
# Norwegian BankID

# About Norwegian BankID

Norwegian BankID is an electronic identity scheme in Norway that can be used for digital onboarding, authentication and electronic signing of documents. BankID is based on a coordinated infrastructure that is developed by the banks through BankID Bankaxept AS, under the direction of Finansnæringens Hovedorganisasjon and Sparebankforeningen.

Signicat is the leading provider of Norwegian BankID in Norway. We deliver BankID to banks, consumer finance firms, insurance companies, government services as well as small and medium business segments. More than 80 % of the total Norwegian population has a Norwegian BankID.

# BankID changes

BankID is currently implementing changes to their BankID solution. The main changes are that they are moving towards a more app-based solution and that they offer a new BankID product type, BankID Biometric. BankID Biometric provides a simpler user experience at the cost of a lower level of assurance.

# BankID's product types

Here is an overview of the product types that BankID offers:

| Name | Description | Level of Assurance |
| --- | --- | --- |
| BankID High | This is a rebrand of the regular BankID. | High |
| BankID Biometric | This new product allows end-users to identify themselves with biometrics. It requires the BankID app installed on a mobile device. | Substantial |
| BankID on Mobile | This is the same product as before. Note: BankID on Mobile will gradually be phased out by BankID. It is expected to live until 2024. | High |

# Level of assurance (eIDAS)

The eIDAS Regulation has established three assurance levels for electronic identification, namely "low", "substantial" and "high", where "high" is the highest level of assurance. The LoA levels in the above table are self-proclaimed by Norwegian BankID. Thus, if you need more information about the level of assurance used by BankID, please contact BankID.

A lower level of assurance results in the user not being able to perform certain actions which require a higher level of assurance. Scenarios where the user will need a higher level of assurance can be:

  • When providing health information or similar person-sensitive information.
  • When onboarding users (KYC).

# BankID app

End-users can use the BankID app as an authenticator instead of code devices and BankID OTP (one-time password). The app can be used with BankID High and is mandatory for BankID Biometric. Users can download the BankID app for free from the App Store or Google Play Store. Once installed, the user activates the app by following the instructions in the app.


This app includes ID verification by reading ID cards and passports. This will be useful when the Norwegian AML regulation is changed to allow users onboarding remotely.

# Demo

If you want to see how Norwegian BankID works, you can use Signicat's demo site.

Note

You will need to use a test user for the demo. For more information, refer to Test BankID for end-users.

# Method names in authentication URLs

When you want to redirect the end-user so they can authenticate, you have to include the name of the relevant method in the redirect URL. The tables below show which method names are available for Norwegian BankID. For further information about the authentication URL, see the Authentication API. See also the Demo service page for an overview of available methods.

# Authentication and digital onboarding

| Method name | Description |
| --- | --- |
| nbid | Norwegian BankID High |
| nbid-biometric | Norwegian BankID Biometric |
| nbid-nossn | Norwegian BankID without national identity number |
| nbid-aml | Norwegian BankID with anti money laundering data |

Only nbid can be used for authentication-based signing.

# Third-party signing

| Method name | Description |
| --- | --- |
| nbid-sign | Recommended BankID signing which results in a document containing data for long term validation. Can be packaged to a PAdES document (a signed PDF document) after signing. |
| nbid-sign | Regular Norwegian BankID signing |
| nbid-nossn-sign | Norwegian BankID signing without national identity number |

# Digital onboarding

Norwegian BankID can be used for digital onboarding of a user, through user identification. The ID method can be used as a stand-alone method or in combination with other services provided by Signicat to assure an identity, like identity paper verification, lookups and video assurance.

# Use case

To be able to apply for a loan in Norwegian banks you first have to register and become a customer of a bank. During this digital onboarding process, you can choose to use Norwegian BankID, among others, as an ID method to register as a user for the first time.


# Authentication

When the user has completed the digital onboarding process, as mentioned above, Norwegian BankID can be used for authentication, verifying the existing user's identity each time they connect. Getting started guides for authentication with the different authentication protocols can be found here.

The authentication will result in a type of response that depends on the type of authentication protocol used. See the Result section for an example.

