SAML

​An identification through E-Ident can be performed using the SAML v1.1 identification protocol. This page outlines the identification process, the identification parameters, single sign-on (SSO) functionality and how to perform a log out.

Content on this page

SAML v1.1 identification

The figure below illustrates the identification sequence for an E-Ident customer using SAML v1.1.

 

 

  1. The end user accesses the E-Ident customer site with a request to log on. 
  2. The end user browser is redirected to E-Ident to begin identification. Sample identification request:  https://www.ident-preprod1.nets.eu​/its/index.html?mid=<value>&TARGET=<value>   
    Read more about the mandatory and optional identification request parameters.
  3. End user identification is initiated towards a selected eID. The end user supplies his/her credentials.
  4. E-Ident redirects the end user to the E-Ident customer's artifact resolver URL with the ArtifactID. The artificat resolver URL is defined upon customer registration.
  5. The customer sends a request directly to E-Ident to retrieve the user info based on the ArtifactID. E-Ident returns the SAML assertion containing all information about the user.
    Read more about the content of the SAML assertion.
     

Identification request parameters

The different identification request parameters are divided in these sections:

Mandatory

​Parameter​Description​Constraints
​mid​Customer identifier. This is an ID assigned to the customer upon configuration and must be used in subsequent requests to E-Ident.​NA
​TARGET​Data sent back to the artifact receiver after identification. Customers can use this to carry session specific data tokens such as name or URL of resource user intended to access, or a session ID. 

​Parameter name must be in upper case.

URL encode following parameters: [? | & | #]

Optional

​Parameter​Description​Constraints
​deflect​Where the artifact receiver should be opened. Options are to keep it in iframe (_self) or take over the page (_top).

 Valid values: [_top, _self]

 Default: _top

​locale

The language used to provide user with information during identification. If not provided, then E-Ident uses the language specified by the web browser.

If no supported languages are available in the browser, or the parameter, then Norwegian is used by default.

​Supported language codes:

[nb_NO |  en_GB |  da_DK  sv_SE | fi_FI | sv_FI]

​start​A customer URL that points to a start page. The start page is used as an exit strategy for users that opt out of the identification sequence (for example, choosing to cancel the identification process midway or after a status message is displayed by E-Ident).

Note:  The start URL is not used if a status URL is provided.

Format: URL

Range: only URLs to trusted domains are allowed by E-Ident.

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.

​status

​The URL is used to provide end users with clear messages in cases where an unexpected event occurs. Unexpected events can be errors during identification, change of status, or other relevant information not associated with a successful identification. E-Ident always appends a status code to the provided URL, so this URL must allow a status code to be appended to it.

Example: If the event uid.expired occurs, and the URL is defined as being https://customer/statusurl.html?su= (notice how this URL works well with the appended status code), then the actual URL requested will be https://customer/statusurl.html?su=uid.expired

​Format: URL

Range: only URLs to trusted domains are allowed by E-Ident

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.

​styleA customer with a specific typographic, layout, or colour scheme can provide a URL to a CSS style sheet. If provided, the given style sheet will be used when rendering web pages in a browser.

Note: style is ignored if the wi parameter is set to “n”.

​Format: URL

Range: only URLs to trusted domains are allowed by E-Ident.

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.

​wi​Web interface hint.

​Valid values:

[ n | r ]

n: Standalone GUI (default)

r: Embedded GUI

​forcepkivendorA comma separated list of eIDs. The list limits the eIDs made available to the end user for identification. See the next table for a mapping between eID and the constraint.​

​One or more of:

no_bankid, no_bidmobdk_nemid_js, dk_nemid-opensign, se_bankid, fi_tupas, fi_mobiilivarmenne, vipps

Mapping of eID to forcepkivendor parameters:

​eID​forcepkivendor parameter
​BankID (NO)no_bankid
​BankID on mobile (NO)no_bidmob
​Vipps (NO)​​vipps
​NemID with key card - Java script client (DK)dk_nemid_js
​NemID with key file - codefile client (DK)dk_nemid-opensign
​BankID (SE)se_bankid
Bank IDs (FI)fi_tupas
​Mobiilivarmenne (FI)fi_mobiilivarmenne

Optional eID specific parameters​​

​Name​Description​Constraints​eID
​presetid

​A pre-selected user ID. Customer can use this to limit identification to the given ID.

​Possible value:

​[SSN]

Encoding: Base64

​BankID (NO
​dob6

​6-digit date of birth for BankID on mobile (NO).

​Encoding: Base64​BankID on mobile (NO)
​​celnr8

​8-digit mobile/cell number for BankID on mobile (NO).

