​An identification through E-Ident can be performed using the SAML v1.1 identification protocol. This page outlines the identification process, the identification parameters, single sign-on (SSO) functionality and how to perform a log out.

Content on this page

SAML v1.1 identification

The figure below illustrates the identification sequence for an E-Ident customer using SAML v1.1.



  1. The end user accesses the E-Ident customer site with a request to log on. 
  2. The end user browser is redirected to E-Ident to begin identification. Sample identification request:​/its/index.html?mid=<value>&TARGET=<value>   
    Read more about the mandatory and optional identification request parameters.
  3. End user identification is initiated towards a selected eID. The end user supplies his/her credentials.
  4. E-Ident redirects the end user to the E-Ident customer's artifact resolver URL with the ArtifactID. The artificat resolver URL is defined upon customer registration.
  5. The customer sends a request directly to E-Ident to retrieve the user info based on the ArtifactID. E-Ident returns the SAML assertion containing all information about the user.
    Read more about the content of the SAML assertion.

Identification request parameters

The different identification request parameters are divided in these sections:


​mid​Customer identifier. This is an ID assigned to the customer upon configuration and must be used in subsequent requests to E-Ident.​NA
​TARGET​Data sent back to the artifact receiver after identification. Customers can use this to carry session specific data tokens such as name or URL of resource user intended to access, or a session ID. 

​Parameter name must be in upper case.

URL encode following parameters: [? | & | #]



​The additional info parameter can be used by any customer to enter their own information. The parameter value will be returned as it was entered in the corresponding claim in the ID Token or attribute in the SAML assertion.

In addition, the information is added to E-Ident statistics and may be returned to the customers as part of statistics. The last part must be agreed with Nets in each case.



Max length: 50 characters

​deflect​Where the artifact receiver should be opened. Options are to keep it in iframe (_self) or take over the page (_top).

Valid values: [_top, _self]

Default: _top

​forcepkivendorA comma separated list of eIDs. The list limits the eIDs made available to the end user for identification. See the next table for a mapping between eID and the constraint.​

​One or more of:

no_bankid, no_bidmobno_buypass, dk_nemid_js, dk_nemid-opensign, mitid, mitid:mitid_erhverv, se_bankid, passport_reader, mobile_id, smart_id, verimi, nets_sms


The language used to provide user with information during identification. If not provided, then E-Ident uses the language specified by the web browser.

If no supported languages are available in the browser, or the parameter, then English is used by default.

​Supported language codes:

Supported language codes:

[nb-NO |  nn-NO | en-GB |  da-DK  sv-SE | fi-FI | sv-FI]

​start​A customer URL that points to a start page. The start page is used as an exit strategy for users that opt out of the identification sequence (for example, choosing to cancel the identification process midway or after a status message is displayed by E-Ident).

Note:  The start URL is not used if a status URL is provided.

Format: URL

Range: only URLs to trusted domains are allowed by E-Ident.

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.


​The URL is used to provide end users with clear messages in cases where an unexpected event occurs. Unexpected events can be errors during identification, change of status, or other relevant information not associated with a successful identification. E-Ident always appends a status code to the provided URL, so this URL must allow a status code to be appended to it.

Example: If the event uid.expired occurs, and the URL is defined as being https://customer/statusurl.html?su= (notice how this URL works well with the appended status code), then the actual URL requested will be https://customer/statusurl.html?su=uid.expired

​Format: URL

Range: only URLs to trusted domains are allowed by E-Ident

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.

​styleA customer with a specific typographic, layout, or colour scheme can provide a URL to a CSS style sheet. If provided, the given style sheet will be used when rendering web pages in a browser.

Note: style is ignored if the wi parameter is set to “n” or not used.

​Format: URL

Range: only URLs to trusted domains are allowed by E-Ident.

Trusted domains are a part of the customer configuration setup. 

This parameter overrides the URL issued to E-Ident during configuration.


The wi parameter is used to indicate that the user interface shall be embedded UI.

Note: The wi parameter may also be set to n to indicate standalone UI. However, as this is default UI option it is not necessary to use the wi parameter.

​Valid values: [ r ]

Mapping of eID to forcepkivendor parameters:

​eID​forcepkivendor parameter
​BankID (NO)no_bankid
BankID (SE)se_bankid
BankID on mobile (NO)no_bidmob
​Buypass (NO) ​no_buypass
​MitID (DK)mitid and/or mitid:mitid_erhverv
NemID with key card - Java script client (DK)dk_nemid_js
NemID with key file - codefile client (DK)dk_nemid-opensign
​Nets Passport Reader

Optional eID specific parameters​​


​Specifies the requested Authentication Assurance Level.

One of:

[ low | substantial | high ]

​MitID (DK)

​Used to set the minimum level of assurance for the identification.

​Valid values:

See the eID specific page.


BankID (NO)


​Used to inform the service if it shall try to start the eID client automatically. (If the end user is using the device where the eID client is located)


 [true | false]

​​BankID (SE)

​8-digit mobile/cell number for BankID on mobile (NO).

