SAML

​​An identification through E-Ident can be performed using the SAML v1.1 identification protocol. This page outlines the identification process, the identification parameters, single sign-on (SSO) functionality and how to perform a log out.

Content on this page

SAML v1.1 identification

The figure below illustrates the identification sequence for an E-Ident customer using SAML v1.1.

 

 

  1. The end user accesses the E-Ident customer site with a request to log on. 
  2. The end user browser is redirected to E-Ident to begin identification. Sample identification request:  https://www.ident-preprod1.nets.eu​/its/index.html?mid=<value>&TARGET=<value>   
    Read more about the mandatory and optional identification request parameters.
  3. End user identification is initiated towards a selected eID. The end user supplies his/her credentials.
  4. E-Ident redirects the end user to the E-Ident customer's artifact resolver URL with the ArtifactID. The artificat resolver URL is defined upon customer registration.
  5. The customer sends a request directly to E-Ident to retrieve the user info based on the ArtifactID. E-Ident returns the SAML assertion containing all information about the user.
    Read more about the content of the SAML assertion.
     

Identification request parameters

The different identification request parameters are divided in these sections:

Mandatory

ParameterDescriptionConstraints
midCustomer identifier. This is an ID assigned to the customer upon configuration and must be used in subsequent requests to E-Ident.NA
TARGETData sent back to the artifact receiver after identification. Customers can use this to carry session specific data tokens such as name or URL of resource user intended to access, or a session ID. 

Parameter name must be in upper case.

URL encode following parameters: [? | & | #]

Optional

ParameterDescriptionConstraints
additional_info

​The additional info parameter can be used by any customer to enter their own information. The parameter value will be returned as it was entered in the corresponding claim in the ID Token or attribute in the SAML assertion.

In addition, the information is added to E-Ident statistics and may be returned to the customers as part of statistics. The last part must be agreed with Nets in each case.

​Format:

[A-Za-z0-9_\-åøæÅØÆ]{0,50} 

Max length: 50 characters

deflectWhere the artifact receiver should be opened. Options are to keep it in iframe (_self) or take over the page (_top).

Valid values: [_top, _self]

Default: _top

forcepkivendorA comma separated list of eIDs. The list limits the eIDs made available to the end user for identification. See the next table for a mapping between eID and the constraint.​

One or more of:

no_bankid, no_bidmobno_buypass, dk_nemid_js, dk_nemid-opensign, mitid, mitid:mitid_erhverv, se_bankid, passport_reader, mobile_id, smart_id, verimi, nets_sms

locale

The language used to provide user with information during identification. If not provided, then E-Ident uses the language specified by the web browser.

If no supported languages are available in the browser, or the parameter, then English is used by default.


Supported language codes:

Supported language codes:

[nb-NO |  nn-NO | en-GB |  da-DK  sv-SE | fi-FI | sv-FI]

startA customer URL that points to a start page. The start page is used as an exit strategy for users that opt out of the identification sequence (for example, choosing to cancel the identification process midway or after a status message is displayed by E-Ident).

Note:  The start URL is not used if a status URL is provided.

Format: URL

Range: only URLs to trusted domains are allowed by E-Ident.

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.

status

The URL is used to provide end users with clear messages in cases where an unexpected event occurs. Unexpected events can be errors during identification, change of status, or other relevant information not associated with a successful identification. E-Ident always appends a status code to the provided URL, so this URL must allow a status code to be appended to it.

Example: If the event uid.expired occurs, and the URL is defined as being https://customer/statusurl.html?su= (notice how this URL works well with the appended status code), then the actual URL requested will be https://customer/statusurl.html?su=uid.expired

Format: URL

Range: only URLs to trusted domains are allowed by E-Ident

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.

styleA customer with a specific typographic, layout, or colour scheme can provide a URL to a CSS style sheet. If provided, the given style sheet will be used when rendering web pages in a browser.

Note: style is ignored if the wi parameter is set to “n” or not used.

Format: URL

Range: only URLs to trusted domains are allowed by E-Ident.

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.

wi

The wi parameter is used to indicate that the user interface shall be embedded UI.