​Encoding: Base64​BankID on mobile (NO)
returnssn

​This parameter is used to turn off the retrival of SSN when using BankID (NO) and BankID on mobile (NO). When setting it to false, E-Ident will not request the SSN from BankID and it will not return the SSN to the customer.

​​Value: [false]​BankID (NO),  BankID on mobile (NO) and NemID JS to private (DK)
​autostart

​Used to inform the service if it shall try to start the eID client automatically. (If the end user is using the device where the eID client is located)

​Values:

 [true | false]

​​BankID (SE)
​nemid_clientmode

​The NemID JS client can either be shown in a standard or in a limited mode. The standard mode includes administration possibilities for the end user like activation for new end user.

Some customers might notice that the content of their iFrame is moved slightly when pressing the question mark button in the NemID client. This could be prevented by using this parameter with “limited” as the value.

​Value:

[standard | limited]


 Default:

standard
​NemID JS (DK)
​transactiontext​Transaction text displayed in the end user's NemID code app.​Characters
Max length: 100​
​NemID JS (DK)​​
​returnorg

​For NemID:

This parameter is used to initiate the Private NemID - on behalf of companies function. In addition, if using NemID MOCES, the organisation number in the user's certificate will be returned explicitly. 

For Finnish Bank ID:

The parameter is used to get information about the organisation name and number for a legal person user. If the user is not a legal person, no organisation values are returned.

Values:

 [true false]

​NemID (DK) and Finnish Bank ID (FI)
​forcebank​To direct the end user directly to the wanted bank, the customer can use this parameter. It can only be used in combination with              forcepkivendor=fi_tupas.

If the parameter is not used, a list of all the banks will be displayed.

One of: nordea | opbank | danske | handelsbanken | aland | sbank | aktia | popbank | savingsbank| omasp

​Finnish Bank ID (FI)

 

SAML Assertion

The following table lists all available assertion attributes that may be returned in a SAML response. Not all attributes are available in all SAML responses. See the list of returned attributes below. The attributes is specific for the eID providers.

Attribute ​​Description/Usage ​eID provider​
IDPROVIDER​The ID provider used for identification.​ALL. See valid values in a table below this table.​
CERTPOLICYOID​A policy identifier for the end user certificate.​ALL​
CN​Common Name from end user certificate.​ALL​
DN ​Distinguished Name from end user certificate.​ALL​
CERTIFICATE​The  X509 certificate of the identified end user.​ALL except Finnish Bank ID (FI).​
NOTAFTER​Certificate validity end time.​ALL except Finnish Bank ID (FI).​
NOTBEFORE​Certificate validity begin time.​ALL except Finnish Bank ID (FI).​
FIRSTNAME​End user first name (from certificate).​ALL (where available).​
SURNAME​End user surname (from certificate).​ALL (where available).​​
GIVENNAME​End user given name (from certificate)​ALL (where available).​
C​Country code​ALL (where available).​
DOB​Date of birth where available​
FULLNAME​Name of identified user.Finnish Bank ID (FI)
DK_SSN​Danish SSN.​NemID​
NO_SSN​Norwegian SSN.​Norwegian BankID.​
NO_CEL8​8-digit mobile/cell number (provided by merchant or user).​Norwegian BankID Mobile.​​
NO_DOB6​6-digit date of birth (provided by merchant or user)​Norwegian BankID Mobile​
NO_BID_PID​Norwegian BankID PID​Norwegian BankID​
SE_SSN​Swedish SSN​Swedish BankID​
​FI_SATU

​Finnish unique identification number (sähköinen asiointitunnus).

​Finnish Bank ID (FI)
FI_SSN​

​End user's ​Finnish personal identity code (henkilötunnus).

Finnish Bank ID (FI) and Mobiilivarmenne (FI)​
FI_TUPAS_PID​

​A fixed identifier for the user set in the E-Ident / FTN service.

Finnish Bank ID (FI)​
FI_TUPAS_BANK​The end user’s bank used in the identification process. Possible values are:
nordea | opbank | danske | handelsbanken | aland | sbank | aktia | popbank | savingsbank​ | omasp
Finnish Bank ID (FI)
FI_TRX_CODE​Unique, but transient anonymous identifier for the end user. Remains the same in identity token and UserInfo responses during one authentication session, but is different in subsequent authentications of the same user.​
Mobiilivarmenne (FI)​
​AUTHORIZED_TO_REPRESENT

​The organisation number (Danish CVR number) the user has selected and is authorised to represent. 

