​​​​​​​​​​​​​​​​​​​An identification through E-Ident can be performed using the SAML v1.1 identification protocol. This page outlines the identification process, the identification parameters, single sign-on (SSO) functionality and how to perform a log out.

Content on this page

SAML v1.1 identification

The figure below illustrates the identification sequence for an E-Ident customer using SAML v1.1.



  1. The end user accesses the E-Ident customer site with a request to log on. 
  2. The end user browser is redirected to E-Ident to begin identification. Sample identification request:​/its/index.html?mid=<value>&TARGET=<value>   
    Read more about the mandatory and optional identification request parameters.
  3. End user identification is initiated towards a selected eID. The end user supplies his/her credentials.
  4. E-Ident redirects the end user to the E-Ident customer's artifact resolver URL with the ArtifactID. The artificat resolver URL is defined upon customer registration.
  5. The customer sends a request directly to E-Ident to retrieve the user info based on the ArtifactID. E-Ident returns the SAML assertion containing all information about the user.
    Read more about the content of the SAML assertion.

Identification request parameters

The different identification request parameters are divided in these sections:


midCustomer identifier. This is an ID assigned to the customer upon configuration and must be used in subsequent requests to E-Ident.NA
TARGETData sent back to the artifact receiver after identification. Customers can use this to carry session specific data tokens such as name or URL of resource user intended to access, or a session ID. 

Parameter name must be in upper case.

URL encode following parameters: [? | & | #]



​The additional info parameter can be used by any customer to enter their own information. The parameter value will be returned as it was entered in the corresponding claim in the ID Token or attribute in the SAML assertion.

In addition, the information is added to E-Ident statistics and may be returned to the customers as part of statistics. The last part must be agreed with Nets in each case.



Max length: 50 characters

deflectWhere the artifact receiver should be opened. Options are to keep it in iframe (_self) or take over the page (_top).

Valid values: [_top, _self]

Default: _top

forcepkivendorA comma separated list of eIDs. The list limits the eIDs made available to the end user for identification. See the next table for a mapping between eID and the constraint.​

One or more of:

no_bankid, no_bidmob,  no_buypass, mitid, mitid:mitid_erhverv, se_bankid, se_bankid:mobile, NetsID_Verifier, mobile_id, ​smart_id, verimi, nets_sms


The language used to provide user with information during identification. If not provided, then E-Ident uses the language specified by the web browser.

If no supported languages are available in the browser, or the parameter, then English is used by default.

Supported language codes:

Supported language codes:

[nb-NO |  nn-NO | en-GB |  da-DK  sv-SE | fi-FI | sv-FI]

startA customer URL that points to a start page. The start page is used as an exit strategy for users that opt out of the identification sequence (for example, choosing to cancel the identification process midway or after a status message is displayed by E-Ident).

Note:  The start URL is not used if a status URL is provided.

Format: URL

Range: only URLs to trusted domains are allowed by E-Ident.

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.


The URL is used to provide end users with clear messages in cases where an unexpected event occurs. Unexpected events can be errors during identification, change of status, or other relevant information not associated with a successful identification. E-Ident always appends a status code to the provided URL, so this URL must allow a status code to be appended to it.

Example: If the event uid.expired occurs, and the URL is defined as being https://customer/statusurl.html?su= (notice how this URL works well with the appended status code), then the actual URL requested will be https://customer/statusurl.html?su=uid.expired

Format: URL

Range: only URLs to trusted domains are allowed by E-Ident

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.

styleA customer with a specific typographic, layout, or colour scheme can provide a URL to a CSS style sheet. If provided, the given style sheet will be used when rendering web pages in a browser.

Note: style is ignored if the wi parameter is set to “n” or not used.

Format: URL

Range: only URLs to trusted domains are allowed by E-Ident.

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.


The wi parameter is used to indicate that the user interface shall be embedded UI.

Note: The wi parameter may also be set to n to indicate standalone UI. However, as this is default UI option it is not necessary to use the wi parameter.

Valid values: [ r ]

Mapping of eID to forcepkivendor parameters:

eIDforcepkivendor parameter
BankID (NO) no_bankid
BankID (SE) se_bankid
BankID on mobile (NO) no_bidmob
Buypass (NO) no_buypass
MitID (DK)

mitid and/or mitid:mitid_erhverv
Nets ID Verifier​
Verimi verimi

Optional eID specific parameters​​


​Specifies the requested Authentication Assurance Level.

One of:

[ low | substantial | high ]

MitID (DK)
Specifies the action context for identification 
​MitID (DK)(Currently supported)​

​Used to set the minimum level of assurance for the identification.

Valid values:
urn:eident:acrp:level:high| urn:eident:acrp:level:substantial| urn:eident:acrp:level:low

BankID (NO), BankID (SE), MitID DK, Finnish Bank ID (FI), Mobile-ID, Nets One Time Code, Buypass, Verimi, Nets ID Verifier

​Used to set the authentication method for the identification.
Valid values:
See the eID specific page.

