# NemID

# About NemID

NemID is a collaboration between the Danish banks and the Danish public sector. This alliance forms a countrywide solution and provides a secure login mechanism for websites wanting to use the free-of-charge digital ID for all citizens in Denmark. As of January 2020, a total of five million Danish citizens have ordered a NemID. NemID is run by Nets DanID.

# Demo

If you want to see how NemID works, you can use Signicat's demo service.

# Method names in authentication URLs

When you want to redirect the end-user so they can authenticate, you have to include the name of the relevant method in the redirect URL. The tables below show which method names are available for NemID. For further information about the authentication URL, see the Authentication API.

# Authentication and digital onboarding

| Method name | Description |
| --- | --- |
| `nemid` | NemID key card (bank stored certificate, employee and person signature) |
| `nemid-moces` | NemID key card (bank stored certificate, employee signature only) |
| `nemid-erhverv` | NemID key card (bank stored certificate for business owners) |
| `nemid-codefile` | NemID code file (locally stored employee certificate) |

# Authentication-based signing

| Method name | Description |
| --- | --- |
| `nemid` | NemID keycard |
| `nemid-codefile` | NemID code file |

# Third-party signing

| Method name | Description |
| --- | --- |
| `nemid-sign` | NemID keycard |
| `nemid-codefile-sign` | NemID code file |

# How to get started with NemID

This process description shows the interaction between the customer, Nets DanID and Signicat Operations when developing and establishing a web application using NemID. The process contains descriptions of all the players’ tasks.

Signicat will be happy to assist you in ordering and setting up NemID.

The documentation from Nets DanID referred to in this process description is mainly in Danish. For a complete NemID documentation package in English, see the NemID Service Provider Package.

For more information about how to become a NemID customer, see Guide: Order NemID Service Provider.

# Integrating with NemID through Signicat

The integration is done via the same API as Signicat's other ID methods. For more information, see Getting started with authentication. Through the single point of integration, you will get access to Signicat's wide portfolio of integrated ID methods.

For a response example from a typical NemID authentication, see the OIDC response examples page.

# Process overview

  1. Customer signs agreement with Signicat AS
  2. Customer signs agreements with Nets DanID
  3. Customer develops technical integration with id.signicat
  4. Customer orders access to the test environment
  5. Customer performs acceptance test in test environment
  6. Customer orders VOCES and access to production environment
  7. Signicat configures customer integration in production environment
  8. Customer performs the acceptance test in production environment

# 1. Customer signs agreement with Signicat AS

The customer signs an agreement with Signicat AS. This agreement specifies, among other things:

  • the Service Level (SLA) between the customer and Signicat AS
  • the number of ID methods (authentication, signing, verification, etc.)
  • the number of ID solutions (NemID, Net-ID, BankID, etc.)
  • the number of graphical profiles the customer needs

# 2. Customer signs agreements with Nets DanID

The customer signs the following agreements with Nets DanID:

  • A NemID service provider agreement.
  • If the customer needs to receive CPR numbers (Danish national identification numbers) of the end-users, an agreement to use the PID/CPR service must also be signed. There are two different modes of PID-CPR access:
    • Match: This mode requires the end-user to type their CPR number in your web application and also requires the user’s explicit consent. The CPR number and the PID number (retrieved from the user’s NemID login) are transmitted to and matched in the PID/CPR service. A simple true/false is returned to the web application.
    • Lookup: From the end-user’s NemID login the PID-number is retrieved and transmitted to the PID/CPR service. The PID/CPR service returns the corresponding CPR number to the web application. The user is not involved in the retrieval in any way. This option is only available for public enterprises and authorities.

For more information about the agreements, and to download and fill in the agreement forms, see NemID medarbejdersignatur.

# 3. Customer develops technical integration with id.signicat

Note

This step only applies to new customers of Signicat or existing customers without integration to id.signicat.

When the relevant agreements with Signicat and Nets DanID are signed, the customer should begin developing a standard technical integration with id.signicat. This includes:

  • Technical development with one of the Signicat client kits
  • Establishing one or more graphical profiles
  • Testing the integration

# 4. Customer orders access to the test environment

# 4.1 Signicat sets up test environment

Signicat will set up a test environment with Signicat's pre-production VOCES unless otherwise specified. No customer action is needed for this step.

# 4.2 Customer orders test users

This step is performed after 4.1. Do the following:

For each test user, the customer must enter a series of information (e.g. CPR number, name, address, etc.) in the order form. For more information about how to use the test tools, see the guideline Vejledning i brug af test tools.

# 5. Customer performs acceptance test in the test environment

The test should cover all aspects of the customer NemID integration in Signicat's test environment, i.e.:

  • Authentication/signature with valid test certificates
  • Authentication/signature with revoked test certificates
  • Authentication/signature with locked test certificates

You can find an extensive guide on testing your NemID integration here: Guide: Test og implementering af NemID.

# 6. Customer orders VOCES and access to the production environment

All companies in Denmark are eligible to issue a Virksomhedssignatur (VOCES). If you do not have an entry in the Danish company register (CVR), it is still possible to get access to NemID. Contact Signicat for more information if this is the case.

Your NemID Administrator must issue and order the VOCES certificate. The customer agreement is a matter strictly between Nets DanID and the customer, hence Signicat cannot place the order on the customer’s behalf.

If you do not know who your NemID administrator is, follow this recipe.

Note

If the customer already has a VOCES certificate that is used somewhere else, it cannot be reused. The reason for this is that Signicat would have no way of guaranteeing the integrity of the certificate.

Important tasks in this step:

  1. The NemID administrator orders a VOCES certificate for the production environment. This is done by following the guide Order NemID Service Provider. When filling out the order form, the NemID administrator must list the Signicat onboarding manager as the technical contact person.
  2. The technical contact person receives an email with the activation link to the VOCES certificate.
  3. The NemID administrator must send a temporary access code to the technical contact person via a secure channel. For instructions on how to acquire this code, follow steps 4 and 5 in the below section (Renewal of VOCES).

# Renewal of VOCES

This topic describes how to renew the NemID VOCES certificate. Only your NemID Administrator can do this.

Note

When renewing the VOCES certificate, you should not order a new certificate, since it may cause problems.

  1. Open https://www.medarbejdersignatur.dk/ and select Log på selvbetjening (Log in to self-service).
  2. From the left menu, select Øvrige signaturer > Administrér virksomhedssignatur (Other signatures > Administrate business signature).

     Ensure that Teknisk kontaktperson is your technical contact person in Signicat.

     To proceed, select Vis detaljer (Show details).
  3. To order a renewal of the certificate, select Bestil genudstedelse (Order renewal).

     An e-mail is sent to the technical contact person in Signicat with the appropriate information.
  4. The technical contact person in Signicat needs a temporary access code to retrieve the new certificate. Select Vis ny midlertidig adgangskode (Show new temporary access code).
  5. You can now view the temporary access code.
  6. Send this access code via SMS or another secure communication channel to the technical contact person in Signicat. When this is done, the technical contact person will download and install the certificate.

# 7. Signicat configures the customer's integration in the production environment

Important tasks in this step:

  • Signicat receives the email containing the activation link and the activation PIN code for the VOCES certificate for production, from Nets DanID or the customer (according to customer’s contract with Nets DanID)
  • Signicat downloads and activates the VOCES certificate for production, using the activation link and PIN code.
  • Signicat establishes the customer configuration for the NemID integration in Signicat's production environment and installs the VOCES certificate.

# 8. Customer performs the acceptance test in the production environment

The test should cover all aspects of the NemID integration for the customer in Signicat's production environment.

# Certificates

# Merchant certificate

A merchant certificate (signature) represents your business and is used by the web application to communicate securely on your behalf. Merchant certificates for NemID are called VOCES (“Virksomheds OCES” or “Virksomhedssignatur”). There are different merchant certificates for the pre-production and production environment.

Merchant certificates for the pre-production environment are free while there is a fee for the production merchant certificate.

For an order form, see NemID customer certificate.

# Employee certificate

An employee signature is a personal certificate, but it is associated with your company. With an employee signature, you may sign on behalf of your company.

To order a NemID employee certificate, see NemID Medarbejdersignatur.

# Personal certificate

NemID is the new Danish eID solution for use on both public and private services on the web.

End-users may order their personal digital signature on the NemID page.

# Production environment

In order to go into production with NemID, your company will need the following:

  • A service provider agreement with Nets DanID
  • An agreement to use the PID-CPR service (optional, but necessary if you need to receive CPR numbers from the users).
  • Agreement to use their production environment.
  • A VOCES merchant certificate for production.

# VOCES merchant certificate for production

For a VOCES order form, see NemID medarbejdersignatur.

You need to specify:

  • CVR number of the merchant
  • Name/friendly name of the application (service name, department name, etc.)
  • Technical contact person (name and email address)
  • Granted person (name and email address)
  • Email address associated with the VOCES certificate (merchant, department, email address)
  • Comments

# Typical login and signature screenshots

This page contains screenshots of a typical login session and signature session. The actual screens may have a different graphical profile in your setup.

The graphical interface in Signicat's NemID product consists of the standard NemID applet as it is delivered from Nets DanID, plus a “CPR step” that Signicat has developed. The standard NemID steps are shown in paragraphs 1-3 on this page, while the CPR step is described in paragraph 4.

# Login session

The pictures below illustrate the login/authentication process with NemID.

# 1. Provide user ID and secret code

The user provides his/her user ID and secret code. The user ID may be the user’s CPR number, a unique NemID number or username chosen by the user themselves. Such a username may be created on the first use of NemID.

# 2. Provide one-time key

The user provides a one-time code from his/her code card.

# 3. Process user's input data

NemID processes the input data from the user.

# 4. Provide CPR number

The standard NemID applet returns only a number called PID to the merchant and not the CPR number, which is needed in most cases. The PID is a number that identifies the end-user uniquely. It is internal and specific to the NemID systems.

In order to retrieve the user’s CPR number, Nets DanID’s PID-to-CPR service must be used. The PID-to-CPR service has two different modes: lookup and match:

  • Lookup mode, the CPR number will be extracted by the service using the PID as the key (requires no user interaction).
  • Match mode, the end-user has to enter his/her CPR number. The number entered by the user will be matched against the CPR number that is extracted by the PID-to-CPR service. If the CPR numbers are equal, the user can continue.

Danish legislation has determined that only public merchants are allowed to use the PID-to-CPR service in lookup mode. Private merchants have to use the PID-to-CPR service in match mode.

Signicat's graphical interface to the PID-to-CPR service is shown in the picture below.

It enables the user to enter the CPR number, then matches it against the PID-to-CPR service. This step is invisible if PID-to-CPR service is configured to run in lookup mode.

Ultimately, the user is allowed to store the CPR number in Signicat's system. If the user chooses to store the CPR, he/she will avoid this step in the future.

Signicat stores the CPR numbers as long as the user is active, but if the user stops using the service for a while, the CPR number will be deleted after a certain time. A batch job runs every night and deletes all CPR numbers that have been unused for 3 months or more. The limit of 3 months is consistent with the Norwegian legislation.

# Signature session

The process below illustrates a very basic process of how to sign a PDF document with NemID. With id.signicat, the graphical design can be customised so that the signing process appears to be a part of the merchant’s web application. The process contains the following steps:

  1. Select the PDF document that should be signed. This depends on how the application is designed.
  2. Open and read the PDF document, select “Fortsæt” (Continue).
  3. Confirm that you have read and understood the contents of the document, using your NemID userid and password.
  4. Confirm the signature with the requested one-time code from your code card.
  5. Provide your CPR number

The PDF document is now signed.

# Creating a simple signing order with one subject

# Using C#

This example has been updated for compatibility with DocumentService-v3.

```csharp
using System;
using Microsoft.VisualStudio.TestTools.UnitTesting;

// The request/response types and DocumentEndPointClient are the proxy classes
// generated from the DocumentService-v3 WSDL and are assumed to be in scope.
// The wrapping class name is only there to make the test method compile.
[TestClass]
public class NemIdSigningOrderExample
{
    // Use the DocumentService to create a signing order request.
    // A signing order may contain several documents, tasks and subjects (people).
    // This is a simple example where one subject must sign one document
    // and where the result is a plain NemID SDO (Signed Data Object)
    [TestMethod]
    public void How_to_create_a_simple_document_order_with_one_subject_and_one_document_using_Danish_NemID()
    {
        // The document id is what you get in response when uploading a document to the SDS
        string documentId = "04092013551868wie4tdlw9n8e6s834f3iwm92yq5i8d3gkgqit3vpm6ed";
        var request = new createrequestrequest
        {
            // Credentials of the shared "demo" service in pre-production.
            // In your own integration, load the password from protected configuration.
            password = "Bond007",
            service = "demo",
            request = new request[]
            {
                new request
                {
                    clientreference = "cliref1",
                    language = "da",
                    profile = "demo",
                    document = new document[]
                    {
                        new sdsdocument
                        {
                            id = "doc_1",
                            refsdsid = documentId,
                            description = "Terms and conditions"
                        }
                    },
                    subject = new subject[]
                    {
                        new subject
                        {
                            id = "subj_1",
                            nationalid = "1909740939"
                        }
                    },
                    task = new task[]
                    {
                        new task
                        {
                            id = "task_1",
                            subjectref = "subj_1",
                            bundleSpecified = true,
                            bundle = false,
                            documentaction = new documentaction[]
                            {
                                new documentaction
                                {
                                    type = documentactiontype.sign,
                                    documentref = "doc_1"
                                }
                            },
                            signature = new signature[]
                            {
                                new signature
                                {
                                    responsiveSpecified = true,
                                    responsive = true,
                                    method = new method[]
                                    {
                                        new method
                                        {
                                            value = "nemid-sign"
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        };
        createrequestresponse response;
        using (var client = new DocumentEndPointClient())
        {
            response = client.createRequest(request);
        }
        // Check the response before dereferencing it to build the signing URL.
        Assert.IsNotNull(response);
        Assert.IsNull(response.artifact);
        Assert.IsNotNull(response.requestid);
        // URL-escape both values before placing them in the query string.
        string signHereUrl = String.Format(
            "https://preprod.signicat.com/std/docaction/demo?request_id={0}&task_id={1}",
            Uri.EscapeDataString(response.requestid[0]),
            Uri.EscapeDataString(request.request[0].task[0].id));
        Console.WriteLine(signHereUrl);
    }
}
```

# NemID for citizens

NemID offers a free-of-charge secure identification of all Danish citizens, but with a transaction fee for the merchant. NemID has already, to a large extent, replaced the older Danish Digital Signature for citizens and will continue to do so.

The NemID ID solution guarantees the identification of the sender and receiver of information and ensures secure encryption of personal internet transactions and emails. NemID can be used from any computer regardless of where in the world the user is, as long as the user has the code card.

The Signicat integration can include a lookup in the “PID/CPR service”, which returns the CPR number of the end-user. Contact Signicat for establishing an agreement for the use of NemID.

# NemID Employee signature

NemID Employee signature targets private enterprises as well as government agencies and authorities.

NemID Employee signature is available to all Danish enterprises having a Danish CVR number. Though the first 3 NemID Employee Signatures are free of charge, adding more options and complexity will result in a fee to Nets DanID.

NemID Employee signature is a personal signature, and it identifies you as an employee in a specific enterprise.

To be able to use this infrastructure (e.g. verifying a login or checking the validity of email signing/encryption) an agreement/contract must be made between you, the customer and Nets DanID.

# Using your private NemID to log in to business portals

This is a special use case where a private person can use his/her private NemID to login to business portals representing his/her company. This means the person does not need to create a separate employee certificate and negotiate roles with the service provider.

This login mostly applies to one-person businesses (enkeltmandsvirksomheder).

The purpose of setting up NemID for business owners is that you can use your private NemID to represent your company. However, if you have no role in any business, the login will fail.

To avoid confusion, we recommend that you set up separate menu options to log in as a private person, as an employee or as a business owner.

In this example, a person has logged in with their private NemID. They have the option to continue either as a private person (Tajs Jensen) or as a business owner (here indicated with the CVR number):

# How this is configured (behind the scenes)

The authentication method name is nemid-erhverv (see Method names). This method is set up to accept person certificates (POCES) only. It will reject attempted logins with employee certificates (MOCES). The method is also configured to perform a lookup with virk.dk based on the national identity number (CPR number) from a successful response.

# Authentication

All requests must be authenticated by means of an OIDC access token with a scope including organisation number and organisation name. You should supply the token in an Authorization header of the Bearer type.

# Sample response of a business login

Here is a sample response when using the nemid-erhverv method when an ID identity is found:

```json
{
    "sub": "TyKAbnSdf7WkcHkc7VsDi03XfoVP1Z0Q",
    "signicat.organization.number": "23456789",
    "signicat.organization.name": "Jensen Test ApS",
    "name": "Tajs Jensen",
    "signicat.national_id": "0506524267",
    "given_name": "Tajs",
    "locale": "DK",
    "family_name": "Jensen"
}
```

The first line indicates if it is a successful login.

Lines 2 and 3 show the organisation number and organisation name, which indicate that this is a business login and not a private login. A private login would not have these two lines (see for example OIDC Response With Danish NemID).

If you do not have a role in any business, the method will return a successful person response without the organisation number and name claims, not an error. In other words, the transaction will just continue as a regular person login.
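Because a login without a business role still succeeds, the relying application has to decide from the claims alone whether it is looking at a business login. The following Python sketch is an added example, not Signicat's code: it assumes the claims come from an already validated OIDC response, that a CVR number is exactly 8 digits, and the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Any, Mapping, Optional

# Claim names as they appear in the sample response on this page.
ORG_NUMBER = "signicat.organization.number"
ORG_NAME = "signicat.organization.name"

# Assumption: a Danish CVR number is exactly 8 digits.
CVR_RE = re.compile(r"[0-9]{8}")


class ClaimsError(ValueError):
    """The response is malformed and must not be used for any login."""


@dataclass(frozen=True)
class Login:
    subject: str
    kind: str                      # "business" or "person"
    cvr: Optional[str] = None
    organisation: Optional[str] = None


def classify_login(claims: Mapping[str, Any]) -> Login:
    """Decide between business and person login from the claims alone."""
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ClaimsError("response has no usable 'sub' claim")

    has_number, has_name = ORG_NUMBER in claims, ORG_NAME in claims
    if not has_number and not has_name:
        # No role in any business: a regular person login, not an error.
        return Login(subject=sub, kind="person")
    if has_number != has_name:
        # Fail closed: half a business identity is not a business identity.
        raise ClaimsError("only one of the two organisation claims is present")

    cvr, org = claims[ORG_NUMBER], claims[ORG_NAME]
    if not isinstance(cvr, str) or not CVR_RE.fullmatch(cvr):
        raise ClaimsError("organisation number is not an 8-digit string")
    if not isinstance(org, str) or not org.strip():
        raise ClaimsError("organisation name is empty")
    return Login(subject=sub, kind="business", cvr=cvr, organisation=org)


def require_business(claims: Mapping[str, Any],
                     expected_cvr: Optional[str] = None) -> Login:
    """Gate for business-only pages: a successful login is not enough."""
    login = classify_login(claims)
    if login.kind != "business":
        raise PermissionError("person login: no business role was returned")
    if expected_cvr is not None and login.cvr != expected_cvr:
        raise PermissionError("business login is for a different CVR number")
    return login


# The sample response from this page.
BUSINESS_SAMPLE = {
    "sub": "TyKAbnSdf7WkcHkc7VsDi03XfoVP1Z0Q",
    "signicat.organization.number": "23456789",
    "signicat.organization.name": "Jensen Test ApS",
    "name": "Tajs Jensen",
    "signicat.national_id": "0506524267",
    "given_name": "Tajs",
    "locale": "DK",
    "family_name": "Jensen",
}

# Constructed for this example: the same response without the organisation
# claims, which is what a user with no business role would produce.
PERSON_SAMPLE = {k: v for k, v in BUSINESS_SAMPLE.items()
                 if k not in (ORG_NUMBER, ORG_NAME)}

if __name__ == "__main__":
    for label, sample in (("business", BUSINESS_SAMPLE), ("person", PERSON_SAMPLE)):
        login = classify_login(sample)
        print(label, "->", login.kind, login.cvr, login.organisation)
```

Call `require_business` on every route that acts on behalf of a company, and pass `expected_cvr` when the session is already bound to a specific company.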

# Signicat's NemID integration

The technical integration with id.signicat will be the same as with the other ID solutions. If you already have an integration with id.signicat, you may also integrate with NemID without any changes, except for the URL your application sends to id.signicat.

This assumes that there is no eID-specific management in your web application.

# Test information

# NemID test environment

Regardless of whether you have already signed a service provider agreement with Nets DanID or are considering becoming a NemID service provider, Nets DanID will need some information about your company in order to give you access to the NemID test environment.

It is a prerequisite for accessing the NemID test environment that you have a test company signature (test VOCES), since a production company signature cannot be used in the test environment. If you already have a test Corporate Signature, you can use it. Alternatively, you may order one from Nets DanID.

# Friendly Name

The Friendly Name field will be displayed in the NemID applet to identify the service provider that the user tries to access. The user would, for example, be able to read, “You are now logging on as Acme Corp” where Acme Corp constitutes the Friendly name. Nets DanID makes a concrete assessment of whether the Friendly name is correct.

# CVR/UID from the test VOCES certificate to test system

Information about CVR/UID in the test VOCES certificate may be found in the certificate details. Under properties, the “Subject” field contains the serial number (serialNumber), and the value for CVR/UID can be read there.

# Service provider package

Once agreements are signed, you must fill in a form for establishing the service provider so that you receive access to the right systems at Nets DanID. You can find this form together with your service provider package, which also provides information and software for use in the testing phase.

# Creating test users

Nets DanID has developed a tool that enables service providers themselves to create the test users they want. With this tool you can create a new test user with a key card and temporary password, and see transaction logs for a specific test user. The tool also automatically ensures that new key cards are granted when there are only 20 keys left on the key card. Below you can see the step-by-step process of how to create a test user.

# 1. Gain access to Nets DanID's developer environment

Access requires whitelisting

Access to Nets DanID's developer environment requires that your company’s IP address(es) are whitelisted by Nets DanID.

If you have an existing provider agreement (tjenesteudbyderaftale) with Nets DanID and you can’t access the page mentioned above, contact NemID Service Provider Support to have your IPs added (max. 10 per company).

If you do not have an existing provider agreement (tjenesteudbyderaftale) with Nets DanID, you may apply and fill in your IPs on the Nets DanID website (Danish).

# 2. Create a NemID test user

Go to the Nets DanID developer environment (requires whitelisting by Nets DanID).

  • Click “Autofill” to fill all fields with valid test data
  • Change alias (username) and password to whatever you’d like
  • Click “Create new identity” and wait

# 3. Get an overview of the user

After clicking Submit, you’re redirected to the overview page — this page should be bookmarked. From here you can issue new OTP cards and find other, useful data about your test user. The username (alias) you created will allow you to look up this page again. The CPR number here will be important for authentication with CPR/PID checks, so make sure you save it.

Now click the OTP card link — this will send you to this user’s OTP card page. You’ll want to bookmark this for future use, as the codes here are necessary for NemID authentications.

The registration process is now complete! You may now use your new NemID for NemID authentication. Again — remember to save your password, user ID, CPR number and OTP card link. Signicat will not be able to help you recover any data or user, so store the information safely. To reiterate, this is the order in which you will need your test user information when authenticating with NemID:

  • Fill in username and password
  • Refer to your OTP card link to find the serial which corresponds with the number presented in the NemID window
  • Fill in your CPR number if/when prompted

See Nets DanID’s recommended test procedures.

# Error codes

See Nets DanID's overview of error codes.

# Browser/platform support

For a complete list of supported browsers, visit this NemID page (in Danish).

# Other sources

# Frequently asked questions (FAQ)

# Why does this NemID signature show the user's name as "Pseudonym"?

If a personal NemID certificate is set to show as “pseudonym” instead of the user’s name, it is due to a name not being given when the certificate was created. NemID users are allowed to change this through the self-service portal at www.nemid.nu or alternatively contacting NemID support by phone.

# What happens if I download the VOCES certificate on my machine?

Signicat won’t accept the certificate as Signicat cannot guarantee the VOCES certificate’s integrity and ensure it’s not compromised.

# How can I locate my NemID administrator?

See this page on the Nets website.

# Can't Signicat locate my NemID administrator on my company's behalf?

Only the NemID administrator can issue company-specific VOCES certificates. You should never give anyone outside your company this kind of access.

# Why do I need a VOCES certificate?

The certificate identifies your company towards NemID.

Last updated: 20/09/2023 12:20 UTC