# Use case

As a registered customer in a bank, you can apply for a loan. To be able to log in to your bank, you have to authenticate to prove your identity. Norwegian BankID can be used for authentication, in the same way as it can be used for registering as a new customer.


# Result

An example of an OpenID Connect response when Norwegian BankID is used for authentication can be found here.

An example of a SAML 1.1 response when Norwegian BankID is used for authentication can be found here.

# BankID Biometric

BankID Biometric allows users to identify themselves with the use of biometrics. It provides a simpler user experience than BankID High (described above) and BankID on Mobile at the cost of a lower level of assurance, substantial.

When a user tries to authenticate with BankID Biometric, they must first enter their national identity number ("Fødselsnummer"). They are then prompted to confirm/continue their login on their BankID app on their mobile device, and are asked to authenticate with one of the following biometrics (depending on how their mobile device is configured):

  • Face recognition
  • Fingerprint
  • PIN

Here is a user flow screen example from an iPhone:

[User flow screenshots from an iPhone, not reproduced here]

In the above example, you will not see the last biometrics step, as it is not allowed to capture a screenshot of the iPhone's Face ID prompt.

# BankID AML

BankID includes an API toolkit called BankID AML, whose main aim is to help merchants counter money laundering and terror financing, as well as comply with AML legislation. This API can also be used if you integrate with Signicat's identity hub. Bear in mind, however, that if you are accessing the API through Signicat it can only be used to gather information about individual persons, not organisations. When using Signicat, BankID AML works like this:

  1. Signicat gathers the following information from the BankID authentication process: national identification number, name and nationality.

  2. Signicat passes the name and national identification number to the AML service. The AML service uses two different endpoints: one for the address and one for PEP and sanction lists from the EU and the UN. The source for the address information is usually Bisnode, unless the merchant has been onboarded with the Norwegian national population register (Folkeregisteret).

  3. The AML service sends a response containing the following information: the home address of that person, if there is a match, and PEP/sanction hits, if applicable.

  4. Signicat takes the response from the AML service and returns all the received information as an attribute in its response.

It is important to point out that BankID AML is only conceived as part of the BankID authentication process, not as an independent API or microservice. If the merchant requests the activation of the BankID AML service, the service will be provided for every BankID authentication that is carried out.

# Electronic signatures

For electronic signing of documents, Norwegian BankID can be used in two ways: authentication-based signing or third-party signing.

The first alternative, authentication-based signing, is Signicat's own signing solution, which supports any authentication method provided by Signicat. Norwegian BankID is used as an authentication method, and the authentication result is reused for signing. This ensures a unified output format in accordance with EU specifications, as well as a scalable, responsive flow supporting virtually any modern device and window size.

The second alternative is to perform native signing with Norwegian BankID as a third-party method. Here, Norwegian BankID’s native signing support is used for signing. It will not follow the same output formats and cannot be guaranteed to support responsive flows, nor necessarily support all of the same signing functionality as the authentication-based alternative.

Whichever alternative is chosen, the signing result is a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES, implemented as LTV-SDO). See the Result section for signing result examples.

For more information about getting started with electronic signatures, the different signing methods and more, see our electronic signature documentation.

# Use case

With Signicat's electronic signature solution, you can sign (as well as view or upload) one or more documents, for example loan applications, contracts etc., with Norwegian BankID. Authentication-based signing lets you sign all the documents at once, while third-party signing requires you to sign the documents one at a time. See the Screenshots section below for an example.

# Screenshots

The screenshots illustrate the flow when Norwegian BankID is used for authentication-based signing. There are two documents for signing, "Letter of intent" and "Contract details", as well as one document for view only, "Information about Signicat".


# Result

The signing result is a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES as LTV-SDOs).

For an example of an LTV-SDO, as a signing result with authentication-based signing and Norwegian BankID as signature method, see here.

For an example of a PAdES, as a signing result with authentication-based signing and Norwegian BankID as signature method, see here.

If you are building your own browserless native app and want to use mobile text-only signing, or Consent Signature, via Signicat, you can do this using our OpenID Connect (OIDC) API as a mediator. Refer to our documentation on Consent Signature for detailed information on how to integrate Consent Signature.

# How to get started with Norwegian BankID

To get started with Norwegian BankID you have to obtain a Merchant Certificate for Norwegian BankID (or use the Shared merchant certificate for Norwegian BankID).

