Enable BankID in your services
To get you started with BankID identification through E-Ident, Nets will need a merchant certificate and some configuration setting information from you. The configuration settings are supplied in the setup dialogue with support.
More information about BankID:
Merchant certificate
Nets through the Signing and Identification Services are resellers of BankID merchant certificates, and this can be ordered either separately or together with E-Ident and/or E-Signing. When ordering a merchant certificate through Nets, you will receive an information letter asking you to complete a form with information needed to create a BankID “brukerstedsavtale” with BankID Norge. Note: In this form you need to specify if you are allowed to handle SSN.
The form shall be returned to our support and based on the form Nets will register this order at BankID. After the registration you will be asked to confirm and sign the order. When the order is signed with BankID Norge, it will be sent to your bank for processing. Your bank may use up to 10 business days for processing the order. Nets will then receive activation information for your BankID merchant certificate from your bank. The merchant certificate will be activated and connected to your configuration.
In cases where you use another reseller, the BankID activation link and code must be sent to Nets without activating it. Contact Nets support to get contact details of receiver of the link and code.
Test merchant certificate
Nets will set you up with a common test merchant certificate if nothing else have been agreed.
Test users
Test users are available
here.
To get notified about BankID issues in BankID preproduction environment, subscribe to updates at this page:
Information about the end user
|
Level of assurance |
acr
|
ACR | See section below for possible values.
|
Authentication MEthod
| amr
| AMR
| See section below for possible values.
|
Birth date
| birthdate
Requires scope=profile
| DOB
| End user's date of birth.
|
End user certificate
| certificate Requires scope=cert | CERTIFICATE | The end user's certificate. |
| Certificate policy OID |
certpolicyoid Requires scope=cert |
CERTPOLICYOID | The certificate policy OID from the end user certificate. |
| Common name | cn Requires scope=cert |
CN | The common name from the end user's certificate. Example: "Olsen, Ole" |
| Distinguished name |
dn Requires scope=cert | DN | The distinguished name from the end user's certificate. Example: "CN=Olsen\\, Ole,O=TestBank1 AS,C=NO,SERIALNUMBER=xxxx-xxxx-x-xxxxxx" |
| Family name | family_name Requires scope=profile | SURNAME | End user's family name. Deducted from the first part of the CN field of the BankID end user certificate. Example "Olsen". |
| Given name | given_name Requires scope=profile | GIVENNAME | End user's first name(s). Deducted from the last part of the CN field of the BankID end user certificate. Example "Ole". |
| Personal identifier |
no_bid_pid / pid Requires scope=openid |
NO_BID_PID | Norwegian BankID personal identifier. For the OIDC protocol, this is returned in both the
no_bid_pid and
pid claim. |
Norwegian SSN
|
no_ssn / ssn Requires scope=ssn |
NO_SSN | The end user's social security number (no: fødselsnummer). For the OIDC protocol, this is returned in both the
no_ssn and
ssn claim. |
E-mail address
|
email Requires scope=email | Not Applicable
| The end user's e-mail address
|
Phone number
|
phone number Requires scope=phone | Not Applicable
| The end user's phone number
|
Possible ACR values
Merchants set up with the new (purple) BankID style and user experience will have access to control the level of assurance for specific identification. The level of assurance allowed by eID will be returned in the acr claim/attribute. If the acr_values parameter is not defined, the level of assurance will be not returned. Supported values for the acr_values identification parameter are:
• urn:bankid:bid
• urn:bankid:bis
Upcoming changes to BankID in E-Ident
E-Ident is introducing a new feature to indicate the level of assurance supported by each eID. There will be some changes to the amr and acr request parameters from then onwards.
Supported values for the acr_values identification parameter will be:
• urn:eident:acrp:level:high
• urn:eident:acrp:level:substantial
• urn:eident:acrp:level:low
The possible values for acr claim/attribute in response will be:
• ["urn:eident:cert:eidas:high”]
• ["urn:eident:cert:eidas:substantial”]
• ["urn:eident:cert:eidas:high", "urn:bankid:bid;LOA=4"]
• ["urn:eident:cert:eidas:substantial", "urn:bankid:bis;LOA=3"]
All companies that are allowed to handle social security numbers (SSN) can get this in return after a BankID identification. For customers using the SAML protocol, SSN is returned as default, but this can be turned off by appending returnssn=false to the identification request. For customers using OIDC, SSN will only be returned if scope=ssn is set in the identification request. Read more about the optional eID specific scopes and identification request parameters for OIDC and SAML respectively.
Note: Remember to specify that you want to process SSN when ordering your BankID merchant certificate and giving Nets your E-Ident configuration details.
BankID with Biometric
BankID support biometrics based authentication, where end users can use facial recognition and/or fingerprints in the BankID app to log-in and access services online. By doing so, users will experience that the login process will go from 30 seconds to just a few seconds. The level of assurance for BankID Biometrics is defined as "substantial" where as regular BankID (two-factor based) authentication is considered as "high".
If you want to allow end users to authenticate using BankID Biometric, you need to be set up on the latest (purple) BankID style and you will need to set the acr_values to "urn:bankid:bis", as described in the section above. Please reach out to us if you still don't have access to the new BankID style with biometrics support, and we will assist you in the migration process.
User experience
The below three images shows the flow for a standard BankID authentication.
Step 2 may differ depending on the authentication methods available for the user.
BankID authentication
Step 1 (enter SSN):
Step 2 (enter OTP):
Step 3 (enter password):
Step 4 (check/uncheck EMAIL, PHONE, and ADDRESS): This page will be shown only when scope email, phone and/or address is requested through Eident. If “Cancel” is selected then show the result without email, phone and/or address.
![]()
BankID with Biometric authentication
BankID with Biometric is triggered by setting
acr_values to "urn:bankid:bis". Dialogs are displayed with black background.
Step 1 (enter SSN):
Step 2 (Biometric):
For more information about BankID with Biometric user experience, see official BankID pages at
https://www.bankid.no/en/company/bankid-with-biometrics/
BankID in IFRAME
BankID doesn't support iframe, with one exception. If your
implementation is using the old Legacy BankID, you may still run the BankID client in an iframe, and the recommended and minimum IFRAME sizes from BankID are:
- Large screen (Desktop/tablet): 396px (w) by 280px (h) (recommended) / 370px (w) by 204px (h) (minimum)
- Small screen (Smartphone) (only minimum sizes): 320px (w) by 350px (h) (portrait) / 480px (w) by 200px (h) (landscape)
CSS file adjustment for Legacy BankID in iframe
The BankID client may be styled with CSS. The default styling has CSS rule that set the proper sizes. Styling can be overridden either by setting av style URL in the customer configuration at Nets or by sending a style parameter when starting the identification. The default CSS styling sets width and height to 100%. The client will then expand to fill the container (iframe), regardless of the container size.
When overriding styling, the sample CSS below will produce the same effect as the default styling.
#nobankid_index_html {
height: 100%;
overflow-y: hidden; /* make sure no scroll bar is shown */
}
#nobankid_index_html .iframe,
#nobankid_index_html .iframe .ipage {
height: 100%;
}
#nobankid_index_html .iframe .ipage .main {
height: 100%;
min-height: 200px;
}
Read more about CSS styling and download E-Ident default style here.
Error codes
BankID specific error codes can be found in BankID documentation at https://confluence.bankidnorge.no/confluence/kiev-open/bankid-services-error-codes
BankID logo
If needed, the BankID logo can be downloaded from https://www.bankid.no/privat/om-oss/presse/.
