MitID (DK)

​MitID is the next generation NemID, and it will replace NemID during 2021/2022.

Enable MitID in your services

MitID is the new eID in Denmark, and it will replace NemID. The Nets E-Signing service offers two ways of signing with MitID: 

In the migration phase from NemID to MitID it is recommended to support both NemID and MitID for document signing as users will be migrated during 2022.

More information about MitID:

MitID signing through NemLog-in

The MitID signing through NemLog-in is integrated in the E-Signing service and the usage of it is described on this page. MitID signing through NemLog-in requires an agreement with Digitaliseringsstyrelsen through the below link: 

Timeline for MitID signing through NemLog-in in E-Signing:

  • Customer test:
    • MitID signing through NemLog-in was made available in E-Signing from Summer 2021
    • A coming release will include support for CPR as the SignerID and identification before signing functionality when using MitID signing through NemLog-in. The date for this release is not set, and it is dependent on the release of a matching service from NemLog-in. 
  • Production: 4th April 2022

Two signing formats

MitID through NemLog-in offers two different signing formats:

  • XAdES
  • PAdES

In the E-Signing service, the XAdES signature will be packaged in a SDO. By using this signing format, E-Signing continues to support that several users can sign one document and that the user can sign with either MitID or NemID (or any other eID supported by E-Signing). The XAdES signature can be extracted from the SDO using the GetSignature call.

MitID will also support PAdES as an output format directly. This can't be used in combination with NemID and it only supports one signature on each document. Read more about MitID PAdES.

Note: E-Signing still supports a PAdES generated based on a SDO where the last page will include all signers of the document. Read more about PAdES generated from SDO.

Handling of SSN and SignerID

E-Signing offers a functionality to define the signer that will sign a specific document using a SignerID. For NemID, the SignerID is either CPR or the PID from the user's NemID certificate. For MitID, the unique SignerID is either the user's CPR (SSN) or the user's CPR UUID. The CPR UUID can be found in the user's signature when using the GetSignature call.

The SignerID may only be set to SSN if the customer is allowed to handle SSN. This is a configuration on your merchant setup. 

Note: Setting the SignerID to SSN with the user's CPR number is currently not supported. As soon as a CPR matches signer function is delivered from NemLog-in, the E-Signing service will be updated to support SSN as SignerID. 

The SDO will include the CPR number if the customer is allowed to handle CPR numbers and if the SignerID element has been set to SSN. The CPR number will be returned as a custom property named "national-identifier". Read for more information about custom properties.

User experience

Step 1 - eID selection

The eID selection page is displayed if there are more than one possible eID to display to the user. The usage of the AcceptedPKIs element in the sign order or adding the forcepkivendor parameter to the sign URL can control the number of eIDs to display to the user.

eID selection page for standalone and pop-up UI:

Step 1 - eID selection 2.PNG

eID selection page for embedded UI:

Step 1 - eID selection.PNG

Step 2 - read document

The document is opened in an iframe. The minimum recommended iframe height is 600px. The document title displayed is the value from the Document -> Title element in the sign order. The reference code is set by NemLog-in3 and this is also displayed when the user authenticates.

MitID - read document.PNG

Step 3 - authentication

The user is redirected to NemLog-in for authentication. The NemLog-in page opens in a new browser window. In the first test version of MitID signing, the customers must use the Test login tab to authenticate. See the test users page for test users.

MitID - NemLog-in.PNG

Step 4 - accept terms

The user must accept the terms to complete the signing.

MitID - terms and conditions.PNG

Step 5 - sign 

Select the user and sign as private user. The document title and reference code is following the transaction.

MitID - sign.PNG

Step 6 - finalizing document signing

The NemLog-in browser window is closed and the user is directed back to the document signing page. The document is now being signed and the user is directed to the wanted exit url.

MitID - sign3.png

Document types and sizes

​​The following document formats are supported using NemID:

  • PDF
  • Text

Note: XML/XSL and HTML may be available later. If you need signing with these formats, please contact support.esecurity@nets.eu to inform us about your need.

The size limit of a document in E-Signing is set to 10 MB base64 encoded document. An encoded document adds approximately 30 % extra to a non-encoded document.

PDF validation

The supported PDF format is based on the PDF format supported by the NemID Signing Client with some exceptions.

See appendix D in https://migrering.nemlog-in.dk/media/fcej4wyk/signeringsdokumentation-v1-0-1.zip

MitID PAdES

MitID offers PAdES as an output format when signing PDF documents and this is supported in the E-Signing service. Each PAdES  may only include one MitID signature, and this is restricted in the sign order. 

Note: MitID PAdES can't be used in combination with NemID signing. 

Also note, that the MitID PAdES signing may be used in combination with Norwegian BankID PAdES signing. The MitID PAdES signing must be defined in the first step of the order, and the Norwegian BankID PAdES signing in later steps. 

Authentication-based signing

The E-Signing service offers the possibility to sign a document based on an authentication. To create a sign order with authentication-based signing, please have a look at the authentication-based signing page.

The MitID specific values are listed in the table below:

​Element/parameter​Description​Value
​AuthenticationID
​This element can be used to indicate that MitID is one of the eID's the signer can sign with. ​mitid
​IncludeSSN
​This element can be used to request the return of the user's SSN in the signed document. The SSN will be returned as a custom property value - ID Token. Note: If the SignerID has been set to the user's SSN, the SSN will also be returned in the ID Token custom property.
​[true | false]
​SignerID

The SignerID element can specify which user that will sign the document. For authentication-based signing with MitID, this is either the user's CPR number or the MitID UUID (can be retrieved from a user authentication). 

If the PID is used as SignerID, the first screen in the authentication dialogue will be skipped. 

​IDType: SSN or PID

IDValue: 

    • SSN: User's CPR number
    • PID: User's mitid.uuid 
​forcepkivendorThe forcepkivendor parameter can be used to point the user directly to this eID. Read more about forcepkivendor. ​abs:mitid

User experience

Read the document

The document is presented by E-Signing. The UI below is based on the Standalone UI. 

MitID-abs - read doc.PNG

User authentication

The user is redirected to Signaturgruppens eID broker. This page may be customized for each customer. See MitID description at the E-Ident page for more information. 

Note: The first page in the authentication dialogue may be skipped if the user's MitID UUID is known and defined as the SignerID. In those cases, the user will be directed straight to the next step in the MitID authentication flow. This may be the page informing the user to open the MitID app. MitID-abs - auth.PNG

Open app or other identification tool

The next steps in the MitID authentication flow. This may be information to open the MitID app, but may be other steps also.