​Encoding: Base64​BankID on mobile (NO)

​6-digit date of birth for BankID on mobile (NO).

​Encoding: Base64​BankID on mobile (NO)

​​Specifies the requested Level of Assurance.

One of:

[ low | substantial | high ]

MitID (DK)​

​This parameter indicates the format to use for the display text. GSM-7 is default. UCS-2 supports all Cyrrillic characters.

Valid values:​

  • UCS-2: 20 characters
  • GSM-7: 40 characters (default)


​The NemID JS client can either be shown in a standard or in a limited mode. The standard mode includes administration possibilities for the end user like activation for new end user.

Some customers might notice that the content of their iFrame is moved slightly when pressing the question mark button in the NemID client. This could be prevented by using this parameter with “limited” as the value.


[standard | limited]


​NemID JS (DK)

​A pre-selected user ID to improve user experience and reduce number of steps for a user.


​​See presetid description on the eID specific pages.​
​BankID (NO), BankID (SE), MitID (DK) and Verimi

​Reference text displayed during MitID identification. The text is displayed in the MitID client or in the MitID app.

​All characters allowed except: %<

Max limit: 130

​MitID (DK)

​For NemID:

This parameter is used to initiate the Private NemID - on behalf of companies function. In addition, if using NemID MOCES, the organisation number in the user's certificate will be returned explicitly. 



​NemID (DK)
Controls retrieval of SSN for customers that have SSN access. For BankID (NO), BankID on mobile (NO) and NemID, the SSN will be returned if the parameter is not provided. For the other eIDs, SSN will not be returned if the parameter is not provided.
​BankID (NO),  BankID on mobile (NO), MitID (DK), NemID (DK), Mobile-ID and Smart-ID.

​This parameter can be used to decide which text to display to the user and it may give him possibilities to choice a verification code. 

​Valid values:
See the eID specific page.

Text to be displayed in the Smart-ID user app.

​Max length:
60 characters

​Text to be displayed in the Smart-ID user app. 

​Max length:
200 characters

​Transaction text displayed in the end user's app or phone: 
  • NemID code app
  • Mobile-ID (SIM card based
​Characters max length:
  • 20 / 40 (Mobile-ID)
  • 100 (NemID JS)
​NemID JS (DK)​​ and Mobile-ID

SAML Assertion

The following table lists all available assertion attributes that may be returned in a SAML response. Not all attributes are available in all SAML responses. See the list of returned attributes below. The attributes is specific for the eID providers.

Attribute ​​Description/Usage ​eID provider​

​Authentication Assurance Level

​One of
​MitID (DK)

​The level of assurance for the specific identification.


BankID (NO)


The value of the additional info parameter if used.

​AUTHFILESURL​​A URL to download authentication files. Read more about the authentication files. ​Nets Passport Reader

​The organisation number (Danish CVR number) the user has selected and is authorised to represent. 

The user can select a company when using the Private NemID - on behalf of companies​ or Private MitID - on behalf of companies ​functions.

NemID (DK) POCES users and MitID (DK)
C​Country code​ALL (where available).​
CERTIFICATE​The  X509 certificate of the identified end user.​ALL (where available)
CERTPOLICYOID​A policy identifier for the end user certificate.​ALL​
CN​Common Name from end user certificate.​ALL​
DK_SSN​Danish SSN.​NemID (DK)​ and MitID (DK)
DN ​Distinguished Name from end user certificate.​ALL​
DOB​Date of birth where available​
FIRSTNAME​End user first name (from certificate).​ALL (where available).​
FULLNAME​Name of identified user.ALL (where available)
GIVENNAME​End user given name (from certificate)​ALL (where available).​

​Identity Assurance Level

​One of
​MitID (DK)
​Type of identification
Possible values are:
  • private
  • professional
Professional indicates Erhverv user
​MitID (DK)
IDPROVIDER​The ID provider used for identification.​ALL. See valid values in a table below this table.​

​Level of Assurance

​One of
​MitID (DK)

​The list of authenticators used to achieve the resulting level of assurance for a MitID identification.

​Possible values are:

  • mitid.password
  • mitid.code_token
  • mitid.code_reader
  • mitid.code_app
  • mitid.code_app_enchanced
  • mitid.u2f_token
MitID (DK)​

​Unique ID for MitID.

