Enable NemID in your services
To enable NemID login through E-Ident, we need a VOCES certificate issued to your organisation and some information. The information will be gathered in the dialogue with support.
More information about NemID:
VOCES certificate
All customers must order a new NemID VOCES (“virksomhedscertifikat”) certificate to be used with E-Ident and/or E-Signing in production. In test, your configuration will be set up with a general test VOCES.
Ordering a NemID Company certificate (called production-VOCES)
- Order the production-VOCES from the link below. Note: The production-VOCES must be ordered by a company administrator at the NemID Self Service:
- When the production-VOCES is issued, an installation code will be shown. Send this code to the agreed contact at support.esecurity@nets.eu.
- If you forgot to retrieve the installation code, return to the "Administrer virksomhetssignatur" menu to retrieve the code again. Please note that this will generate a new code, and invalidate the old code.
PID agreement
NemID offers a PID cpr-service that can match a user’s PID with a CPR number. This will be ordered for you during configuration in E-Ident and/or E-Signing.
- Support will send you the prepared agreement. Please verify the information and let an authorised officer sign it.
- Return the signed agreement to support.esecurity@nets.eu as a scanned PDF.
Info about PID can be found here:
http://www.nets.eu/dk-da/Produkter/Sikkerhed/NemID-tjenesteudbyder/supplerende-produkter/PID-RID-cpr-tjenester/Pages/default.aspx#tab1
Note: RID CPR matching is not supported due to the low number of users with a CPR connected to their employee certificate.
Production access
NemID production access (only applicable if the customer already has a TU-agreement)
If you already have a TU-agreement (“tjenesteudbyder”), a request for production access for your new production-VOCES will be done upon configuration in E-Ident and/or E-Signing.
- Support will request a new Friendly name from you. Note: The Friendly name must be different from any of your other production-VOCES certificates.
NemID production access (if no TU-agreement is in place)
If you do not have a TU-agreement, support will fill out the agreement to be a service provider on behalf of the customer.
- Support will request some information from you and you will receive information about the standard and general terms according to the TU-agreement. You will also receive a form to accept that support makes a TU-agreement on your behalf.
Test users
Information about test users and how to create them can be found here.
Information about the end user
Authorised to represent | authorized_to_represent Requires scope=organisation | AUTHORIZED_TO_REPRESENT | The organisation number (CVR number) of the organisation the user is authorised to represent. Only available when using the Private NemID - on behalf of companies function. |
End user certificate | certificate Requires scope=cert | CERTIFICATE | The end user's certificate. |
Certificate policy OID | certpolicyoid Requires scope=cert | CERTPOLICYOID | The certificate policy OID from the end user certificate. |
Common name | cn Requires scope=cert | CN | The common name from the end user's certificate. |
Personal identifier | dk_dan_pid / pid Requires scope=openid | DK_DAN_PID | NemID personal identifier. Example: PID:1234-5678-2-627032981126 |
Employee identifier | dk_dan_rid | DK_DAN_RID | RID number from certificate. Only present in employee certificates. Example: CVR:30808460-RID:42634739 |
Danish CPR number | dk_ssn / ssn Requires scope=ssn | DK_SSN | The end user's social security number (CPR number). For the OIDC protocol, this is returned in both the dk_ssn and ssn claim. |
Distinguished name | dn Requires scope=cert | DN | The distinguished name from the end user certificate. Example POCES: "CN=Thorgrim Mathiesen + SERIALNUMBER=PID:1234-5678-2-627032981126, O=Ingen organisatorisk tilknytning, C=DK" MOCES: "SERIALNUMBER=CVR:12345678-RID:12345678 + CN=TU GENEREL MOCES, O=NETS DANID A/S // CVR:12345678, C=DK" |
Organisation name | organisation_name Requires scope=organisation | ORGANISATION_NAME | Name of the organisation the end user is authorised to represent. Only available when using the Private NemID - on behalf of companies function. |
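Added example (not Nets code): one way a relying party can check the identifier claims from the table before using them as an account key. It assumes the ID Token has already been verified by an OIDC library and decoded into a dict; `subject_identifier` is a hypothetical name, and the patterns are inferred from the example values in the table.

```python
import re

# Patterns inferred from the example values in the table (assumption).
PID_RE = re.compile(r"PID:\d{4}-\d{4}-\d-\d{12}")
RID_RE = re.compile(r"CVR:(\d{8})-RID:(\d+)")
DN_SERIAL_RE = re.compile(r"SERIALNUMBER=([^,+]+)")


def subject_identifier(claims):
    """Return ("poces", pid) or ("moces", rid) for a decoded ID Token payload.

    Raises ValueError when the identifier is missing or malformed, or when
    it disagrees with the SERIALNUMBER in the dn claim (dn is only present
    when scope=cert was requested).
    """
    pid = claims.get("dk_dan_pid") or claims.get("pid")
    rid = claims.get("dk_dan_rid")
    if pid:
        if not (isinstance(pid, str) and PID_RE.fullmatch(pid)):
            raise ValueError("malformed personal identifier claim")
        kind, ident = "poces", pid
    elif rid:
        if not (isinstance(rid, str) and RID_RE.fullmatch(rid)):
            raise ValueError("malformed dk_dan_rid claim")
        kind, ident = "moces", rid
    else:
        raise ValueError("no PID or RID claim in token")

    dn = claims.get("dn")
    if dn is not None:
        # The certificate DN carries the same identifier as SERIALNUMBER;
        # a mismatch means the claims do not describe one certificate.
        m = DN_SERIAL_RE.search(dn) if isinstance(dn, str) else None
        if not m or m.group(1).strip() != ident:
            raise ValueError("dn SERIALNUMBER does not match identifier claim")
    return kind, ident
```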
Retrieve SSN (CPR)
The CPR (Danish social security number) is not a part of the NemID end user certificate that is returned during a user authentication unless you are a public organisation. However, NemID is offering a service to match the PID (personal identifier from NemID end user certificate) with the user's CPR. To get the CPR number you need to do this:
When this is set, the user will be prompted for their CPR number and this will be returned in the ID Token (OIDC) and Assertion (SAML). The E-Ident service will do a lookup towards the PID/CPR register to match the PID and the typed CPR. The CPR number will be returned in the dk_ssn and ssn claims of the ID Token and in the DK_SSN attribute of the SAML assertion, respectively. The CPR page is listed as step 3 below.
User experience
NemID JavaScript client
Step 1 (enter user ID and password):
Step 2 (enter key code):
Step 3 (optional - enter CPR). This is an illustration of the standalone and pop-up UI:
NemID transaction text in the code app
It is possible to add a transaction text to the NemID code app. This is added by appending the transactiontext parameter to the identification request. The text is visible in the code app as the "This is the input to the transaction text parameter" text in the screen shot example below.
Read more about the identification request parameters for OIDC and SAML.
NemID Codefile client
Step 1 (select certificate):
Step 2 (enter password):
NemID logo
If needed, the NemID logo can be downloaded from https://www.nemid.nu/dk-da/om-nemid/presse/logo_og_grafik/.
A user may choose to use his or her private NemID (POCES) when acting on behalf of a company. This feature is also available when using E-Ident. During the logon flow, the user will select the company he or she will represent and this information is sent to the customer.
Read more about the usage of private NemID in a company setting:
https://digst.dk/it-loesninger/nemlog-in/om-loesningen/initiativer/
Prerequisites
To use this functionality in E-Ident, you need to:
User flow and implementation
- The customer sends an identification request to E-Ident.
- If OIDC, the organisation scope must be appended to the request.
- If SAML, the returnorg=true parameter must be appended to the request.
- The user logs in with his/her private NemID.
- After the NemID login, the user will be prompted for his/her CPR number to retrieve information about companies the user is authorised to represent on his/her own
- R.
- A lookup to Virk.dk is performed using the CPR number.
- The user is presented with a list of companies he/she is authorised to represent.
- He/she selects the company he/she will represent in this session.
- Information about the selected company is returned in the IDToken (OIDC) or Assertion (SAML) as the following values:
- IDToken values:
- authorized_to_represent: CVR number
- organisation_name: Name of organisation
- organisation_number: CVR number
- Assertion attributes:
- AUTHORIZED_TO_REPRESENT: CVR number
- ORGANISATION_NAME: Name of organisation
- ORGANISATION_NUMBER: CVR number
- In case of error, the following error codes are returned:
- The PID/CPR match fails: incorrectcpr
- The user is not authorised to represent any company: blankcvr
- A system error like timeout towards backend systems and Virk.dk: nemidserviceloadfailed
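Added example (not Nets code): handling the outcome of the on-behalf-of flow described above on the customer side, failing closed unless the organisation values are present and consistent. It assumes the ID Token is already verified and decoded, that the caller has extracted any error code as a string, and that authorized_to_represent and organisation_number carry the same CVR number; `company_session` and the action names are hypothetical.

```python
import re

CVR_RE = re.compile(r"\d{8}")  # Danish CVR numbers are eight digits

# Error codes from the list above, mapped to this application's reaction
# (the action names are an assumption of this example).
ERROR_ACTIONS = {
    "incorrectcpr": "retry",                  # PID/CPR match failed
    "blankcvr": "deny",                       # user represents no company
    "nemidserviceloadfailed": "retry_later",  # backend or Virk.dk failure
}


def company_session(claims=None, error=None):
    """Return ("ok", {"cvr": ..., "name": ...}) or (action, None)."""
    if error is not None:
        # Unknown error codes are denied rather than ignored.
        return ERROR_ACTIONS.get(error, "deny"), None
    claims = claims or {}
    cvr = claims.get("authorized_to_represent")
    org_no = claims.get("organisation_number")
    name = claims.get("organisation_name")
    # A token without the organisation values is a plain personal login
    # and must not be treated as a company session.
    if not (isinstance(cvr, str) and CVR_RE.fullmatch(cvr)):
        return "deny", None
    # Assumption: both values name the company selected in this session.
    if org_no != cvr or not name:
        return "deny", None
    return "ok", {"cvr": cvr, "name": name}
```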
User interface
After the regular NemID login the user will be presented with a page to enter his/her CPR number (ref. point 3 above). This is an illustration of the standalone and pop-up UI:
A list of companies the user is authorised to represent is presented, and the user selects the one to use in this session:
The testing of this functionality is done towards a mock test database. We have registered these users from the list of NemID test users in the mock data.
- Tienna141
- Thorgrim122
- Tinemarie258 - to test with a user that isn't authorised to represent any company.
To test with any of your own NemID test users, please send the test user's CPR number and some fake CVR numbers to our support.