Note: The wi parameter may also be set to n to indicate standalone UI. However, as this is default UI option it is not necessary to use the wi parameter.

Valid values: [ r ]

Mapping of eID to forcepkivendor parameters:

eIDforcepkivendor parameter
BankID (NO)no_bankid
BankID (SE)se_bankid
BankID on mobile (NO)no_bidmob
Buypass (NO) no_buypass
MitID (DK)mitid and/or mitid:mitid_erhverv
Mobile-ID
mobile_id
NemID with key card - Java script client (DK)dk_nemid_js
NemID with key file - codefile client (DK)dk_nemid-opensign
Nets Passport Reader
passport_reader
Smart-ID 
smart_id
Verimiverimi

Optional eID specific parameters​​

NameDescriptionConstraintseID
aal_value

​Specifies the requested Authentication Assurance Level.

One of:

[ low | substantial | high ]

MitID (DK)
​action_context    
Specifies the action context for identification 
​One of: [LOG_ON | APPROVE | CONFIRM |ACCEPT | SIGN
​MitID (DK)(Currently supported)​
acr_values

​Used to set the minimum level of assurance for the identification.

Valid values:
urn:eident:acrp:level:high| urn:eident:acrp:level:substantial| urn:eident:acrp:level:low

BankID (NO), BankID (SE), MitID DK, Finnish Bank ID (FI), Mobile-ID, Nets One Time Code, Buypass, Verimi, Passport Reader

​amr_values
​Used to set the authentication method for the identification.
Valid values:
See the eID specific page.
Verimi

BankID (NO)

autostart

​Used to inform the service if it shall try to start the eID client automatically. (If the end user is using the device where the eID client is located)

Values:​

 [true | false]

​BankID (SE)
​celnr8

​8-digit mobile/cell number for BankID on mobile (NO).

Encoding: Base64BankID on mobile (NO)
dob6

​6-digit date of birth for BankID on mobile (NO).

Encoding: Base64BankID on mobile (NO)
loa_value

​​Specifies the requested Level of Assurance.

One of:

[ low | substantial | high ]

MitID (DK)​
​login_hint
​A pre-selected user ID to improve user experience and reduce number of steps for a user.
​See login_hint description on the eID specific pages.
​BankID (NO), BankID (SE), MitID (DK), Mobile-ID, Smart-ID and Verimi
mobileid_display_te-xt_format

​This parameter indicates the format to use for the display text. GSM-7 is default. UCS-2 supports all Cyrrillic characters.


Valid values:​

  • UCS-2: 20 characters
  • GSM-7: 40 characters (default)

Mobile-ID
nemid_clientmode

​The NemID JS client can either be shown in a standard or in a limited mode. The standard mode includes administration possibilities for the end user like activation for new end user.

Some customers might notice that the content of their iFrame is moved slightly when pressing the question mark button in the NemID client. This could be prevented by using this parameter with “limited” as the value.

Value:

[standard | limited]


 Default:

standard
NemID JS (DK)
presetid

​A pre-selected user ID to improve user experience and reduce number of steps for a user.

 

​See presetid description on the eID specific pages.​
BankID (NO), BankID (SE), MitID (DK) and Verimi
referenc​e_text

​Reference text displayed during MitID identification. The text is displayed in the MitID client or in the MitID app.

All characters allowed except: %<

Max limit: 130

MitID (DK)
returnorg

For NemID:

This parameter is used to initiate the Private NemID - on behalf of companies function. In addition, if using NemID MOCES, the organisation number in the user's certificate will be returned explicitly. 

Values:

 [truefalse]

NemID (DK)
returnssn
Controls retrieval of SSN for customers that have SSN access. For BankID (NO), BankID on mobile (NO) and NemID, the SSN will be returned if the parameter is not provided. For the other eIDs, SSN will not be returned if the parameter is not provided.
​Values: 
[true|false]
BankID (NO),  BankID on mobile (NO), MitID (DK), NemID (DK), Mobile-ID and Smart-ID.
smartid_allowed-InteractionsOrderType

​This parameter can be used to decide which text to display to the user and it may give him possibilities to choice a verification code. 