​MitID (DK)
​Age of Erhverv user
​MitID (DK)
​Unique ID for Erhverv user
​MitID (DK)
​Company CVR for Erhverv user
​MitID (DK)
​Date of birth for Erhverv user
MitID (DK)​
Email address for Erhverv user​
MitID (DK)​
Family name for Erhverv user​MitID (DK)​
Given name for Erhverv user​
MitID (DK)​

​Identity Assurance Level

​One of
​MitID (DK)
​Full name of Erhverv user
​MitID (DK)
​Employee certificate RID from NemID migration (or assigned)
​MitID (DK)
​Company name for Erhverv user
​MitID (DK)
Company P number for Erhverv user​MitID (DK)​
MitID Erhverv’s Global UUID/ID from EIA MitIDMitID Erhverv’s Global UUID/ID from EIA
MitID (DK)​
​Company SE number for Erhverv user
​MitID (DK)
NOTAFTER​Certificate validity end time.​ALL (where available)
NOTBEFORE​Certificate validity begin time.​ALL (where available)
NO_CEL8​8-digit mobile/cell number (provided by merchant or user).​Norwegian BankID Mobile.​​
NO_BID_PID​Norwegian BankID PID​Norwegian BankID​
NO_DOB6​6-digit date of birth (provided by merchant or user)​Norwegian BankID Mobile​
NO_SSN​Norwegian SSN.​Norwegian BankID.​

For Private NemID and Private MitID:​

The name of the organisation the user logs in on behalf of.​

​Applicable eID:
NemID (DK) and MitID (DK)

For NemID:

​The organisation number either from a NemID MOCES certificate or the organisation number received when using the Private NemID - on behalf of companies​ ​function. 

Note: When a NemID MOCES is used to login, the authorized_to_represent claim will be empty. This as no validation of user rights on behalf of company has been performed. The organisation number is fetched from the user's certificate. 

For MitID:

The organisation number received when using the Private MitID - on behalf of companies function.

​Applicable eID:
NemID (DK) - MOCES and POCES users​ and MitID (DK) 
SE_SSN​Swedish SSN​
Swedish BankID​

​This value returns information about the type of Smart-ID interaction flow that was used. This can be one of:

  • displayTextAndPIN
  • verificationCodeChoice
  • confirmationMessage
  • confirmationMessageAndVerificationCodeChoice

SURNAME​End user surname (from certificate).​ALL (where available).​​

The following table gives the valid values for the IDPROVIDER attribute: 

​eID providerIDPROVIDER value​
BankID (NO)
​BankID (SE)
BankID on mobile (NO)​no_bidmob​
​Buypass (NO)
​MitID (DK)
NemID JS client (DK)​dk_nemid_js​
NemID CodeFile client (DK)​dk_nemid-opensign​
​Nets Passport Reader

Example SAML response

<soapenv:Envelope xmlns:soapenv="" xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:ns1="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:ns2=""
                  xmlns:ns3="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xs=""
        <ns1:Response xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                      InResponseTo="76C4438E7CCFBA0E03B12014F6C99DF88CD08C33" IssueInstant="2019-01-03T14:27:50.906Z"
                      MajorVersion="1" MinorVersion="1" ResponseID="TI2-47A7F798E258169482197E2E7266DAAA0671D9AF">
                <ns1:StatusCode Value="ns1:Success"/>
            <ns3:Assertion AssertionID="TI2-878D39A6C769451CE67D4066603A6D87370A258D"
                           IssueInstant="2019-01-03T14:27:50.911Z" Issuer=""
                           MajorVersion="1" MinorVersion="1">
                <ns3:Conditions NotBefore="2019-01-03T15:27:50.000Z" NotOnOrAfter="2019-01-03T14:57:50.000Z"/>
                <ns3:AuthenticationStatement AuthenticationInstant="2019-01-03T14:27:50.911Z"
                        <ns3:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090</ns3:NameIdentifier>
                        <ns3:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                            CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090
                    <ns3:Attribute AttributeName="IDPROVIDER" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">no_bankid</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="DOB" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">02.10.1958</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="DN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">CN=Nilsen\, Åse,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-201090</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="CN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">Nilsen, Åse</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="NO_BID_PID" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">9578-6000-4-201090</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="CERTPOLICYOID" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">2.16.578.</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="NO_SSN" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">02105892090</ns3:AttributeValue>
                    <ns3:Attribute AttributeName="CERTIFICATE" AttributeNamespace="urn:bbs:esec:adames:ti2:saml:1.1:attributeNamespace:uri">
                        <ns3:AttributeValue xsi:type="xs:string">

Single sign-on (SSO)

Single sign-on allowed registered customer sites in a cluster to share asserted end user attributes without requiring the end users to identify themselves again. A SSO enable identification is transparent to the customer and requires no special treatment in the customer application. The request and valid parameters are identical to those in an ordinary identification request.

Log out​​

​An end user session can be terminated using the log out functionality.

  1. Invoke a log out by calling​/gls/logout.html
    Read more about the log out parameters.
  2. E-Ident will call the customers's log out URL provided upon registration. This allows the customers web site to clean any session context data for the end user.

Log out parameters


​Where the nexturl should be opened. Options are to keep it in iframe (_self) or take over the page (_top).

Required: no​

Valid values: [_top, _self]

Default: _top

​mid​Merchant identifier. This is an ID assigned to the customer upon configuration and must be used in subsequent requests to E-Ident.Required: yes

​After log out, the End user will be directed to the URL pointed to by the nexturl parameter.

If not provided, E-Ident presents the user with a generic log out page.

​Required: no
Format: URL