The user can select a company when using the Private NemID - on behalf of companies​ ​function.

Applicable eID:
NemID (DK) POCES users
​ORGANISATION_NAME

For Private NemID:​

The name of the organisation the user logs in on behalf of.​

For Finnish Bank ID:
The organisation name connected to the user's legal person ID.

​Applicable eID:
NemID (DK) and Finnish Bank ID (FI)
​ORGANISATION_NUMBER​​

For NemID:

​The organisation number either from a NemID MOCES certificate or the organisation number received when using the Private NemID - on behalf of companies​ ​function. 

Note: When a NemID MOCES is used to login, the authorized_to_represent claim will be empty. This as no validation of user rights on behalf of company has been performed. The organisation number is fetched from the user's certificate. 

For Finnish Bank ID:
​​The organisation number (VAT) connected to the user's legal person ID.

​Applicable eID:
NemID (DK) - MOCES and POCES users​ and Finnish Bank ID (FI)

The following table gives the valid values for the IDPROVIDER attribute: 

​eID providerIDPROVIDER value​
BankID (NO)no_bankid​
BankID on mobile (NO)​no_bidmob​
NemID JS client (DK)​dk_nemid_js​
NemID CodeFile client (DK)​dk_nemid-opensign​
BankID (SE)se_bankid​
Finnish Bank ID (FI)fi_tupas​
Mobiilivarmenne (FI)​fi_mobiilivarmenne​​