Valid values:
See the eID specific page.
Smart-ID
smartid_displayText60

Text to be displayed in the Smart-ID user app.


Max length:
60 characters
Mobile-ID
smartid_displayText200

​Text to be displayed in the Smart-ID user app. 


Max length:
200 characters

Mobile-ID
transactiontext
Transaction text displayed in the end user's app or phone: 
  • NemID code app
  • Mobile-ID (SIM card based
Characters max length:
  • 20 / 40 (Mobile-ID)
  • 100 (NemID JS)
NemID JS (DK)​​ and Mobile-ID

SAML Assertion

The following table lists all available assertion attributes that may be returned in a SAML response. Not all attributes are available in all SAML responses. See the list of returned attributes below. The attributes is specific for the eID providers.

Attribute ​Description/Usage ​eID provider​
AAL

​Authentication Assurance Level

​One of
  • https://data.gov.dk/concept/core/nsis/Low
  • https://data.gov.dk/concept/core/nsis/Substantial
  • https://data.gov.dk/concept/core/nsis/High
MitID (DK)
​ACTION_CONTEXT
​Specifies the action context for identification
​MitID (DK)
(Currently supported)
ACR

​The level of assurance for the specific identification.

Possible values are listed on the eID pages, 
which will be one of:
[ urn:eident:cert:eidas:high| 
urn:eident:cert:eidas:substantial| 
urn:eident:cert:eidas:low ]

​AMR
​Auth Method Ref. JSON array of strings that are identifiers for authentication methods used in the authentication.
Valid values:
See the eID specific page for Verimi and BankID (NO)

ADDITIONAL_INFO

The value of the additional info parameter if used.

ALL
AUTHFILESURL​A URL to download authentication files. Read more about the authentication files. Nets Passport Reader
AUTHORIZED_TO_REPRESENT

​The organisation number (Danish CVR number) the user has selected and is authorised to represent. 

The user can select a company when using the Private NemID - on behalf of companies​ or Private MitID - on behalf of companies ​functions.

NemID (DK) POCES users and MitID (DK)​
C​Country code​ALL (where available).​
CERTIFICATE​The  X509 certificate of the identified end user.​ALL (where available)
CERTPOLICYOID​A policy identifier for the end user certificate.​ALL​
CN​Common Name from end user certificate.​ALL​
DK_SSN​Danish SSN.​NemID (DK)​ and MitID (DK)
DN ​Distinguished Name from end user certificate.​ALL​
DOB​Date of birth where available​
FIRSTNAME​End user first name (from certificate).​ALL (where available).​
FULLNAME​Name of identified user.ALL (where available)
GIVENNAME​End user given name (from certificate)​ALL (where available).​
IAL

​Identity Assurance Level

​One of
  • https://data.gov.dk/concept/core/nsis/Low
  • https://data.gov.dk/concept/core/nsis/Substantial
  • https://data.gov.dk/concept/core/nsis/High
MitID (DK)
IDENTITY_TYPE
Type of identification
Possible values are:
  • private
  • professional
Professional indicates Erhverv user
MitID (DK)
IDPROVIDER​The ID provider used for identification.​ALL. See valid values in a table below this table.​
LOA

​Level of Assurance

​One of
  • https://data.gov.dk/concept/core/nsis/Low
  • https://data.gov.dk/concept/core/nsis/Substantial
  • https://data.gov.dk/concept/core/nsis/High
MitID (DK)
MITID_AMR

​The list of authenticators used to achieve the resulting level of assurance for a MitID identification.

​Possible values for Mit​ID are:

  • password
  • code_token
  • code_reader
  • code_app
  • code_app_enchanced
  • u2f_token

Possible values for MitID Erhverv are:
  • mitid:password
  • mitid:code_token
  • mitid:code_reader
  • mitid:code_app
  • mitid:code_app_enchanced
  • mitid:u2f_token
 
MitID (DK)​
MITID_UUID

Unique ID for MitID.