BankID (NO)


​Used to inform the service if it shall try to start the eID client automatically. (If the end user is using the device where the eID client is located)


 [true | false]

​BankID (SE)

​8-digit mobile/cell number for BankID on mobile (NO).

Encoding: Base64BankID on mobile (NO)

​6-digit date of birth for BankID on mobile (NO).

Encoding: Base64BankID on mobile (NO)

​​Specifies the requested Level of Assurance.

One of:

[ low | substantial | high ]

MitID (DK)​
​A pre-selected user ID to improve user experience and reduce number of steps for a user.
​See login_hint description on the eID specific pages.
​BankID (NO), BankID (SE), MitID (DK), Mobile-ID, Smart-ID and Verimi

​This parameter indicates the format to use for the display text. GSM-7 is default. UCS-2 supports all Cyrrillic characters.

Valid values:​

  • UCS-2: 20 characters
  • GSM-7: 40 characters (default)


​A pre-selected user ID to improve user experience and reduce number of steps for a user.


​See presetid description on the eID specific pages.​
BankID (NO), BankID (SE), MitID (DK) and Verimi

​Reference text displayed during MitID identification. The text is displayed in the MitID client or in the MitID app.

All characters allowed except: %<

Max limit: 130

MitID (DK)
​Specifies the requested Address
​Valid values: See the dID specific page.

For MitID:

This parameter is used to initiate the Private MitID - on behalf of companies function. 



MitID (DK)
Controls retrieval of SSN for customers that have SSN access. For BankID (NO), BankID on mobile (NO) the SSN will be returned if the parameter is not provided. For the other eIDs, SSN will not be returned if the parameter is not provided.

BankID (NO),  BankID on mobile (NO), MitID (DK), Mobile-ID and Smart-ID.

​This parameter can be used to decide which text to display to the user and it may give him possibilities to choice a verification code. 

Valid values:
See the eID specific page.

Text to be displayed in the Smart-ID user app.

Max length:
60 characters

​Text to be displayed in the Smart-ID user app. 

Max length:
200 characters

Transaction text displayed in the end user's app or phone: 
  • Mobile-ID (SIM card based
Characters max length:
  • 20 / 40 (Mobile-ID)
  • 600 (BankID SE)
Mobile-ID and BankID (SE)

SAML Assertion

The following table lists all available assertion attributes that may be returned in a SAML response. Not all attributes are available in all SAML responses. See the list of returned attributes below. The attributes is specific for the eID providers.

Attribute ​Description/Usage ​eID provider​

​Authentication Assurance Level

​One of
MitID (DK)
​Specifies the action context for identification
​MitID (DK)
(Currently supported)

​The level of assurance for the specific identification.

Possible values are listed on the eID pages, 
which will be one of:
[ urn:eident:cert:eidas:high| 
u​​rn:eident:cert:eidas:low ]

​Specifies the address of a user
​Auth Method Ref. JSON array of strings that are identifiers for authentication methods used in the authentication.
Valid values:
See the eID specific page for Verimi and BankID (NO)


The value of the additional info parameter if used.

AUTHFILESURL​A URL to download authentication files. Read more about the authentication files. Nets ID Verifier

​​The organisation number (Danish CVR number) the user has selected and is authorised to represent. 

The user can select a company when using the Private MitID - on behalf of companies ​functions.

MitID (DK)​
C​Country code​ALL (where available).​
CERTIFICATE​The  X509 certificate of the identified end user.​ALL (where available)
CERTPOLICYOID​A policy identifier for the end user certificate.​ALL​
CN​Common Name from end user certificate.​ALL​
DK_SSN​Danish SSN.​MitID (DK)
DN ​Distinguished Name from end user certificate.​ALL​
DOB​Date of birth where available​
FIRSTNAME​End user first name (from certificate).​ALL (where available).​
FULLNAME​Name of identified user.ALL (where available)
GIVENNAME​End user given name (from certificate)​ALL (where available).​

​Identity Assurance Level

​One of
MitID (DK)
Type of identification
Possible values are:
  • private
  • professional
Professional indicates Erhverv user
MitID (DK)
IDPROVIDER​The ID provider used for identification.​ALL. See valid values in a table below this table.​

​Level of Assurance

​One of
MitID (DK)

​The list of authenticators used to achieve the resulting level of assurance for a MitID identification.

​Possible values for Mit​ID are:

  • password
  • code_token
  • code_reader
  • code_app
  • code_app_enchanced
  • u2f_token

Possible values for MitID Erhverv are:
  • mitid:password
  • mitid:code_token
  • mitid:code_reader
  • mitid:code_app
  • mitid:code_app_enchanced
  • mitid:u2f_token
MitID (DK)​

Unique ID for MitID.

