SAML

An identification through E-Ident can be performed using the SAML v1.1 identification protocol. This page outlines the identification process, the identification parameters, single sign-on (SSO) functionality and how to perform a log out.

SAML v1.1 identification

The figure below illustrates the identification sequence for an E-Ident customer using SAML v1.1.

[Figure: identification sequence for an E-Ident customer using SAML v1.1]

  1. The end user accesses the E-Ident customer site with a request to log on.
  2. The end user's browser is redirected to E-Ident to begin identification. Sample identification request: https://www.ident-preprod1.nets.eu/its/index.html?mid=<value>&TARGET=<value>
    Read more about the mandatory and optional identification request parameters.
  3. End user identification is initiated towards a selected eID. The end user supplies his/her credentials.
  4. E-Ident redirects the end user to the E-Ident customer's artifact resolver URL with the ArtifactID. The artifact resolver URL is defined upon customer registration.
  5. The customer sends a request directly to E-Ident to retrieve the user info based on the ArtifactID. E-Ident returns the SAML assertion containing all information about the user.
    Read more about the content of the SAML assertion.

Identification request parameters

The different identification request parameters are divided in these sections:

Mandatory

Parameter | Description | Constraints
mid | Customer identifier. This is an ID assigned to the customer upon configuration and must be used in subsequent requests to E-Ident. | NA
TARGET | Data sent back to the artifact receiver after identification. Customers can use this to carry session-specific data tokens such as the name or URL of the resource the user intended to access, or a session ID. | The parameter name must be in upper case. URL-encode the characters ? & # in the value.

Optional

Parameter | Description | Constraints
deflect | Name of a target frame. The named frame is the one assigned to render the artifact receiver after identification. | Default: _top. Regular expression: [\_a-zA-Z0-9]{1,12}
locale | The language used to provide the user with information during identification. If not provided, E-Ident uses the language specified by the web browser. If neither the browser nor the parameter specifies a supported language, Norwegian is used by default. | Supported language codes: nb_NO, en_GB, da_DK, sv_SE, fi_FI, sv_FI
start | A customer URL that points to a start page. The start page is used as an exit strategy for users who opt out of the identification sequence (for example, choosing to cancel the identification process midway or after a status message is displayed by E-Ident). Note: the start URL is not used if a status URL is provided. | Format: URL. Range: only URLs to trusted domains are allowed by E-Ident; trusted domains are part of the customer configuration setup. This parameter overrides the URL issued to E-Ident during configuration.
status | The URL used to provide end users with clear messages when an unexpected event occurs. Unexpected events can be errors during identification, a change of status, or other relevant information not associated with a successful identification. E-Ident always appends a status code to the provided URL, so the URL must allow a status code to be appended to it. Example: if the event uid.expired occurs and the URL is defined as https://customer/statusurl.html?su= (note how this URL works well with the appended status code), the actual URL requested will be https://customer/statusurl.html?su=uid.expired | Format: URL. Range: only URLs to trusted domains are allowed by E-Ident; trusted domains are part of the customer configuration setup. This parameter overrides the URL issued to E-Ident during configuration.
style | A customer with a specific typographic, layout, or colour scheme can provide a URL to a CSS style sheet. If provided, the given style sheet is used when rendering web pages in a browser. Note: style is ignored if the wi parameter is set to "n". | Format: URL. Range: only URLs to trusted domains are allowed by E-Ident; trusted domains are part of the customer configuration setup. This parameter overrides the URL issued to E-Ident during configuration.
wi | Web interface hint. | Valid values: n (standalone GUI, default), r (embedded GUI)
forcepkivendor | A comma-separated list of eIDs. The list limits the eIDs made available to the end user for identification. See the next table for the mapping between eID and constraint value. | One or more of: no_bankid, no_bidmob, dk_nemid_js, dk_nemid-opensign, se_bankid, fi_tupas, fi_mobiilivarmenne, vipps

Mapping of eID to forcepkivendor parameters:

eID | forcepkivendor parameter
BankID (NO) | no_bankid
BankID on mobile (NO) | no_bidmob
Vipps (NO) | vipps
NemID with key card - JavaScript client (DK) | dk_nemid_js
NemID with key file - codefile client (DK) | dk_nemid-opensign
BankID (SE) | se_bankid
Tupas - banks (FI) | fi_tupas
Mobiilivarmenne (FI) | fi_mobiilivarmenne

Optional eID-specific parameters

Name | Description | Constraints | eID
presetid | A pre-selected user ID. The customer can use this to limit identification to the given ID. | Possible value: SSN. Encoding: Base64 | BankID (NO)
dob6 | 6-digit date of birth for BankID on mobile (NO). | Encoding: Base64 | BankID on mobile (NO)
celnr8 | 8-digit mobile/cell number for BankID on mobile (NO). | Encoding: Base64 | BankID on mobile (NO)
returnssn | Turns off retrieval of the SSN when using BankID (NO) and BankID on mobile (NO). When set to false, E-Ident will not request the SSN from BankID and will not return the SSN to the customer. | Value: false | BankID (NO) and BankID on mobile (NO)
autostart | Informs the service whether it shall try to start the eID client automatically (if the end user is using the device where the eID client is located). | Values: true or false | BankID (SE)
nemid_clientmode | The NemID JS client can be shown either in standard or in limited mode. The standard mode includes administration possibilities for the end user, such as activation for a new end user. Some customers might notice that the content of their iFrame is moved slightly when the question mark button in the NemID client is pressed; this can be prevented by using this parameter with the value "limited". | Values: standard or limited. Default: standard | NemID JS (DK)
transactiontext | Transaction text displayed in the end user's NemID code app. | Characters. Max length: 100 | NemID JS (DK)
forcebank | Directs the end user straight to the wanted Tupas bank. It can only be used in combination with forcepkivendor=fi_tupas. If the parameter is not used, a list of all the Tupas banks configured on the customer site is displayed. | One of: nordea, opbank, danske, handelsbanken, aland, sbank, aktia, popbank, savingsbank, omasp | Finnish Bank ID (FI)

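As an added example (not Nets' code or SDK), the following Python builds the step-2 redirect URL while enforcing the constraints from the tables above, so that a value outside the allowed set fails on the customer side instead of being sent. The endpoint is the preprod host from the page; the mid value, the TARGET string and the choice to raise on invalid input are my own assumptions.

```python
import base64
import re
from urllib.parse import urlencode

# Preprod endpoint from the page; mid is customer-specific, so the tests use a placeholder.
EIDENT_ITS = "https://www.ident-preprod1.nets.eu/its/index.html"
LOCALES = {"nb_NO", "en_GB", "da_DK", "sv_SE", "fi_FI", "sv_FI"}
VENDORS = {"no_bankid", "no_bidmob", "dk_nemid_js", "dk_nemid-opensign",
           "se_bankid", "fi_tupas", "fi_mobiilivarmenne", "vipps"}
BANKS = {"nordea", "opbank", "danske", "handelsbanken", "aland", "sbank",
         "aktia", "popbank", "savingsbank", "omasp"}
DEFLECT_RE = re.compile(r"^[_a-zA-Z0-9]{1,12}$")
BASE64_PARAMS = {"presetid", "dob6", "celnr8"}  # the page says these are Base64-encoded


def build_ident_request(mid, target, **opts):
    """Return the step-2 redirect URL: mid and TARGET plus optional parameters.

    Each optional value is checked against the constraints table before it is
    added. presetid/dob6/celnr8 are Base64-encoded as the page requires, and
    urlencode percent-encodes ? & # (and everything else reserved) in TARGET.
    """
    params = {"mid": mid, "TARGET": target}
    for name, value in opts.items():
        if name == "deflect" and not DEFLECT_RE.match(value):
            raise ValueError("deflect must match [_a-zA-Z0-9]{1,12}")
        if name == "locale" and value not in LOCALES:
            raise ValueError("unsupported locale: %s" % value)
        if name == "wi" and value not in ("n", "r"):
            raise ValueError("wi must be n or r")
        if name == "forcepkivendor":
            unknown = set(value.split(",")) - VENDORS
            if unknown:
                raise ValueError("unknown eID(s): %s" % ", ".join(sorted(unknown)))
        if name == "forcebank":
            # The page allows forcebank only together with forcepkivendor=fi_tupas.
            if opts.get("forcepkivendor") != "fi_tupas" or value not in BANKS:
                raise ValueError("forcebank needs forcepkivendor=fi_tupas and a known bank")
        if name in BASE64_PARAMS:
            value = base64.b64encode(value.encode("utf-8")).decode("ascii")
        params[name] = value
    return EIDENT_ITS + "?" + urlencode(params)
```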
 

SAML Assertion

The following table lists all assertion attributes that may be returned in a SAML response. Not all attributes are available in every SAML response; which attributes are returned depends on the eID provider, as shown in the last column.

Attribute | Description/Usage | eID provider
IDPROVIDER | The ID provider used for identification. | ALL. See the valid values in the table below.
CERTPOLICYOID | A policy identifier for the end user certificate. | ALL
CN | Common Name from the end user certificate. | ALL
DN | Distinguished Name from the end user certificate. | ALL
CERTIFICATE | The X.509 certificate of the identified end user. | ALL except Finnish Bank ID (FI).
NOTAFTER | Certificate validity end time. | ALL except Finnish Bank ID (FI).
NOTBEFORE | Certificate validity begin time. | ALL except Finnish Bank ID (FI).
FIRSTNAME | End user first name (from certificate). | ALL (where available).
SURNAME | End user surname (from certificate). | ALL (where available).
GIVENNAME | End user given name (from certificate). | ALL (where available).
C | Country code. | ALL (where available).
DOB | Date of birth, where available. |
FULLNAME | Name of the identified customer from the bank's database. | Finnish Bank ID (FI)
DK_SSN | Danish SSN. | NemID
NO_SSN | Norwegian SSN. | Norwegian BankID
NO_CEL8 | 8-digit mobile/cell number (provided by merchant or user). | Norwegian BankID Mobile
NO_DOB6 | 6-digit date of birth (provided by merchant or user). | Norwegian BankID Mobile
NO_BID_PID | Norwegian BankID PID. | Norwegian BankID
SE_SSN | Swedish SSN. | Swedish BankID
FI_SSN | The customer's identifier, which can be either an encrypted identifier or a plaintext customer code depending on the contents of the A01Y_IDTYPE field in the identification request. | Finnish Bank ID (FI) and Mobiilivarmenne (FI)
FI_TUPAS_PID | The identifier that the bank attaches to the certificate to identify it in the bank's system. | Finnish Bank ID (FI)
FI_TUPAS_BANK | The end user's bank used in the identification process. Possible values: nordea, opbank, danske, handelsbanken, aland, sbank, aktia, popbank, savingsbank, omasp | Finnish Bank ID (FI)
FI_TRX_CODE | Unique but transient anonymous identifier for the end user. Remains the same in identity token and UserInfo responses during one authentication session, but differs in subsequent authentications of the same user. | Mobiilivarmenne (FI)

The following table gives the valid values for the IDPROVIDER attribute:

eID provider | IDPROVIDER value
BankID (NO) | no_bankid
BankID on mobile (NO) | no_bidmob
NemID JS client (DK) | dk_nemid_js
NemID CodeFile client (DK) | dk_nemid-opensign
BankID (SE) | se_bankid
Finnish Bank ID (FI) | fi_tupas
Mobiilivarmenne (FI) | fi_mobiilivarmenne

Example SAML response

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:ns1="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:ns3="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header/>
    <soapenv:Body>
        <ns1:Response xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                      InResponseTo="76C4438E7CCFBA0E03B12014F6C99DF88CD08C33" IssueInstant="2019-01-03T14:27:50.906Z"
                      MajorVersion="1" MinorVersion="1" ResponseID="TI2-47A7F798E258169482197E2E7266DAAA0671D9AF">
            <ns1:Status>
                <ns1:StatusCode Value="ns1:Success"/>
            </ns1:Status>
            <ns3:Assertion AssertionID="TI2-878D39A6C769451CE67D4066603A6D87370A258D"
                           IssueInstant="2019-01-03T14:27:50.911Z" Issuer="https://www.ident-preprod1.nets.eu/saml1resp/"
                           MajorVersion="1" MinorVersion="1">
                <ns3:Conditions NotBefore="2019-01-03T15:27:50.000Z" NotOnOrAfter="2019-01-03T14:57:50.000Z"/>
                <ns3:AuthenticationStatement AuthenticationInstant="2019-01-03T14:27:50.911Z"
                                             AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
                    <ns3:Subject>
                        <ns3:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090</ns3:NameIdentifier>
                        <ns3:SubjectConfirmation>
                            <ns3:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ns3:ConfirmationMethod>
                        </ns3:SubjectConfirmation>
                    </ns3:Subject>
                </ns3:AuthenticationStatement>
                <ns3:AttributeStatement>
                    <ns3:Subject>
                        <ns3:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                            CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090
                        </ns3:NameIdentifier>
                        <ns3:SubjectConfirmation>
                            <ns3:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ns3:ConfirmationMethod>
                        </ns3:SubjectConfirmation>
                    </ns3:Subject>
                    <ns3:Attribute AttributeName="IDPROVIDER" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">no_bankid</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="DOB" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">02.10.1958</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="DN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="CN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">Nilsen, Åse</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="NO_BID_PID" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">9578-6000-4-201090</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="CERTPOLICYOID" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">2.16.578.1.16.1.12.1.1</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="NO_SSN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">02105892090</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="CERTIFICATE" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">
                            <!-- Base64-encoded X.509 certificate omitted -->
                        </ns3:AttributeValue>
                    </ns3:Attribute>
                </ns3:AttributeStatement>
            </ns3:Assertion>
        </ns1:Response>
    </soapenv:Body>
</soapenv:Envelope>
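The checks a customer's artifact resolver should run on the response above before trusting its attributes, as an added example that is not part of Nets' documentation or SDK. It assumes the preprod Issuer value shown in the page's example, that the customer still holds the RequestID of its own step-5 request, and a trimmed copy of the page's example response as constructed input (certificate and X509SubjectName omitted).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
EXPECTED_ISSUER = "https://www.ident-preprod1.nets.eu/saml1resp/"  # Issuer in the page's example
KNOWN_IDPROVIDERS = {"no_bankid", "no_bidmob", "dk_nemid_js", "dk_nemid-opensign",
                     "se_bankid", "fi_tupas", "fi_mobiilivarmenne"}

# Constructed sample, cut down from the page's example response (certificate omitted).
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ns1="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:ns3="urn:oasis:names:tc:SAML:1.0:assertion">
<soapenv:Body><ns1:Response InResponseTo="76C4438E7CCFBA0E03B12014F6C99DF88CD08C33">
<ns1:Status><ns1:StatusCode Value="ns1:Success"/></ns1:Status>
<ns3:Assertion Issuer="https://www.ident-preprod1.nets.eu/saml1resp/">
<ns3:Conditions NotBefore="2019-01-03T14:27:50.000Z" NotOnOrAfter="2019-01-03T14:57:50.000Z"/>
<ns3:AttributeStatement>
<ns3:Attribute AttributeName="IDPROVIDER"><ns3:AttributeValue>no_bankid</ns3:AttributeValue></ns3:Attribute>
<ns3:Attribute AttributeName="NO_BID_PID"><ns3:AttributeValue>9578-6000-4-201090</ns3:AttributeValue></ns3:Attribute>
</ns3:AttributeStatement></ns3:Assertion></ns1:Response></soapenv:Body></soapenv:Envelope>"""


def parse_ts(value):
    """Timestamps in the example are UTC with milliseconds, e.g. 2019-01-03T14:27:50.906Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, now):
    """Checks to run on the artifact-resolution response before trusting its
    attributes. Returns (True, attribute dict) or (False, reason)."""
    resp = ET.fromstring(xml_text).find(".//samlp:Response", NS)
    if resp is None:
        return False, "no Response element"
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        return False, "status is not Success"
    if resp.get("InResponseTo") != expected_request_id:  # ties the assertion to our own request
        return False, "InResponseTo does not match the request we sent"
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.get("Issuer") != EXPECTED_ISSUER:
        return False, "missing assertion or unexpected Issuer"
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and not (
            parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    attrs = {a.get("AttributeName"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if attrs.get("IDPROVIDER") not in KNOWN_IDPROVIDERS:
        return False, "unknown IDPROVIDER value"
    return True, attrs
```

Note that the response as printed on the page has NotBefore (15:27:50Z) later than NotOnOrAfter (14:57:50Z), so the window check above would reject it unchanged; the sample here uses a consistent window starting at the IssueInstant.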

Single sign-on (SSO)

Single sign-on allows registered customer sites in a cluster to share asserted end user attributes without requiring the end users to identify themselves again. An SSO-enabled identification is transparent to the customer and requires no special treatment in the customer application. The request and valid parameters are identical to those in an ordinary identification request.

Log out

An end user session can be terminated using the log out functionality.
  1. Invoke a log out by calling https://www.ident-preprod1.nets.eu/gls/logout.html
    Read more about the log out parameters.
  2. E-Ident will call the customer's log out URL provided upon registration. This allows the customer's web site to clear any session context data for the end user.

Log out parameters

Parameter | Description | Constraints
mid | Merchant identifier. This is an ID assigned to the customer upon configuration and must be used in subsequent requests to E-Ident. | Required: yes
nexturl | After log out, the end user is directed to the URL given by the nexturl parameter. If not provided, E-Ident presents the user with a generic log out page. | Required: no. Format: URL
deflect | Name of a target frame. The named frame is the one assigned to render the artifact receiver after identification. Used if the customer wishes to display the nexturl in a different frame. | Required: no. Default: _top. Regular expression: [\_a-zA-Z0-9]{1,12}