MitID (DK)
NEMLOGIN.AGE
Age of Erhverv user
MitID (DK)
NEMLOGIN.CPR_UUID
Unique ID for Erhverv user
MitID (DK)
NEMLOGIN.CVR
Company CVR for Erhverv user
MitID (DK)
NEMLOGIN.DATE_OF_BIRTH
Date of birth for Erhverv user
MitID (DK)​
NEMLOGIN.EMAIL
Email address for Erhverv user​
MitID (DK)​
NEMLOGIN.FAMILY_NAME
Family name for Erhverv user​MitID (DK)​
NEMLOGIN.GIVEN_NAME
Given name for Erhverv user​
MitID (DK)​
NEMLOGIN.IAL

​Identity Assurance Level

​One of
  • https://data.gov.dk/concept/core/nsis/Low
  • https://data.gov.dk/concept/core/nsis/Substantial
  • https://data.gov.dk/concept/core/nsis/High
MitID (DK)
NEMLOGIN.NAME
Full name of Erhverv user
MitID (DK)
NEMLOGIN.NEMID.RID
Employee certificate RID from NemID migration (or assigned)
MitID (DK)
NEMLOGIN.ORG_NAME
Company name for Erhverv user
MitID (DK)
NEMLOGIN.P_NUMBER
Company P number for Erhverv user​MitID (DK)​
NEMLOGIN.PERSISTENT
_PROFESSIONAL_ID
MitID Erhverv’s Global UUID/ID from EIA MitIDMitID Erhverv’s Global UUID/ID from EIA
MitID (DK)​
NEMLOGIN.SE_NUMBER
Company SE number for Erhverv user
MitID (DK)
NOTAFTER​Certificate validity end time.​ALL (where available)
NOTBEFORE​Certificate validity begin time.​ALL (where available)
NO_CEL8​8-digit mobile/cell number (provided by merchant or user).​Norwegian BankID Mobile.​​
NO_BID_PID​Norwegian BankID PID​Norwegian BankID​
NO_DOB6​6-digit date of birth (provided by merchant or user)​Norwegian BankID Mobile​
NO_SSN​Norwegian SSN.​Norwegian BankID.​
ORGANISATION_NAME

For Private NemID and Private MitID:​

The name of the organisation the user logs in on behalf of.​

Applicable eID:
NemID (DK) and MitID (DK)
ORGANISATION_NUMBER​​

For NemID:

​The organisation number either from a NemID MOCES certificate or the organisation number received when using the Private NemID - on behalf of companies​ ​function. 

Note: When a NemID MOCES is used to login, the authorized_to_represent claim will be empty. This as no validation of user rights on behalf of company has been performed. The organisation number is fetched from the user's certificate. 

For MitID:

The organisation number received when using the Private MitID - on behalf of companies function.

Applicable eID:
NemID (DK) - MOCES and POCES users​ and MitID (DK) 
​REFERENCE_TEXT
​Reference text from MitID and/or Erhverv transaction
​​MitID (DK)
SE_SSN​Swedish SSN​
Swedish BankID​
SMARTID_INTER-ACTION_FLOW_USED

​This value returns information about the type of Smart-ID interaction flow that was used. This can be one of:

  • displayTextAndPIN
  • verificationCodeChoice
  • confirmationMessage
  • confirmationMessageAndVerificationCodeChoice

Smart-ID
SURNAME​

End user surname (from certificate).​ALL (where available).​​
​DOCUMENTNUMBER
​The Document Number
Verimi IDCard
Nets Passport Reader
​DOCUMENTTYPE
​The Document Type
​Verimi IDCard
Nets Passport Reader
​PLACEOFBIRTH
​Place of Birth
​Verimi IDCard
Nets Passport Reader
​DATEOFEXPIRY
​Date of Expiry of the document
​Verimi IDCard
Nets Passport Reader
​CITIZENSHIP
​Citizenship of the end user
​Verimi IDCard
​ISSUE_DATE
​The Document issue date
Verimi IDCard​
​ISSUING_AUTHORITY
​The Document issuing authority
​Verimi IDCard
​VERIFICATION_METHOD
​Verification Method
​Verimi IDCard
​VERIFICATION_DATE
​Date of verification
​Verimi IDCard​

