Enable NemID in your services
To enable NemID login through E-Ident, we need a VOCES certificate issued to your organisation and some information. The information will be gathered in the dialogue with support.
More information about NemID:
All customers must order a new NemID VOCES (“virksomhedscertifikat”) certificate to be used with E-Ident and/or E-Signing in production. In test, your configuration will be set up with a general test VOCES.
Ordering a NemID Company certificate (called production-VOCES)
NemID offers a PID cpr-service that can match a user’s PID with a CPR number. This will be ordered for you during configuration in E-Ident and/or E-Signing.
- Support will send you the prepared agreement. Please verify the information and let an authorised officer sign it.
- Return the signed agreement to firstname.lastname@example.org as a scanned PDF.
Info about PID can be found here:
Note: RID CPR matching is not supported due to the low number of user's with a CPR connected to their employee certificate.
NemID production access (only applicable if customer already have a TU-agreement)
If you already have a TU-agreement (“tjenesteudbyder”), a request for production access for your new production-VOCES will be done upon configuration in E-Ident and/or E-Signing.
- Support will request a new Friendly name from you. Note: The Friendly name must be different from any of your other production-VOCES certificates.
NemID production access (if no TU-agreement is in place)
If you do not have a TU-agreement, support will fill out the agreement to be a service provider on behalf of the customer.
- Support will request some information from you and you will receive information about the standard and general terms according to the TU-agreement. You will also receive a form to accept that support makes a TU-agreement on your behalf.
Information about test users and how to create them can be found
Information about the end user
|Authorised to represent|
|The organisation number (CVR number) of the organisation the user is authorised to represent. Only available when using the
Private NemID - on behalf of companies function. |
|End user certificate|
|CERTIFICATE||The end user's certificate. |
|Certificate policy OID|
|The certificate policy OID from the end user certificate. |
CN||The common name from the end user's certificate. |
dk_dan_pid / pid
DK_DAN_PID||NemID personal identifier. Example: PID:1234-5678-2-627032981126|
|Employee identifier||dk_dan_rid||DK_DAN_RID||RID number from certificate. Only present in employee certificates. Example: CVR:30808460-RID:42634739|
|Danish CPR number|
dk_ssn / ssn
|The end user's social security number (CPR number). For the OIDC protocol, this is returned in both the
ssn claim. |
The distinguised name from the end user certificate. Example
POCES: "CN=Thorgrim Mathiesen + SERIALNUMBER=PID:1234-5678-2-627032981126, O=Ingen organisatorisk tilknytning, C=DK"
MOCES: "SERIALNUMBER=CVR:12345678-RID:12345678 + CN=TU GENEREL MOCES, O=NETS DANID A/S // CVR:12345678, C=DK"
|Name of the organisation the end user is authorised to represent. Only available when using the
Private NemID - on behalf of companies function. |
Retrieve SSN (CPR)
The CPR (Danish social security number) is not a part of the NemID end user certificate that is returned during a user authentication unless you are a public organisation. However, NemID is offering a service to match the PID (personal identifier from NemID end user certificate) with the user's CPR. To get the CPR number you need to do this:
When this is set, the user will be prompted for their CPR number and this will be returned in the ID Token (OIDC) and Assertion (SAML). The E-Ident service will do a lookup towards the PID/CPR register to match the PID and the typed CPR. The CPR number will be returned in the
ssn claim /
DK_SSN of respectively the ID Token and SAML assertion. The CPR page is listed as step 3 below.
Step 1 (enter user ID and password):
Step 2 (enter key code):
Step 3 (optional - enter CPR). This is an illustration of the standalone and pop-up UI:
NemID transaction text in the code app
It is possible to add a transaction text to the NemID code app. This is added by appending the transactiontext parameter to the identification request. The text is visible in the code app as the "This is the input to the transaction text parameter" text in the screen shot example below.
Read more about the identification request parameters for OIDC
NemID Codefile client
Step 1 (select certificate):
Step 2 (enter password):
If needed, the NemID logo can be downloaded from
Private NemID - on behalf of companies
A user may choose to use his or hers private NemID (POCES) when acting on behalf of a company. This feature is also available when using E-Ident. During the logon flow, the user will select the company he or she will represent and this information is sent to the customer.
Read more about the usage of private NemID in a company setting:
To use this functionality in E-Ident, you need to:
User flow and implementation
- The customer sends an identification request to E-Ident.
- If OIDC, the
organisation scope must be appended to the request
- If SAML, the
returnorg=true parameter must be appended to the request.
- The user logs in with his/her private NemID.
- After the NemID login, the user will be prompted for his/her CPR number to retrieve information about companies the user are authorised to represent on his/her own
- In the background, a PID/CPR match is performed using the PID from the NemID certificate used for login and the typed CPR. This to validate that the NemID login session belongs to the person with the typed CPR.
- A lookup to Virk.dk is performed using the CPR number.
- The user is presented with a list of companies he/she is authorised to represent.
- He/she selects the company he/she will represent in this session.
- Information about the selected company is returned in the IDToken (OIDC) or Assertion (SAML) as the following values:
- IDToken values:
- authorized_to_represent: CVR number
- organisation_name: Name of organisation
- organisation_number: CVR number
- Assertion attributes:
- AUTHORIZED_TO_REPRESENT: CVR number
- ORGANISATION_NAME: Name of organistation
- ORGANISATION_NUMBER: CVR number
- In case of error, the following error codes are returned:
- The PID/CPR match fails:
- The user is not authorised to represent any company:
- A system error like timeout towards backend systems and Virk.dk:
After the regular NemID login the user will be presented with a page to enter his/hers CPR number (ref. point 3 above). This is an illustration of the standalone and pop-up UI:
A list of companies the user is autorised to represent is presented, and the user selects the one to use in this session:
The testing of this functionality is done towards a mock test database. We have registered these users from
the list of NemID test users in the mock data.
- Tinemarie258 - to test with a user that isn't authorised to represent any company.
To test with any of you own NemID test users, please send the test user's CPR number and some fake CVR numbers to