BankID (SE)

Used by almost 8 million Swedes, BankID has become a household brand and a highly trusted digital identification and signing service for Swedish citizens. Almost 7 million have a Mobile BankID, and this eID was used in 96% of logins and signings. It is also available as BankID on file and BankID on card.

Enable BankID in your services

To enable BankID login through E-Ident, a merchant certificate ("förlitande certifikat") is required; it is used in the communication between E-Ident (on your behalf) and BankID. Nets is a reseller of BankID and will help establish this certificate.

More information about BankID:

Merchant certificate ("Förlitande certifikat")

BankID agreement through Nets as reseller

To establish the "Förlitande certifikat", Nets needs the following information:

  • Your organisation name
  • Certificate display name (this is visible in the BankID security application during the end user's login)
  • VAT number

Nets will handle the communication with a bank issuing the certificate.

BankID agreement directly with an issuing bank

It is also possible to have a BankID agreement directly with a bank issuing BankID. You will need to enter into an agreement with the bank. To establish the "Förlitande certifikat", these steps must be done:

  1. Provide Nets with information about your organisation name, VAT number, certificate display name (visible during end user login) and the bank name.
  2. Nets will generate a certificate request based on this information and send it to you.
  3. You need to forward this certificate request to your bank. Do not make your own certificate request: the issued certificate must match the key pair behind the request Nets generated.
  4. The bank will issue the certificate based on the certificate request. Please forward this to Nets.
  5. Nets will install the certificate and set up your configuration with BankID.

Test "Förlitande certifikat"

Nets has a default test certificate that all customers can use. This will be set up during configuration, and you do not need to do anything.

BankIDs for end users 

BankIDs for end users are available as BankID on file, BankID on card or Mobile BankID. The client used can be deduced from the CERTPOLICYOID attribute in the SAML assertion or from the certpolicyoid claim in the OIDC ID Token.

These are the possible values (from BankID's own documentation):

The values for production BankIDs are:

  • "1.2.752.78.1.1" - BankID on file
  • "1.2.752.78.1.2" - BankID on smart card
  • "1.2.752.78.1.5" - Mobile BankID
  • "1.2.752.71.1.3" - Nordea e-id on file and on smart card.

The values for test BankIDs are:

  • "1.2.3.4.5" - BankID on file
  • "1.2.3.4.10" - BankID on smart card
  • "1.2.3.4.25" - Mobile BankID
  • "1.2.752.71.1.3" - Nordea e-id on file and on smart card.
  • "1.2.752.60.1.6" - Test BankID for some BankID Banks

Test users

See here for more information on how to get a BankID test user.

Information about the end user

Type                   | OIDC claim    | OIDC scope | SAML attribute | Comments
Country                | c             | cert       | C              | The end user's country.
End user certificate   | certificate   | cert       | CERTIFICATE    | The end user's certificate.
Certificate policy OID | certpolicyoid | cert       | CERTPOLICYOID  | The certificate policy OID from the end user certificate.
Common name            | cn            | cert       | CN             | The common name from the end user's certificate.
Distinguished name     | dn            | cert       | DN             | The distinguished name from the end user's certificate.
Family name            | family_name   | profile    | SURNAME        | The end user's family name.
Given name             | given_name    | profile    | GIVENNAME      | The end user's first name(s).
Swedish SSN            | se_ssn / ssn  | ssn        | SE_SSN         | The end user's social security number. For the OIDC protocol, this is returned in both the se_ssn and ssn claims.

​Handling of SSN

A user's SSN is part of the end user certificate and is always available from a BankID login. The SSN is the same as the SERIALNUMBER part of the dn claim in the ID Token (OIDC) or the DN attribute in the assertion (SAML). An example of this:

CN=Olav Widen, OID.2.5.4.41=(180427 13.09) Olav Widen - BankID på fil, SERIALNUMBER=195310021935, GIVENNAME=Olav, SURNAME=Widen, O=Testbank A AB (publ), C=SE 
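As an added example (not part of the Nets documentation or E-Ident's own code), the following Python shows the checks a relying party can run on the claims it receives after a BankID login: classify the certpolicyoid against the production and test OID lists above, reject test policies when the service runs in production, parse the dn value and confirm that its SERIALNUMBER equals the se_ssn/ssn claims, and verify the SSN with the Luhn check digit rule used for Swedish personnummer. The claims dictionary is constructed for the example: the dn string is the example DN above, the other claim values are assumed. The function names and the production flag are this example's own, and the handling of backslash-escaped commas in the DN is a standard RFC 4514 convention, not something the page specifies.

```python
import re
from datetime import date

# Certificate policy OIDs as listed on this page. The page lists the Nordea OID
# under both production and test; it is treated as production-grade here.
PRODUCTION_POLICIES = {
    "1.2.752.78.1.1": "BankID on file",
    "1.2.752.78.1.2": "BankID on smart card",
    "1.2.752.78.1.5": "Mobile BankID",
    "1.2.752.71.1.3": "Nordea e-id on file and on smart card",
}
TEST_POLICIES = {
    "1.2.3.4.5": "BankID on file (test)",
    "1.2.3.4.10": "BankID on smart card (test)",
    "1.2.3.4.25": "Mobile BankID (test)",
    "1.2.752.60.1.6": "Test BankID for some BankID banks",
}


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514-style DN string into {ATTRIBUTE: value}.

    A backslash escapes the next character, so a '\\,' inside a value (for
    example in an O= organisation name) does not start a new RDN. Attribute
    names are upper-cased; a repeated attribute keeps the last value.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out = {}
    for rdn in rdns:
        key, _, value = rdn.strip().partition("=")
        out[key.strip().upper()] = value.strip()
    return out


def valid_personnummer(ssn: str) -> bool:
    """True for a 12-digit YYYYMMDDNNNC personnummer with a real date and a
    correct Luhn check digit over the last ten digits. Coordination numbers
    (samordningsnummer, day + 60) are not accepted by this date check."""
    if not re.fullmatch(r"\d{12}", ssn):
        return False
    try:
        date(int(ssn[:4]), int(ssn[4:6]), int(ssn[6:8]))
    except ValueError:
        return False
    digits = [int(c) for c in ssn[2:]]
    total = 0
    for i, d in enumerate(digits[:-1]):
        d = d * 2 if i % 2 == 0 else d      # double every other digit, starting with the first
        total += d - 9 if d > 9 else d      # digit sum of a two-digit product
    return (10 - total % 10) % 10 == digits[-1]


def check_bankid_claims(claims: dict, production: bool) -> dict:
    """Validate the BankID-related claims of an ID Token (claim names from the
    table above). Returns the client type and verified identity fields, or
    raises ValueError when something does not add up."""
    oid = claims.get("certpolicyoid")
    if oid in PRODUCTION_POLICIES:
        client = PRODUCTION_POLICIES[oid]
    elif oid in TEST_POLICIES:
        if production:
            raise ValueError(f"test BankID policy {oid} presented to a production service")
        client = TEST_POLICIES[oid]
    else:
        raise ValueError(f"unknown certificate policy OID {oid!r}")

    dn = parse_dn(claims.get("dn", ""))
    serial = dn.get("SERIALNUMBER")
    ssn = claims.get("se_ssn")
    # For OIDC the SSN is returned in both se_ssn and ssn; all three must agree.
    if not serial or serial != ssn or serial != claims.get("ssn"):
        raise ValueError("SSN claims do not match SERIALNUMBER in dn")
    if not valid_personnummer(ssn):
        raise ValueError(f"SSN {ssn} is not a well-formed personnummer")
    return {"client": client, "ssn": ssn, "cn": dn.get("CN"), "issuer": dn.get("O")}


# Constructed sample claims: dn is the example DN from this page, the rest are assumed.
SAMPLE_CLAIMS = {
    "certpolicyoid": "1.2.3.4.5",
    "dn": "CN=Olav Widen, OID.2.5.4.41=(180427 13.09) Olav Widen - BankID på fil, "
          "SERIALNUMBER=195310021935, GIVENNAME=Olav, SURNAME=Widen, O=Testbank A AB (publ), C=SE",
    "se_ssn": "195310021935",
    "ssn": "195310021935",
}

if __name__ == "__main__":
    print(check_bankid_claims(SAMPLE_CLAIMS, production=False))
    try:
        check_bankid_claims(SAMPLE_CLAIMS, production=True)
    except ValueError as err:
        print("rejected:", err)
```

The production flag matters because the default test "Förlitande certifikat" and the test policy OIDs are accepted by the same E-Ident integration; a service that only looks at the SSN would happily accept a test BankID in production.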

​User experience

BankID client

Step 1 (autostart and presetid identification request parameters not set). The picture is an illustration of the UI in standalone and pop-up UI:

[Image: BankID SE - device selection_updated.PNG]

Note: The above screen was recently updated. Previously, when using another device for identification, the user had to enter their national identity number. With the introduction of QR code scanning, this is no longer necessary.

Step 2 (if selecting Mobile BankID):

[Image: BankID SE - QR code.PNG]

Step 2 (if autostart is set or by clicking "BankID on this computer" in step 1). The display name from the "Förlitande certifikat" is "Test av BankID" in this example:

[Image: BankID SE - step2_uten.png]

Step 3 (on mobile phone app):

[Image: BankID SE - mobile.jpg]

Control the start of BankID app

BankID is available using two different versions of the BankID app; one for computers and one for mobile. To control the user interface presented to the end user, the autostart and presetid identification request parameters can be used.

autostart       | presetid       | Behaviour
false (default) | null (default) | The user is presented with a choice of using BankID on this computer or Mobile BankID, for both identification and signing. See BankID's demo implementation of this page: https://demo.bankid.com/nyademobanken/Logon.aspx
false           | <SSN of user>  | Indicates that the end user wants to start the client on another device. The end user is presented with the message "Launch your BankID Security App".
true            | null           | The client is auto-started on the current device.
true            | <SSN of user>  | The client is auto-started on the current device and is limited to the certificate with the given SSN.

Note: On an iPhone in combination with embedded UI or on an Android device (any UI option), the user needs to click on a link to open the app when autostart is set to true.

There is also a problem with the use of autostart in the Chrome browser. This is a security feature in Chrome: a cross-origin iframe is not allowed to navigate the whole window, which is what happens when the BankID app is opened, unless a user gesture (e.g. a click on a button) has occurred. A workaround is to add this attribute on the iframe:

sandbox="allow-top-navigation allow-scripts"

Be aware of what this grants: allow-top-navigation lets the framed E-Ident content navigate your top-level window without a user gesture, so apply the attribute only to the E-Ident iframe, and a sandboxed frame without allow-same-origin runs in an opaque origin, so verify the embedded flow still works with the attribute set.

BankID logo

If needed, the BankID logo can be downloaded from https://www.bankid.com/om-oss/pressmaterial and https://www.bankid.com/assets/bankid/logo/BankID-varumarkesguide-v10-SE-2019-06-11.pdf.

​​Known issues

It is not always possible to detect whether the BankID app is installed on the device used for identification when using a mobile device. When the BankID app is closing, E-Ident tries to redirect the user back to the browser. However, it is not guaranteed that the user is redirected back to the same browser as the one that started the session. The customer implementation must support the user being redirected back in a new web browser, e.g. cookies cannot be used. In practice this means the session reference carried in the redirect (the OIDC state parameter or the SAML RelayState) must be resolvable on the server, rather than matched against a cookie set when the login started.