Example SAML response

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:ns1="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:ns3="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header/>
    <soapenv:Body>
        <ns1:Response xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                      InResponseTo="76C4438E7CCFBA0E03B12014F6C99DF88CD08C33" IssueInstant="2019-01-03T14:27:50.906Z"
                      MajorVersion="1" MinorVersion="1" ResponseID="TI2-47A7F798E258169482197E2E7266DAAA0671D9AF">
            <ns1:Status>
                <ns1:StatusCode Value="ns1:Success"/>
            </ns1:Status>
            <ns3:Assertion AssertionID="TI2-878D39A6C769451CE67D4066603A6D87370A258D"
                           IssueInstant="2019-01-03T14:27:50.911Z" Issuer="https://www.ident-preprod1.nets.eu/saml1resp/"
                           MajorVersion="1" MinorVersion="1">
                <ns3:Conditions NotBefore="2019-01-03T15:27:50.000Z" NotOnOrAfter="2019-01-03T14:57:50.000Z"/>
                <ns3:AuthenticationStatement AuthenticationInstant="2019-01-03T14:27:50.911Z"
                                             AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
                    <ns3:Subject>
                        <ns3:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090</ns3:NameIdentifier>
                        <ns3:SubjectConfirmation>
                            <ns3:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ns3:ConfirmationMethod>
                        </ns3:SubjectConfirmation>
                    </ns3:Subject>
                </ns3:AuthenticationStatement>
                <ns3:AttributeStatement>
                    <ns3:Subject>
                        <ns3:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                            CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090
                        </ns3:NameIdentifier>
                        <ns3:SubjectConfirmation>
                            <ns3:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ns3:ConfirmationMethod>
                        </ns3:SubjectConfirmation>
                    </ns3:Subject>
                    <ns3:Attribute AttributeName="IDPROVIDER" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">no_bankid</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="DOB" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">02.10.1958</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="DN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="CN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">Nilsen, Åse</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="NO_BID_PID" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">9578-6000-4-201090</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="CERTPOLICYOID" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">2.16.578.1.16.1.12.1.1</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="NO_SSN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">02105892090</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="CERTIFICATE" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">
                            MIIFaTCCA1GgAwIBAgIDCxjZMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNVBAYTAk5PMRUwEwYDVQQKDAxUZXN0QmFuazEgQVMxEjAQBgNVBAsMCTEyMzQ1Njc4OTEjMCEGA1UEAwwaQmFua0lEIFRlc3RCYW5rMSBCYW5rIENBIDIwHhcNMTcxMDEwMTA1MjUwWhcNMTkxMDEwMTA1MjUwWjBeMRswGQYDVQQFExI5NTc4LTYwMDAtNC0yMDEwOTAxCzAJBgNVBAYTAk5PMRswGQYDVQQKDBJCYW5rSUQgLSBUZXN0QmFuazExFTATBgNVBAMMDE5pbHNlbiwgw4VzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAODf+meT3z3qZOjjMZobh6XMd2C7zS5nTm742Af/3MNxTji2X9f0d7hhvc3RHuq50kiTSz99yGPha2TKGzr2ApuXWplkIZhhShxImlelsRROqOSiICYiNhM/pzxEldq7jkP+tIqpPDy4tM7baNFp+uV6G0DdJJO0QbB9mXTJ1wevmYC+qIJKhl3D1XCMDtkS8V+d0rCplPYEdQx0582OlArG94JcLRBOaAI5Qfn3XWWVNhlZd2b3xbXiLmj9UepOomW+kJrzAWmD/aRXa0hIUW7W+zLpM2AVGUbl9useJTpNFliqvMDSPgf3OVSQ1BqI9VSwDBzJzR28RdzUhcrY+gECAwEAAaOCAS8wggErMBYGA1UdIAQPMA0wCwYJYIRCARABDAEBMCgGA1UdCQQhMB8wHQYIKwYBBQUHCQExERgPMTk1ODEwMDIwMDAwMDBaMBMGB2CEQgEQAgEECDAGBAQ5OTgwMBQGB2CEQgEQAgIECTAHBAVCSU5BUzA5BggrBgEFBQcBAQQtMCswKQYIKwYBBQUHMAGGHWh0dHBzOi8vdmEtcHJlcHJvZDEuYmFua2lkLm5vMDEGCCsGAQUFBwEDBCUwIzAIBgYEAI5GAQEwFwYGBACORgECMA0TA05PSwIDAYagAgEAMA4GA1UdDwEB/wQEAwIDiDAfBgNVHSMEGDAWgBSx5ynedCftwfjDGbgmb15zO14m/jAdBgNVHQ4EFgQUlRl4WJDdJA5PFwftO6HQn5nDX1EwDQYJKoZIhvcNAQELBQADggIBADjkWp+KfciWYBHuDBonqpzAtymIuBfVGILLAwHqlg8moI2ujraVJNjWQk56i2CDUAW6zlAdGoErM90OyxoDBo/Fea3pzMhWYL0U0yaW93Y3dw4e6gbo10mcULJtoLnBAqpz3gSJo4VBcjP0rEvCndl1HEyCT3fkHYccx6FSgMPdyzLlM46lZkOEvQqdraokNMlYBruERNpegee51uCMCcpH/a1X/0ziZGiNkQCo+1X8pGf8axt3XC3/ASssrFLlfvCpZv/vOzGA8Jeva5FoZovsiVuwtv6e0rzaZm8FQB4xhzt2JwEm9TQCqehh6TrOp0Zx5xhVV0UCbUwRdgF2SCe37jX3U238AMPIN8nr6fv2rp3Sk7Rkc6TEkXXve69ph0vAVl/1FDO2KcDegvFkGogRK/p08f2+NFOtT+pzNhunHZcTL/gW2ScUE4Md5KVkF59Bha4BP6z9Fq4wEe/gnmcKhBmsfA9uKym559BvSS6HDeYGQ3+0WLjhVn0/h+I/9lSgLBjbEm927O3QW75QrOgd90Mrx1N6UUaMH/ATFZKY2VauziQT2XBT0SXnpI+iGbdcVsVHj8h08GuLIUTZrflrvsHVavPOl11rbO0n3n9twmZtWz5F672ynZwlDC966uH+3h1l24LI5uw3Z7LbqKDWVRvdV2veq5rSa0xuXEX2
                        </ns3:AttributeValue>
                    </ns3:Attribute>
                </ns3:AttributeStatement>
            </ns3:Assertion>
        </ns1:Response>
    </soapenv:Body>
</soapenv:Envelope>

Single sign-on (SSO)

Single sign-on allowed registered customer sites in a cluster to share asserted end user attributes without requiring the end users to identify themselves again. A SSO enable identification is transparent to the customer and requires no special treatment in the customer application. The request and valid parameters are identical to those in an ordinary identification request.
 

Log out​​

An end user session can be terminated using the log out functionality.
  1. Invoke a log out by calling https://www.ident-preprod1.nets.eu​/gls/logout.html
    Read more about the log out parameters.
  2. E-Ident will call the customers's log out URL provided upon registration. This allows the customers web site to clean any session context data for the end user.

Log out parameters

​Parameter​Description​Constraints
​mid​Merchant identifier. This is an ID assigned to the customer upon configuration and must be used in subsequent requests to E-Ident.Required: yes
​nexturl

​After log out, the End user will be directed to the URL pointed to by the nexturl parameter.

If not provided, E-Ident presents the user with a generic log out page.

​Required: no
Format: URL
​deflect

​Where the nexturl should be opened. Options are to keep it in iframe (_self) or take over the page (_top).

Required: no​

Valid values: [_top, _self]

Default: _top