The following table gives the valid values for the IDPROVIDER attribute: 

eID providerIDPROVIDER value​
BankID (NO)
no_bankid​
BankID (SE)
se_bankid
BankID on mobile (NO)​no_bidmob​
Buypass (NO)
no_buypass
MitID (DK)
mitid
Mobile-ID
mobile_id
NemID JS client (DK)​dk_nemid_js​
NemID CodeFile client (DK)​dk_nemid-opensign​
Nets Passport Reader
passport_reader
Smart-ID
smart_id
Verimiverimi

Example SAML response

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:ns1="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:ns3="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header/>
    <soapenv:Body>
        <ns1:Response xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                      InResponseTo="76C4438E7CCFBA0E03B12014F6C99DF88CD08C33" IssueInstant="2019-01-03T14:27:50.906Z"
                      MajorVersion="1" MinorVersion="1" ResponseID="TI2-47A7F798E258169482197E2E7266DAAA0671D9AF">
            <ns1:Status>
                <ns1:StatusCode Value="ns1:Success"/>
            </ns1:Status>
            <ns3:Assertion AssertionID="TI2-878D39A6C769451CE67D4066603A6D87370A258D"
                           IssueInstant="2019-01-03T14:27:50.911Z" Issuer="https://www.ident-preprod1.nets.eu/saml1resp/"
                           MajorVersion="1" MinorVersion="1">
                <ns3:Conditions NotBefore="2019-01-03T15:27:50.000Z" NotOnOrAfter="2019-01-03T14:57:50.000Z"/>
                <ns3:AuthenticationStatement AuthenticationInstant="2019-01-03T14:27:50.911Z"
                                             AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
                    <ns3:Subject>
                        <ns3:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090</ns3:NameIdentifier>
                        <ns3:SubjectConfirmation>
                            <ns3:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ns3:ConfirmationMethod>
                        </ns3:SubjectConfirmation>
                    </ns3:Subject>
                </ns3:AuthenticationStatement>
                <ns3:AttributeStatement>
                    <ns3:Subject>
                        <ns3:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                            CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090
                        </ns3:NameIdentifier>
                        <ns3:SubjectConfirmation>
                            <ns3:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ns3:ConfirmationMethod>
                        </ns3:SubjectConfirmation>
                    </ns3:Subject>
                    <ns3:Attribute AttributeName="IDPROVIDER" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">no_bankid</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="DOB" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">02.10.1958</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="DN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="CN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">Nilsen, Åse</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="NO_BID_PID" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">9578-6000-4-201090</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="CERTPOLICYOID" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">2.16.578.1.16.1.12.1.1</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="NO_SSN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">02105892090</ns3:AttributeValue>
                    </ns3:Attribute>
                    <ns3:Attribute AttributeName="CERTIFICATE" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">
