Implementing the NemID solution via TU Example

 

​​​​Introduction to the NemID solution
This is a brief introduction to the NemID solution and the essentiel sub-systems, which interfaces with it. A good starting point when initiating the development of a NemID solution is to use the introduction project TU Example (danish version).

When implementing a NemID solution, a service prodvider's site will be able to offer:

  • Login/signing with NemID OTP (One Time Password)
  • Login/signing with NemID nøglefil
  • Login/signing with Digital Signatur

When using the NemID login/signing mechanism it is possible to:

  • Check the end-user's certificate - whether it matches the user identity in the serviceprovider system (CPR or other selfmade ID) or not. This is done by using the PID/CPR service.
  • Check the end-user's certificate used for login/signing - whether it is revoked or not. This is easily done by using the framework OOAPI which provides the possibility to verify the certificate by OCSP or CRL.
  • Check the end-user's certificate used for login/signing - whether it is expired or not. This is easily done by using the framework OOAPI which provides the possiblity to verify the state of the certificate.

Nets DanID highly recommends the following order in which to use the TU Example project:

  1. Start by downloading the TU Example project, and get it to run locally with Nets DanIDs test certificates. If using the .NET platform see to proceed. If using the Java platorm see to proceed.
  2. After TU Example project is up and running locally with Nets DanIDs test certificates, modify the TU Example project and get it to run locally with your company's own test certificates. If using the .NET platform see on how to proceed. If using the Java platorm see on how to proceed.
  3. After TU Example project is up and running locally with your company's own OCES test certificates (which can be ordered here), modify the TU Example project and get it to run on a test-server with the same test certificates. If using the .NET platform see on how to proceed. If using the Java platorm see on how to proceed.
  4. After TU Example project is up and running on your company's test-server with your company's own test certificates, modify the TU Example project and get it to run on the same test-server but with production certificates . If using the .NET platform see on how to proceed. If using the Java platorm see on how to proceed.

These 4 steps completes the development cycle for the TU Example project. A proof of concept has now been implemented, and is ready to be ported into a real development project.

Login and signing with NemID (Borger)
Examining the most common implementation scenario of a NemID solution (Borger) website in which the end user will use the provided login/sign mechanism (OTP), the user will be prompted for CPR number durring the first login (registration).

After the first login it is now possible to map the previously entered (and now persisted) CPR number to an internal login ID, which is created and maintained by the service provider. For future logins/signings by this user, it will now be possible to verify the CPR number with the certificate's PID number (all NemID (Borger) certificates has a PID number contained within). This verification is done by using the PID/CPR webservice. This webservice is available for all service providers by registration.

One of the primary elements when implementing the NemID (Borger) solution, is the OTP applet. This applet can relative easily be constructed by using the OOAPI framework class OcesAppletElementGenerator. As the class name implies the main purpose of the class is to geneate the applet tag in the login/signing html page.

All prime elements, like generating the applet for login/signing, usage of the PID/CPR service, check certificates validity, etc. are described and exemplified in the introduction project TU Example.

Company certificates (VOCES) used in TU Example project
As mentioned above, we strongly recommend starting the development process of the NemID solution by using the introduction project TU Example as a reference point.

When using the TU Example as reference point certain certificates used in the project might need some explanation. The certificates in the TU Example are needed for the following tasks:

  • one company certificate (VOCES) is needed for identifying the service provider as a client to the Nets DanID PID/CPR service
  • one company certificate (VOCES) is needed for signing the applet parameters to ensure the identification of the service provider

In the TU Example project the same certificate is used for these two tasks. Note however that it is possible to configure the project to use a different certificate for each of these two tasks.

Further inquires as a service provider
If you have been registered as a service provider (TU), you can contact the support function

If you have NOT registered as a service provider, you can do it here (danish version)


Before contacting the support please check the FAQ to see if your issue has been addressed previously.
FAQ for developers (danish version)