Enable NemID in your services
To enable NemID login through E-Ident, we need a VOCES certificate issued to your organisation and some information. The information will be gathered in the dialogue with support.
More information about NemID:
All customers must order a new NemID VOCES (“virksomhedscertifikat”) certificate to be used with E-Ident and/or E-Signing in production. In test, your configuration will be set up with a general test VOCES.
Ordering a NemID Company certificate (called production-VOCES)
NemID offers a PID/RID cpr-service that can match a user’s PID/RID with a CPR number. This will be ordered for you during configuration in E-Ident and/or E-Signing.
- Support will send you the prepared agreement. Please verify the information and let an authorised officer sign it. Return the signed agreement to email@example.com as a scanned PDF.
Info about PID/RID can be found here:
NemID production access (only applicable if customer already have a TU-agreement)
If you already have a TU-agreement (“tjenesteudbyder”), a request for production access for your new production-VOCES will be done upon configuration in E-Ident and/or E-Signing.
- Support will request a new Friendly name from you. Note: The Friendly name must be different from any of your other production-VOCES certificates.
NemID production access (if no TU-agreement is in place)
If you do not have a TU-agreement, support will fill out the agreement to be a service provider on behalf of the customer.
- Support will request some information from you and you will receive information about the standard and general terms according to the TU-agreement. You will also receive a form to accept that support makes a TU-agreement on your behalf.
Information about test users and how to create them can be found
Retrieve SSN (CPR)
The CPR (Danish social security number) is not a part of the NemID end user certificate that is returned during a user authentication unless you are a public organisation. However, NemID is offering a service to match the PID (personal identifier from NemID end user certificate) with the user's CPR. To get the CPR number you need to do this:
When this is set, the user will be prompted for their CPR number and this will be returned in the ID Token (OIDC) and Assertion (SAML). The E-Ident service will do a lookup towards the PID/CPR register to match the PID and the typed CPR. The CPR number will be returned in the
dk_ssn claim /
DK_SSN of respectively the ID Token and SAML assertion. The CPR page is listed as step 3 below.
Step 1 (enter user ID and password):
Step 2 (enter key code):
Step 3 (optional - enter CPR):
NemID transaction text in the code app
It is possible to add a transaction text to the NemID code app. This is added by appending the transactiontext parameter to the identification request. The text is visible in the code app as the "This is the input to the transaction text parameter" text in the screen shot example below.
Read more about the identification request parameters for OIDC
NemID Codefile client
Step 1 (select certificate):
Step 2 (enter password):
CSS style adjustment
The Step 3 page where the user enters his/her CPR number can be styled by overriding the Nets default style.
Read for more information about CSS styling and download of Nets default style.
Private NemID - on behalf of companies
A user may choose to use his or hers private NemID (POCES) when acting on behalf of a company. This feature is also available when using E-Ident. During the logon flow, the user will select the company he or she will represent and this information is sent to the customer.
Read more about the usage of private NemID in a company setting:
To use this functionality in E-Ident, you need to:
- be an ID-Rights customer as well as E-Ident (no integration to ID-Rights necessary)
- have a PID/CPR agreement
User flow and implementation
- The customer sends an identification request to E-Ident.
- If OIDC, the
organisation scope must be appended to the request
- If SAML, the
returnorg=true parameter must be appended to the request.
- The user logs in with his/her private NemID.
- After the NemID login, the user will be prompted for his/her CPR number to retrieve information about companies the user are authorised to represent on his/her own.
- In the background, a PID/CPR match is performed using the PID from the NemID certificate used for login and the typed CPR. This to validate that the NemID login session belongs to the person with the typed CPR.
- A lookup to Virk.dk is performed using the CPR number.
- The user is presented with a list of companies he/she is authorised to represent.
- He/she selects the company he/she will represent in this session.
- Information about the selected company is returned in the IDToken (OIDC) or Assertion (SAML) as the following values:
- IDToken values:
- authorized_to_represent: CVR number
- organisation_name: Name of organisation
- organisation_number: CVR number
- Assertion attributes:
- AUTHORIZED_TO_REPRESENT: CVR number
- ORGANISATION_NAME: Name of organistation
- ORGANISATION_NUMBER: CVR number
- In case of error, the following error codes are returned:
- The PID/CPR match fails:
- The user is not authorised to represent any company:
- A system error like timeout towards backend systems and Virk.dk:
After the regular NemID login the user will be presented with a page to enter his/hers CPR number (ref. point 3 above):
A list of companies the user is autorised to represent is presented, and the user selects the one to use in this session:
The testing of this functionality is done towards a mock test database. We have registered these users from the list of NemID test users in the mock data.
- Tinemarie258 - to test with a user that isn't authorised to represent any company.
To test with any of you own NemID test users, please send the test user's CPR number and some fake CVR numbers to our support.