                            MIIFaTCCA1GgAwIBAgIDCxjZMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNVBAYTAk5PMRUwEwYDVQQKDAxUZXN0QmFuazEgQVMxEjAQBgNVBAsMCTEyMzQ1Njc4OTEjMCEGA1UEAwwaQmFua0lEIFRlc3RCYW5rMSBCYW5rIENBIDIwHhcNMTcxMDEwMTA1MjUwWhcNMTkxMDEwMTA1MjUwWjBeMRswGQYDVQQFExI5NTc4LTYwMDAtNC0yMDEwOTAxCzAJBgNVBAYTAk5PMRswGQYDVQQKDBJCYW5rSUQgLSBUZXN0QmFuazExFTATBgNVBAMMDE5pbHNlbiwgw4VzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAODf+meT3z3qZOjjMZobh6XMd2C7zS5nTm742Af/3MNxTji2X9f0d7hhvc3RHuq50kiTSz99yGPha2TKGzr2ApuXWplkIZhhShxImlelsRROqOSiICYiNhM/pzxEldq7jkP+tIqpPDy4tM7baNFp+uV6G0DdJJO0QbB9mXTJ1wevmYC+qIJKhl3D1XCMDtkS8V+d0rCplPYEdQx0582OlArG94JcLRBOaAI5Qfn3XWWVNhlZd2b3xbXiLmj9UepOomW+kJrzAWmD/aRXa0hIUW7W+zLpM2AVGUbl9useJTpNFliqvMDSPgf3OVSQ1BqI9VSwDBzJzR28RdzUhcrY+gECAwEAAaOCAS8wggErMBYGA1UdIAQPMA0wCwYJYIRCARABDAEBMCgGA1UdCQQhMB8wHQYIKwYBBQUHCQExERgPMTk1ODEwMDIwMDAwMDBaMBMGB2CEQgEQAgEECDAGBAQ5OTgwMBQGB2CEQgEQAgIECTAHBAVCSU5BUzA5BggrBgEFBQcBAQQtMCswKQYIKwYBBQUHMAGGHWh0dHBzOi8vdmEtcHJlcHJvZDEuYmFua2lkLm5vMDEGCCsGAQUFBwEDBCUwIzAIBgYEAI5GAQEwFwYGBACORgECMA0TA05PSwIDAYagAgEAMA4GA1UdDwEB/wQEAwIDiDAfBgNVHSMEGDAWgBSx5ynedCftwfjDGbgmb15zO14m/jAdBgNVHQ4EFgQUlRl4WJDdJA5PFwftO6HQn5nDX1EwDQYJKoZIhvcNAQELBQADggIBADjkWp+KfciWYBHuDBonqpzAtymIuBfVGILLAwHqlg8moI2ujraVJNjWQk56i2CDUAW6zlAdGoErM90OyxoDBo/Fea3pzMhWYL0U0yaW93Y3dw4e6gbo10mcULJtoLnBAqpz3gSJo4VBcjP0rEvCndl1HEyCT3fkHYccx6FSgMPdyzLlM46lZkOEvQqdraokNMlYBruERNpegee51uCMCcpH/a1X/0ziZGiNkQCo+1X8pGf8axt3XC3/ASssrFLlfvCpZv/vOzGA8Jeva5FoZovsiVuwtv6e0rzaZm8FQB4xhzt2JwEm9TQCqehh6TrOp0Zx5xhVV0UCbUwRdgF2SCe37jX3U238AMPIN8nr6fv2rp3Sk7Rkc6TEkXXve69ph0vAVl/1FDO2KcDegvFkGogRK/p08f2+NFOtT+pzNhunHZcTL/gW2ScUE4Md5KVkF59Bha4BP6z9Fq4wEe/gnmcKhBmsfA9uKym559BvSS6HDeYGQ3+0WLjhVn0/h+I/9lSgLBjbEm927O3QW75QrOgd90Mrx1N6UUaMH/ATFZKY2VauziQT2XBT0SXnpI+iGbdcVsVHj8h08GuLIUTZrflrvsHVavPOl11rbO0n3n9twmZtWz5F672ynZwlDC966uH+3h1l24LI5uw3Z7LbqKDWVRvdV2veq5rSa0xuXEX2
                        </ns3:AttributeValue>
                    </ns3:Attribute>
                </ns3:AttributeStatement>
            </ns3:Assertion>
        </ns1:Response>
    </soapenv:Body>
</soapenv:Envelope>

Single sign-on (SSO)

Single sign-on allowed registered customer sites in a cluster to share asserted end user attributes without requiring the end users to identify themselves again. A SSO enable identification is transparent to the customer and requires no special treatment in the customer application. The request and valid parameters are identical to those in an ordinary identification request.

Log out​​

An end user session can be terminated using the log out functionality.

  1. Invoke a log out by calling https://www.ident-preprod1.nets.eu​/gls/logout.html
    Read more about the log out parameters.
  2. E-Ident will call the customers's log out URL provided upon registration. This allows the customers web site to clean any session context data for the end user.

Log out parameters

ParameterDescriptionConstraints
deflect

Where the nexturl should be opened. Options are to keep it in iframe (_self) or take over the page (_top).

Required: no​

Valid values: [_top, _self]

Default: _top

midMerchant identifier. This is an ID assigned to the customer upon configuration and must be used in subsequent requests to E-Ident.Required: yes
nexturl

After log out, the End user will be directed to the URL pointed to by the nexturl parameter.

If not provided, E-Ident presents the user with a generic log out page.

Required: no
Format: URL