NemID (DK)

NemID gives you a solution that customers are conversant with and accustomed to. The majority of the Danish population aged 15 or older use NemID for online banking and on public and private websites.

Enable NemID in your services

To enable NemID login through E-Ident, we need a VOCES certificate issued to your organisation and some information. The information will be gathered in the dialogue with support.

More information about NemID:


VOCES certificate

All customers must order a new NemID VOCES (“virksomhedscertifikat”) certificate to be used with E-Ident and/or E-Signing in production. In test, your configuration will be set up with a general test VOCES.

Ordering a NemID Company certificate (called production-VOCES)

NemID VOCES.jpg

PID/RID agreement

NemID offers a PID/RID cpr-service that can match a user’s PID/RID with a CPR number. This will be ordered for you during configuration in E-Ident and/or E-Signing.

  • Support will send you the prepared agreement. Please verify the information and let an authorised officer sign it. Return the signed agreement to support.esecurity@nets.eu as a scanned PDF.

Info about PID/RID can be found here: http://www.nets.eu/dk-da/Produkter/Sikkerhed/NemID-tjenesteudbyder/supplerende-produkter/PID-RID-cpr-tjenester/Pages/default.aspx#tab1


NemID production access (only applicable if the customer already has a TU-agreement)

If you already have a TU-agreement (“tjenesteudbyder”), a request for production access for your new production-VOCES will be done upon configuration in E-Ident and/or E-Signing.

  • Support will request a new Friendly name from you. Note: The Friendly name must be different from any of your other production-VOCES certificates.


NemID production access (if no TU-agreement is in place)

If you do not have a TU-agreement, support will fill out the agreement to be a service provider on behalf of the customer.

  • Support will request some information from you and you will receive information about the standard and general terms according to the TU-agreement. You will also receive a form to accept that support makes a TU-agreement on your behalf.

Test users

Information about test users and how to create them can be found here

Retrieve SSN (CPR)

The CPR (Danish social security number) is not a part of the NemID end user certificate that is returned during a user authentication unless you are a public organisation. However, NemID offers a service to match the PID (personal identifier from the NemID end user certificate) with the user's CPR. This requires that the end user types his/her CPR number after identification. The E-Ident service will do a lookup towards the PID/CPR register to match the PID and the typed CPR. In those cases, the CPR number will be returned in the dk_ssn claim of the ID Token or the DK_SSN attribute of the SAML assertion. When using OIDC, remember to include ssn as part of the scope in the identification request. The CPR page is listed as step 3 below.

User experience

NemID JavaScript client

Step 1 (enter user ID and password):

NemID JS - step 1_uten.png 

Step 2 (enter key code):

NemID JS - step 2_uten.png

Step 3 (optional - enter CPR):

NedID JS - step 3_med.png

NemID transaction text in the code app

It is possible to add a transaction text to the NemID code app. This is added by appending the transactiontext parameter to the identification request. The text is visible in the code app as the "This is the input to the transaction text parameter" text in the screen shot example below.
Read more about the identification request parameters for OIDC and SAML.

NemID Codefile client

Step 1 (select certificate):

NemID CodeFile - step 1.png

Step 2 (enter password):

NemID CodeFile - step 2.png

CSS style adjustment

The Step 3 page where the user enters his/her CPR number can be styled by overriding the Nets default style.

Read more about CSS styling and downloading the Nets default style.

Private NemID - on behalf of companies

A user may choose to use his or her private NemID (POCES) when acting on behalf of a company. This feature is also available when using E-Ident. During the logon flow, the user will select the company he or she will represent and this information is sent to the customer.

Read more about the usage of private NemID in a company setting: https://digst.dk/it-loesninger/nemlog-in/om-loesningen/initiativer/

Prerequisites

To use this functionality in E-Ident, you need to:

  • be an ID-Rights customer as well as an E-Ident customer (no integration to ID-Rights necessary)
  • have a PID/CPR agreement

User flow and implementation

  1. The customer sends an identification request to E-Ident.
    1. If OIDC, the organisation scope must be appended to the request
    2. If SAML, the returnorg=true parameter must be appended to the request.
  2. The user logs in with his/her private NemID. 
  3. After the NemID login, the user will be prompted for his/her CPR number to retrieve information about companies the user is authorised to represent on his/her own.
    1. In the background, a PID/CPR match is performed using the PID from the NemID certificate used for login and the typed CPR. This validates that the NemID login session belongs to the person with the typed CPR.
    2. A lookup to Virk.dk is performed using the CPR number.
  4. The user is presented with a list of companies he/she is authorised to represent.
  5. He/she selects the company he/she will represent in this session. 
  6. Information about the selected company is returned in the IDToken (OIDC) or Assertion (SAML) as the following values:
    1. IDToken values:
      1. authorized_to_represent: CVR number
      2. organisation_name: Name of organisation
      3. organisation_number: CVR number
    2. Assertion attributes:
      1. AUTHORIZED_TO_REPRESENT: CVR number
      2. ORGANISATION_NAME: Name of organisation
      3. ORGANISATION_NUMBER: CVR number
  7. In case of error, the following error codes are returned:
    1. The PID/CPR match fails: incorrectcpr
    2. The user is not authorised to represent any company: blankcvr
    3. A system error like timeout towards backend systems and Virk.dk: nemidserviceloadfailed
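
The following Python is an added example, not code from Nets or from E-Ident: it shows how a relying party might build the OIDC scope described under "Retrieve SSN (CPR)" and in step 1, and then accept the company claims from step 6 only after the checks a security review would expect. Function names and sample values are constructed; how the step 7 error code reaches your callback is not stated on this page, so it is passed in as a plain string, and the ID Token is assumed to be already signature-verified.

```python
# Scope names, claim names and error codes are the ones listed on this page;
# function names and sample values are constructed for this example.
ERROR_HANDLING = {
    "incorrectcpr": "PID/CPR match failed: let the user retype the CPR number",
    "blankcvr": "deny: the user is not authorised to represent any company",
    "nemidserviceloadfailed": "backend or Virk.dk failure: retry later",
}


class OnBehalfOfError(Exception):
    """Raised whenever no company may be bound to the session."""


def build_scope(want_cpr=False, on_behalf_of=False):
    """Space-separated OIDC scope for the identification request."""
    scope = ["openid"]  # required by OIDC itself
    if want_cpr:
        scope.append("ssn")  # CPR is then returned in the dk_ssn claim
    if on_behalf_of:
        scope.append("organisation")  # enables the company selection step
    return " ".join(scope)


def selected_company(claims, requested_scope, error_code=None):
    """Return (cvr, name) from ID Token claims. The caller must already have
    verified the token's signature, issuer, audience and nonce."""
    if error_code is not None:
        # Unknown codes fail closed instead of falling through to the claims.
        raise OnBehalfOfError(ERROR_HANDLING.get(error_code, "unknown error code"))
    if "organisation" not in requested_scope.split():
        # Never accept company claims the request did not ask for.
        raise OnBehalfOfError("organisation scope was not requested")
    cvr = claims.get("authorized_to_represent")
    name = claims.get("organisation_name")
    if not cvr or not name:
        raise OnBehalfOfError("company claims missing from ID Token")
    # Assumption: both claims carry the CVR of the company chosen in step 5.
    if cvr != claims.get("organisation_number"):
        raise OnBehalfOfError("CVR claims disagree")
    return cvr, name


# Constructed sample claims (not real data).
SAMPLE_CLAIMS = {
    "authorized_to_represent": "12345678",
    "organisation_name": "Example ApS",
    "organisation_number": "12345678",
}
```

Keep the dk_ssn value out of application logs and error messages; the exception texts above deliberately contain no claim values.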

User interface

After the regular NemID login the user will be presented with a page to enter his/her CPR number (ref. point 3 above):

Private NemID - on behalf of - 1.png

A list of companies the user is authorised to represent is presented, and the user selects the one to use in this session:

Private NemID - on behalf of - 2.png

The testing of this functionality is done towards a mock test database. We have registered these users from the list of NemID test users in the mock data.

  • Tienna141
  • Thorgrim122
  • Tinemarie258 - to test with a user that isn't authorised to represent any company.

To test with any of your own NemID test users, please send the test user's CPR number and some fake CVR numbers to our support.