BankID (SE)

Used by almost 8 million Swedes, BankID has become a household brand and a highly trusted digital identification and signing service for Swedish citizens. Almost 7 million have a mobile BankID, and this eID was used in 96 % of logins and signings. It is also available as BankID on file and BankID on card.

Enable BankID in your services

To enable BankID login through E-Ident, a merchant certificate ("förlitande certifikat") is required for the communication between E-Ident (acting on your behalf) and BankID. Nets is a reseller of BankID and will help establish this certificate.

More information about BankID:

Merchant certificate ("Förlitande certifikat")

BankID agreement through Nets as reseller

To establish the "Förlitande certifikat", Nets needs the following information:

  • Your organisation name
  • Certificate display name (this is visible in the BankID security application during the end user's login)
  • VAT number

Nets will handle the communication with a bank issuing the certificate.

BankID agreement directly with an issuing bank

It is also possible to have a BankID agreement directly with a bank issuing BankID. You will need to enter into an agreement with the bank. To establish the "Förlitande certifikat", the following steps must be completed:

  1. Provide Nets with your organisation name, VAT number, certificate display name (visible during end user login) and the name of the bank.
  2. Nets will generate a certificate request based on this information and send it to you.
  3. Forward this certificate request to your bank. Do not make your own certificate request.
  4. The bank will issue the certificate based on the certificate request. Forward the issued certificate to Nets.
  5. Nets will install it and set up your configuration with BankID.

Test "Förlitande certifikat"

Nets has a default test certificate that all customers can use. This will be set up during configuration, and you do not need to do anything.

BankIDs for end users 

BankID for end users is available as BankID on file, BankID on card or Mobile BankID. The client used can be deduced from the CERTPOLICYOID attribute in the SAML assertion or from the certpolicyoid claim in the OIDC ID Token.

These are the possible values (from BankID's own documentation):

The values for production BankIDs are:

  • "1.2.752.78.1.1" - BankID on file
  • "1.2.752.78.1.2" - BankID on smart card
  • "1.2.752.78.1.5" - Mobile BankID
  • "1.2.752.71.1.3" - Nordea e-id on file and on smart card.

The values for test BankIDs are:

  • "1.2.3.4.5" - BankID on file
  • "1.2.3.4.10" - BankID on smart card
  • "1.2.3.4.25" - Mobile BankID
  • "1.2.752.71.1.3" - Nordea e-id on file and on smart card
  • "1.2.752.60.1.6" - Test BankID for some BankID banks

Test users

See here for more information on how to get a BankID test user.

Information about the end user

| Type | OIDC | SAML | Comments |
|---|---|---|---|
| Country | c (requires scope=cert) | C | The end user's country. |
| End user certificate | certificate (requires scope=cert) | CERTIFICATE | The end user's certificate. |
| Certificate policy OID | certpolicyoid (requires scope=cert) | CERTPOLICYOID | The certificate policy OID from the end user certificate. |
| Common name | cn (requires scope=cert) | CN | The common name from the end user's certificate. |
| Distinguished name | dn (requires scope=cert) | DN | The distinguished name from the end user's certificate. |
| Family name | family_name (requires scope=profile) | SURNAME | End user's family name. |
| Given name | given_name (requires scope=profile) | GIVENNAME | End user's first name(s). |
| Level of Assurance | acr | ACR | Accepts acr_values of urn:eident:acrp:level:substantial or urn:eident:acrp:level:low. Always returns urn:eident:cert:eidas:substantial. |
| Swedish SSN | se_ssn / ssn (requires scope=ssn) | SE_SSN | The end user's social security number. For the OIDC protocol, this is returned in both the se_ssn and ssn claim. |

Handling of SSN

A user's SSN is part of the end user certificate and is always available from a BankID login. The SSN is the same as the SERIALNUMBER part of the dn claim in the ID Token (OIDC) or the DN attribute in the assertion (SAML). An example of this:

CN=Olav Widen, OID.2.5.4.41=(180427 13.09) Olav Widen - BankID på fil, SERIALNUMBER=195310021935, GIVENNAME=Olav, SURNAME=Widen, O=Testbank A AB (publ), C=SE 
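As an added example (not part of the Nets documentation), the following Python parses the dn claim shown above, checks that the ssn and se_ssn claims agree with SERIALNUMBER, and classifies the client from certpolicyoid using the OID lists given earlier on this page. The sample DN is the test-bank DN quoted above; the claims dict is assumed to come from an ID Token whose signature has already been verified.

```python
# Certificate policy OIDs as listed on this page (from BankID's documentation).
PRODUCTION_POLICY_OIDS = {"1.2.752.78.1.1": "BankID on file",
                          "1.2.752.78.1.2": "BankID on smart card",
                          "1.2.752.78.1.5": "Mobile BankID",
                          "1.2.752.71.1.3": "Nordea e-id on file and on smart card"}
TEST_POLICY_OIDS = {"1.2.3.4.5": "BankID on file", "1.2.3.4.10": "BankID on smart card",
                    "1.2.3.4.25": "Mobile BankID",
                    "1.2.752.71.1.3": "Nordea e-id on file and on smart card",
                    "1.2.752.60.1.6": "Test BankID for some BankID banks"}
# The test-bank DN quoted above on this page.
SAMPLE_DN = ("CN=Olav Widen, OID.2.5.4.41=(180427 13.09) Olav Widen - BankID på fil, "
             "SERIALNUMBER=195310021935, GIVENNAME=Olav, SURNAME=Widen, "
             "O=Testbank A AB (publ), C=SE")

def parse_dn(dn):
    """Split a DN into {ATTRIBUTE: value}. A backslash escapes the next character,
    so an escaped comma inside a value does not start a new component."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    attrs = {}
    for part in parts:
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs

def check_bankid_claims(claims, production=True):
    """Return (ok, client_type, findings) for the claims of an E-Ident ID Token.
    claims is a plain dict (the decoded, already signature-verified token)."""
    findings = []
    serial = parse_dn(claims.get("dn", "")).get("SERIALNUMBER", "")
    if not (serial.isdigit() and len(serial) == 12):
        findings.append("SERIALNUMBER is not a 12-digit SSN")
    for name in ("ssn", "se_ssn"):  # OIDC returns the SSN in both claims
        if claims.get(name) != serial:
            findings.append(f"{name} claim does not match SERIALNUMBER")
    table = PRODUCTION_POLICY_OIDS if production else TEST_POLICY_OIDS
    client_type = table.get(claims.get("certpolicyoid"))
    if client_type is None:  # e.g. a test-bank OID reaching a production service
        findings.append("certpolicyoid is not valid for this environment")
    return not findings, client_type, findings
```

Rejecting a token whose certpolicyoid belongs to the test list is the simplest guard against a test-bank identity being accepted by a production integration.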

User experience

BankID client

Step 1 (the autostart and presetid/login_hint identification request parameters are not set). The picture illustrates the UI in both standalone and pop-up mode:

[Image: BankID SE - device selection_updated.PNG]

Note: The above screen was recently updated. Previously, when using another device for identification, the user had to enter their national identity number. With the introduction of QR code scanning, this is no longer necessary.

Step 2 (if selecting Mobile BankID):

[Image: BankID SE - QR code.PNG]

Step 2 (if autostart is set, or the user clicks "BankID on this computer" in step 1). The display name from the "Förlitande certifikat" is "Test av BankID" in this example:

[Image: BankID SE - step2_uten.png]

Step 3 (in the app on the mobile phone):

[Image: BankID SE - mobile.jpg]

Control the start of BankID app

BankID is available using two different versions of the BankID app: one for computers and one for mobile. To control the user interface presented to the end user, the autostart, presetid/login_hint and forcepkivendor/amr_values identification request parameters can be used.

| autostart | presetid/login_hint | forcepkivendor/amr_values | Behaviour |
|---|---|---|---|
| false (default) | null (default) | se_bankid (default) | The user will be presented with a choice of using BankID on this computer or Mobile BankID for both identification and signing. See BankID's demo implementation of this page: https://demo.bankid.com/nyademobanken/Logon.aspx |
| false | <SSN of user> | se_bankid | This indicates that the end user wants to start the client on another device. The end user will be presented with the message "Launch your BankID Security App". |
| true | null | se_bankid | A link will be shown to open the BankID app. |
| true | <SSN of user> | se_bankid | A link will be shown to open the BankID app on the same device, and it will be limited to the certificate with the given SSN. |
| false | null | se_bankid:mobile | Desktop users: the user will be redirected to a page showing a QR code to scan. Mobile users: the user will be presented with a choice of using Mobile BankID on this device or Mobile BankID on another device. |

BankID logo

If needed, the BankID logo can be downloaded from https://www.bankid.com/om-oss/pressmaterial and https://www.bankid.com/assets/bankid/logo/BankID-varumarkesguide-v10-SE-2019-06-11.pdf.

Transaction text

A transaction text may be connected to the BankID transaction through either the regular OIDC identification flow or the OIDC CIBA flow. For the OIDC identification flow, the transactiontext parameter may be appended to the identification request. For the CIBA flow, the binding message must be used.

This feature invokes the BankID signing flow. See the Eident_context section below for how to supply markdown.

Eident_context

If an OIDC signed request is provided with the parameter eident_context, the given value is used as the transaction text displayed on the end user's device. The eident_context value should be the base64 encoding of a JSON object in the following format:

{
  "transactiontext": "<base64-encoded content from the merchant>",
  "transactiontext_type": "<text/markdown>"
}

"transactiontext" may contain plain text or markdown and accepts a maximum of 1500 base64-encoded characters. "transactiontext_type" accepts only the value "text" or "markdown".
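An added example, not code from Nets or E-Ident: building and decoding the eident_context value in the format above, enforcing the 1500-character limit, and assembling the request-object claims that carry it together with the autostart, login_hint and amr_values parameters from the table in the "Control the start of BankID app" section. The scope, response_type and acr_values values are assumptions for illustration, and signing the request object is left to your OIDC library.

```python
import base64
import json

MAX_TRANSACTIONTEXT_B64 = 1500  # limit stated on this page for the encoded text

def build_eident_context(text, text_type="text"):
    """Encode a transaction text into the eident_context value described above:
    the text is base64-encoded, wrapped in the JSON object, and the JSON is
    base64-encoded again. Raises ValueError on inputs E-Ident would reject."""
    if text_type not in ("text", "markdown"):
        raise ValueError("transactiontext_type must be 'text' or 'markdown'")
    text_b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    if len(text_b64) > MAX_TRANSACTIONTEXT_B64:
        raise ValueError(f"transactiontext is {len(text_b64)} base64 characters, "
                         f"maximum is {MAX_TRANSACTIONTEXT_B64}")
    payload = {"transactiontext": text_b64, "transactiontext_type": text_type}
    return base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")

def decode_eident_context(value):
    """Inverse of build_eident_context: returns (text, text_type). Useful for
    logging exactly what was presented to the end user for signing."""
    payload = json.loads(base64.b64decode(value))
    text = base64.b64decode(payload["transactiontext"]).decode("utf-8")
    return text, payload["transactiontext_type"]

def request_object_claims(client_id, redirect_uri, state, nonce, eident_context,
                          autostart=False, login_hint=None, amr_values="se_bankid"):
    """Claims for the signed OIDC request object. Parameter names come from this
    page; scope, response_type and acr_values are assumed values for illustration
    and the JWT signing itself is left to your OIDC library."""
    claims = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid profile ssn cert",
              "state": state, "nonce": nonce,
              "acr_values": "urn:eident:acrp:level:substantial",
              "amr_values": amr_values,  # se_bankid or se_bankid:mobile
              "autostart": "true" if autostart else "false",
              "eident_context": eident_context}
    if login_hint:  # SSN of the user: limits app start to that certificate
        claims["login_hint"] = login_hint
    return claims
```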

Known issues

It is not always possible to detect whether the BankID app is installed on the device used for identification when that device is a mobile device. When the BankID app closes, E-Ident tries to redirect the user back to the browser. However, it is not guaranteed that the user is redirected back to the same browser that started the session. The customer implementation must support the user being redirected back in a new web browser, e.g. cookies cannot be used.