MitID (DK)
Age of Erhverv user
MitID (DK)
CVR number of the Organisation for which the MitID user is authorized to represent.​
MitID (DK)
Unique ID for Erhverv user
MitID (DK)
Company CVR for Erhverv user
MitID (DK)
Date of birth for Erhverv user
MitID (DK)​
Email address for Erhverv user​
MitID (DK)​
Family name for Erhverv user​MitID (DK)​
Given name for Erhverv user​
MitID (DK)​

​Identity Assurance Level

​One of
MitID (DK)
Full name of Erhverv user
MitID (DK)
Employee certificate RID from NemID migration (or assigned)
MitID (DK)
Company name for Erhverv user
MitID (DK)
Company P number for Erhverv user​MitID (DK)​
MitID Erhverv’s Global UUID/ID from EIA MitIDMitID Erhverv’s Global UUID/ID from EIA
Company SE number for Erhverv user
MitID (DK)
NOTAFTER​Certificate validity end time.​ALL (where available)
NOTBEFORE​Certificate validity begin time.​ALL (where available)
NO_CEL8​8-digit mobile/cell number (provided by merchant or user).​Norwegian BankID Mobile.​​
NO_BID_PID​Norwegian BankID PID​Norwegian BankID​
NO_DOB6​6-digit date of birth (provided by merchant or user)​Norwegian BankID Mobile​
NO_SSN​Norwegian SSN.​Norwegian BankID.​

Private MitID:​

The name of the organisation the user logs in on behalf of.​

Applicable eID:
MitID (DK)

​For MitID:

The organisation number received when using the Private MitID - on behalf of companies function.

Applicable eID:
MitID (DK) 
​Reference text from MitID and/or Erhverv transaction
​​MitID (DK)
SE_SSN​Swedish SSN​
Swedish BankID​

​This value returns information about the type of Smart-ID interaction flow that was used. This can be one of:

  • displayTextAndPIN
  • verificationCodeChoice
  • confirmationMessage
  • confirmationMessageAndVerificationCodeChoice


End user surname (from certificate).​ALL (where available).​​
​The Document Number
Verimi IDCard
Nets ID Verifier
​The Document Type
​Verimi IDCard
Nets ID Verifier
​Place of Birth
​Verimi IDCard
Nets ID Verifier
​Date of Expiry of the document
​Verimi IDCard
Nets ID Verifier
​Citizenship of the end user
​Verimi IDCard
​The Document issue date
Verimi IDCard​
​The Document issuing authority
​Verimi IDCard
​Verification Method
​Verimi IDCard
​Date of verification
​Verimi IDCard​

The following table gives the valid values for the IDPROVIDER attribute: 

BankID (NO)
BankID (SE)
BankID on mobile (NO)​no_bidmob​
Buypass (NO)
MitID (DK)
Nets ID Verifier


Example SAML response​

<soapenv:Envelope xmlns:soapenv="" xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:ns1="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:ns2=""
                  xmlns:ns3="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xs=""
        <ns1:Response xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                      InResponseTo="76C4438E7CCFBA0E03B12014F6C99DF88CD08C33" IssueInstant="2019-01-03T14:27:50.906Z"
                      MajorVersion="1" MinorVersion="1" ResponseID="TI2-47A7F798E258169482197E2E7266DAAA0671D9AF">
                <ns1:StatusCode Value="ns1:Success"/>
            <ns3:Assertion AssertionID="TI2-878D39A6C769451CE67D4066603A6D87370A258D"
                           IssueInstant="2019-01-03T14:27:50.911Z" Issuer=""
                           MajorVersion="1" MinorVersion="1">
                <ns3:Conditions NotBefore="2019-01-03T15:27:50.000Z" NotOnOrAfter="2019-01-03T14:57:50.000Z"/>
                <ns3:AuthenticationStatement AuthenticationInstant="2019-01-03T14:27:50.911Z"
                        <ns3:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090</ns3:NameIdentifier>
                        <ns3:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                            CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090
                    <ns3:Attribute AttributeName="IDPROVIDER" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">no_bankid</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="DOB" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">02.10.1958</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="DN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="CN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">Nilsen, Åse</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="NO_BID_PID" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">9578-6000-4-201090</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="CERTPOLICYOID" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">2.16.578.</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="NO_SSN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">02105892090</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="CERTIFICATE" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">

Single sign-on (SSO)

Single sign-on allowed registered customer sites in a cluster to share asserted end user attributes without requiring the end users to identify themselves again. A SSO enable identification is transparent to the customer and requires no special treatment in the customer application. The request and valid parameters are identical to those in an ordinary identification request.

Log out​​

An end user session can be terminated using the log out functionality.

  1. Invoke a log out by calling​/gls/logout.html
    Read more about the log out parameters.
  2. E-Ident will call the customers's log out URL provided upon registration. This allows the customers web site to clean any session context data for the end user.

Log out parameters


Where the nexturl should be opened. Options are to keep it in iframe (_self) or take over the page (_top).

Required: no​

Valid values: [_top, _self]

Default: _top

midMerchant identifier. This is an ID assigned to the customer upon configuration and must be used in subsequent requests to E-Ident.Required: yes

After log out, the End user will be directed to the URL pointed to by the nexturl parameter.

If not provided, E-Ident presents the user with a generic log out page.

Required: no
Format: URL