an email and include the following details.
  2. Send the email with the completed details to govuk-sign-in@digital.cabinet-office.gov.uk.
  3. The GOV.UK Sign In team will register your service for you and let you know when the registration is complete.

To register your service, you must send:

  • your service’s name
  • your service’s redirect URL
  • your service’s contact email addresses - this can be a group email or multiple separate email addresses or a combination of both
  • the scopes you selected when you chose which user attributes your service can request
  • the key you generated - only send the contents of the public_key.pem file and do not include the RSA headers (the words in caps above and below the key)
  • the URL you’d like your users redirected to if they log out of your service - if you do not specify one, your users will be redirected to the default GOV.UK sign out page
  • your sector_identifier_uri with the identifier for your sector

You can also receive user logout notifications from GOV.UK Sign In. To use this, send the GOV.UK Sign In team a back_channel_logout_uri specifying the URL you want GOV.UK Sign In to send notifications to when a user who was signed into your service using GOV.UK Sign In has logged out. There’s further guidance on responding to logout notifications from GOV.UK Sign In.

Update your service’s details with GOV.UK Sign In

To update your service’s details with GOV.UK Sign In, you need to send an email to govuk-sign-in@digital.cabinet-office.gov.uk. We’ll get back to you with the next steps.

Progress your application to integrate with the integration environment

Once the GOV.UK Sign In team has registered your service, your service is a relying party for GOV.UK Sign In.

The next step before you can use the integration environment is to integrate your application with Authorization Code Flow.

This page was last reviewed on 21 January 2022.