NemID (DK)

NemID gives you a solution that customers are conversant with and accustomed to. The majority of the Danish population aged 15 or older use NemID for online banking and on public and private websites.

Enable NemID in your services

To enable NemID login through E-Ident, we need a VOCES certificate issued to your organisation and some information. The information will be gathered in the dialogue with support.

More information about NemID:

VOCES certificate

All customers must order a new NemID VOCES (“virksomhedscertifikat”) certificate to be used with E-Ident and/or E-Signing in production. In test, your configuration will be set up with a general test VOCES.

Ordering a NemID Company certificate (called production-VOCES)

  • Order the production-VOCES from the link below. Note: The production-VOCES must be ordered by a company administrator at the NemID Self Service:
  • When the production-VOCES is issued, an installation code will be shown. Send this code to support.esecurity@nets.eu.
  • If you forgot to retrieve the installation code, return to the "Administrer virksomhetssignatur" menu to retrieve the code again. Please note that this will generate a new code, and invalidate the old code.

PID agreement

NemID offers a PID cpr-service that can match a user’s PID with a CPR number. This will be ordered for you during configuration in E-Ident and/or E-Signing.

  • Support will send you the prepared agreement. Please verify the information and let an authorised officer sign it.
  • Return the signed agreement to support.esecurity@nets.eu as a scanned PDF.

Info about PID can be found here: http://www.nets.eu/dk-da/Produkter/Sikkerhed/NemID-tjenesteudbyder/supplerende-produkter/PID-RID-cpr-tjenester/Pages/default.aspx#tab1

Note: RID CPR matching is not supported due to the low number of users with a CPR connected to their employee certificate.

Production access

NemID production access (only applicable if the customer already has a TU-agreement)

If you already have a TU-agreement (“tjenesteudbyder”), a request for production access for your new production-VOCES will be done upon configuration in E-Ident and/or E-Signing.

  • Support will request a new Friendly name from you. Note: The Friendly name must be different from any of your other production-VOCES certificates.

NemID production access (if no TU-agreement is in place)

If you do not have a TU-agreement, support will fill out the agreement to be a service provider on behalf of the customer.

  • Support will request some information from you and you will receive information about the standard and general terms according to the TU-agreement. You will also receive a form to accept that support makes a TU-agreement on your behalf.

Test users

Information about test users and how to create them can be found here

Information about the end user

| Type | OIDC | SAML | Comments |
|---|---|---|---|
| Authorised to represent | authorized_to_represent (requires scope=organisation) | AUTHORIZED_TO_REPRESENT | The organisation number (CVR number) of the organisation the user is authorised to represent. Only available when using the Private NemID - on behalf of companies function. |
| End user certificate | certificate (requires scope=cert) | CERTIFICATE | The end user's certificate. |
| Certificate policy OID | certpolicyoid (requires scope=cert) | CERTPOLICYOID | The certificate policy OID from the end user certificate. |
| Common name | cn (requires scope=cert) | CN | The common name from the end user's certificate. |
| Personal identifier | dk_dan_pid / pid (requires scope=openid) | DK_DAN_PID | NemID personal identifier. Example: PID:1234-5678-2-627032981126 |
| Employee identifier | dk_dan_rid | DK_DAN_RID | RID number from certificate. Only present in employee certificates. Example: CVR:30808460-RID:42634739 |
| Danish CPR number | dk_ssn / ssn (requires scope=ssn) | DK_SSN | The end user's social security number (CPR number). For the OIDC protocol, this is returned in both the dk_ssn and ssn claim. |
| Distinguished name | dn (requires scope=cert) | DN | The distinguished name from the end user certificate. Examples: POCES: "CN=Thorgrim Mathiesen + SERIALNUMBER=PID:1234-5678-2-627032981126, O=Ingen organisatorisk tilknytning, C=DK"; MOCES: "SERIALNUMBER=CVR:12345678-RID:12345678 + CN=TU GENEREL MOCES, O=NETS DANID A/S // CVR:12345678, C=DK" |
| Organisation name | organisation_name (requires scope=organisation) | ORGANISATION_NAME | Name of the organisation the end user is authorised to represent. Only available when using the Private NemID - on behalf of companies function. |
| Organisation number (CVR) | organisation_number (requires scope=organisation) | ORGANISATION_NUMBER | Organisation number of end user. Only available in employee (MOCES) certificates or when using the Private NemID - on behalf of companies function. |
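
The dn value can be checked against the identifier claims before it is relied on. The parser below is an added example, not code from the original page or from Nets; the identifier patterns are assumptions derived from the examples in the table, and `parse_dn`, `identify_subject` and `dn_matches_claims` are hypothetical names.

```python
import re

# Identifier formats assumed from the examples in the table above.
PID_RE = re.compile(r"PID:\d{4}-\d{4}-\d-\d{12}")
RID_RE = re.compile(r"CVR:(\d{8})-RID:(\d+)")
# DN examples quoted from the table above.
POCES_DN = "CN=Thorgrim Mathiesen + SERIALNUMBER=PID:1234-5678-2-627032981126, O=Ingen organisatorisk tilknytning, C=DK"
MOCES_DN = "SERIALNUMBER=CVR:12345678-RID:12345678 + CN=TU GENEREL MOCES, O=NETS DANID A/S // CVR:12345678, C=DK"

def parse_dn(dn):
    """Parse a DN string into {ATTR: [values]}, honouring backslash escapes."""
    attrs, cur = {}, []

    def flush():
        key, sep, value = "".join(cur).partition("=")
        if sep:
            attrs.setdefault(key.strip().upper(), []).append(value.strip())
        cur.clear()

    it = iter(dn)
    for ch in it:
        if ch == "\\":
            cur.append(next(it, ""))   # escaped character is data, not a separator
        elif ch in ",+":               # "," ends an RDN, "+" joins a multi-valued RDN
            flush()
        else:
            cur.append(ch)
    flush()
    return attrs

def identify_subject(dn):
    """Classify the subject as POCES (person) or MOCES (employee); fail closed."""
    serials = parse_dn(dn).get("SERIALNUMBER", [])
    if len(serials) != 1:
        raise ValueError("expected exactly one SERIALNUMBER in DN")
    serial = serials[0]
    if PID_RE.fullmatch(serial):
        return {"type": "POCES", "id": serial}
    m = RID_RE.fullmatch(serial)
    if m:
        return {"type": "MOCES", "id": serial, "cvr": m.group(1), "rid": m.group(2)}
    raise ValueError("unrecognised SERIALNUMBER format")

def dn_matches_claims(claims):
    """True when dk_dan_pid / dk_dan_rid agrees with the DN's SERIALNUMBER."""
    subject = identify_subject(claims["dn"])
    claim = "dk_dan_pid" if subject["type"] == "POCES" else "dk_dan_rid"
    return claims.get(claim) == subject["id"]
```

Splitting the DN on ", " without honouring escapes would let a comma inside a name field be read as a separate attribute, which is why the parser walks the string character by character.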

Retrieve SSN (CPR)

The CPR number (Danish social security number) is not part of the NemID end user certificate that is returned during a user authentication unless you are a public organisation. However, NemID offers a service that matches the PID (the personal identifier from the NemID end user certificate) with the user's CPR number. To get the CPR number you need to do this:

  • OIDC: Set the scope parameter to ssn (in addition to other values)
  • SAML: Append the returnssn=true parameter to the identification request.

When this is set, the user will be prompted for their CPR number and this will be returned in the ID Token (OIDC) and Assertion (SAML). The E-Ident service will do a lookup towards the PID/CPR register to match the PID and the typed CPR. The CPR number is returned in the dk_ssn and ssn claims of the ID Token (OIDC) and in the DK_SSN attribute of the assertion (SAML). The CPR page is listed as step 3 below.

User experience

NemID JavaScript client

Step 1 (enter user ID and password):

NemID JS - step 1_uten.png 

Step 2 (enter key code):

NemID JS - step 2_uten.png

Step 3 (optional - enter CPR). This is an illustration of the standalone and pop-up UI:

NemID CPR 2.PNG

NemID transaction text in the code app

It is possible to add a transaction text to the NemID code app. This is added by appending the transactiontext parameter to the identification request. The text is visible in the code app as the "This is the input to the transaction text parameter" text in the screen shot example below.
Read more about the identification request parameters for OIDC and SAML.

NemID Codefile client

Step 1 (select certificate):

NemID CodeFile - step 1.png

Step 2 (enter password):

NemID CodeFile - step 2.png

NemID logo

If needed, the NemID logo can be downloaded from https://www.nemid.nu/dk-da/om-nemid/presse/logo_og_grafik/.

Private NemID - on behalf of companies

A user may choose to use his or her private NemID (POCES) when acting on behalf of a company. This feature is also available when using E-Ident. During the logon flow, the user selects the company he or she will represent, and this information is sent to the customer.

Read more about the usage of private NemID in a company setting: https://digst.dk/it-loesninger/nemlog-in/om-loesningen/initiativer/

Prerequisites

To use this functionality in E-Ident, you need to:

  • have a PID/CPR agreement

User flow and implementation

  1. The customer sends an identification request to E-Ident.
    1. If OIDC, the organisation scope must be appended to the request.
    2. If SAML, the returnorg=true parameter must be appended to the request.
  2. The user logs in with his/her private NemID.
  3. After the NemID login, the user is prompted for his/her CPR number to retrieve information about the companies the user is authorised to represent on his/her own.
    1. In the background, a PID/CPR match is performed using the PID from the NemID certificate used for login and the typed CPR. This validates that the NemID login session belongs to the person with the typed CPR.
    2. A lookup to Virk.dk is performed using the CPR number.
  4. The user is presented with a list of companies he/she is authorised to represent.
  5. He/she selects the company he/she will represent in this session.
  6. Information about the selected company is returned in the IDToken (OIDC) or Assertion (SAML) as the following values:
    1. IDToken values:
      1. authorized_to_represent: CVR number
      2. organisation_name: Name of organisation
      3. organisation_number: CVR number
    2. Assertion attributes:
      1. AUTHORIZED_TO_REPRESENT: CVR number
      2. ORGANISATION_NAME: Name of organisation
      3. ORGANISATION_NUMBER: CVR number
  7. In case of error, the following error codes are returned:
    1. The PID/CPR match fails: incorrectcpr
    2. The user is not authorised to represent any company: blankcvr
    3. A system error like timeout towards backend systems and Virk.dk: nemidserviceloadfailed
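
One way a relying party might turn the outcome of this flow into a session decision, as an added example that is not code from the original page or from Nets. It assumes the ID Token has already been validated, that the CVR claims carry the bare eight-digit number, and that the error code has already been extracted from the response (the page does not say where it is delivered); `company_session`, the decision strings and `allowed_cvrs` are hypothetical names.

```python
import re

CVR_RE = re.compile(r"\d{8}")  # assumption: claims carry the bare 8-digit CVR number

# Error codes from step 7 above, mapped to this example's own decision names.
ERROR_ACTIONS = {
    "incorrectcpr": "ask_user_to_retry",       # PID/CPR match failed
    "blankcvr": "deny_no_company",             # user represents no company
    "nemidserviceloadfailed": "retry_later",   # backend or Virk.dk unavailable
}

def company_session(claims=None, error_code=None, allowed_cvrs=frozenset()):
    """Return (decision, cvr) for an on-behalf-of login; anything unexpected is denied."""
    if error_code is not None:
        # Unknown codes are denied rather than treated as success.
        return ERROR_ACTIONS.get(error_code, "deny_unknown_error"), None
    claims = claims or {}
    cvr = claims.get("authorized_to_represent")
    if not isinstance(cvr, str) or not CVR_RE.fullmatch(cvr):
        return "deny_missing_company", None
    # Step 6 returns the CVR number in both claims, so they must agree.
    if claims.get("organisation_number") != cvr:
        return "deny_inconsistent_company", None
    # The identity provider says who the user may represent; the service
    # still decides which companies it accepts (allowed_cvrs is its own list).
    if cvr not in allowed_cvrs:
        return "deny_company_not_onboarded", None
    return "allow", cvr

# Constructed sample claims for illustration only.
SAMPLE_CLAIMS = {
    "authorized_to_represent": "30808460",
    "organisation_name": "Example ApS",
    "organisation_number": "30808460",
}
```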

User interface

After the regular NemID login, the user will be presented with a page to enter his/her CPR number (ref. point 3 above). This is an illustration of the standalone and pop-up UI:

Private NemID 1.PNG

A list of companies the user is authorised to represent is presented, and the user selects the one to use in this session:

Private NemID 3.PNG

The testing of this functionality is done towards a mock test database. We have registered these users from the list of NemID test users in the mock data.

  • Tienna141
  • Thorgrim122
  • Tinemarie258 - to test with a user that isn't authorised to represent any company.

To test with any of your own NemID test users, please send the test user's CPR number and some fake CVR numbers to our support.