# Obtain Merchant Certificate

  1. Information needed from the merchant:
    • Organisation number
    • Contact information of a contact person at the merchant – name, mail and mobile.
    • Contact information of the signer at the merchant – name, mail and mobile. This must be someone with procuration and be able to electronically sign with Norwegian BankID, if not an authorisation must be provided.
    • Contact information of receivers of operations related information from BankID Norway – name, mail and mobile (up to 2 persons).
    • Contact information for those who have the permit to revoke/block the certificate – name, mail and mobile (up to 2 persons).
    • “Firmaattest”. The merchant with procuration can get this document from Altinn.no.
    • Legal basis for getting the fødselsnummer (national identification number), if the merchant is going to obtain the fødselsnummer.
    • The merchant name that will be visible in the BankID client.
    • Production URL.
  2. Signicat will fill in the rest of the needed information for the agreement and send it to the merchant.
  3. The agreement will be signed electronically.

# Business certificate information

"BrukerstedsBankID" is a business certificate that can represent a company or an organisation. A business certificate is intended to ensure communication to and from companies and organisations. No personal information or personal identifier is stored in a business certificate.

The BrukerstedsBankID certificate will be stored in your system or in the system of a service provider like Signicat AS. A BrukerstedsBankID can be copied to other computers that you want to use.

# For pre-production

The BrukerstedsBankID certificate for pre-production will usually be Signicat's test merchant certificate for use in Signicat test environments. It may only be used to authenticate test users (not real live persons).

# For production

The BrukerstedsBankID certificate for production represents your business in the BankID and Signicat production environments. This certificate will be issued by your bank, after you have performed the Merchant test and have sent a signed test declaration to the bank. It may only be used to authenticate real live persons (not test users).

# User certificate types

User certificates are “Banklagret”, which means that they are stored centrally in the bank. It is possible to use a “Banklagret” BankID from any computer. PersonBankID is defined by BankID as a type of a client certificate. It is a personal BankID which can be used both for authentication and signature.

# Certificate policies

An issued certificate contains a reference to a certificate policy used when issuing the certificate. The reference is in the form of an OID located in the certificate policies extension. BankID has defined different policies for different types of subscribers:

| Reference (OID) | Certificate type |
| --- | --- |
| 2.16.578.1.16.1.9.1 | Bank-stored end-user PERSONAL certificate |
| 2.16.578.1.16.1.11.2.1 | Bank-stored end-user EMPLOYEE certificate |
| 2.16.578.1.16.1.12.1.1 | Bank-stored end-user Qualified PERSONAL certificate |
| 2.16.578.1.16.1.13.1.1 | Bank-stored end-user Qualified EMPLOYEE certificate |
| 2.16.578.1.16.1.12.2.1 | BankID on Mobile end-user Qualified PERSONAL certificate |
| 2.16.578.1.16.1.6.1.1 | Merchant soft certificate |
| 2.16.578.1.16.1.6.2.1 | Merchant HSM certificate |

# User information

The user information available after a successful authentication may differ slightly between different issuers. Important parameters are:

  • Fødselsnummer
  • Name, full name or plain-name
  • Birth date
  • Valid from
  • Valid to
  • Issued by
  • PID, unique ID specific to Norwegian BankID

The user information available after a digital signature is the same as for an authentication. The signed document contains the digital signature produced by the user when they signed the document. This is sufficient for proving that the user actually signed the document.

The signed documents are represented in a SEID format, which is a Norwegian standard.

# Test information

Signicat's test environment preprod.signicat.com is available 24×7 and may be used during your development and test phase. All use of this environment is free.

# Test BankID for merchants (BrukerstedsBankID)

Test BankID for merchants (BrukerstedsBankID) will be issued by your bank after you have signed “Avtale om BrukerstedsBankID” (merchant BankID agreement).

# Installation

Normally, a person at Signicat Operations will have the role as technical responsible in the BankID agreement. This person will receive instructions from the bank of how to activate the BrukerstedsBankID. When it is activated, it will be installed into the certificate store in Signicat's system and made available for you from your unique customer-specific configuration. When the configuration is set up in test, you may verify your merchant certificate by sending calls to the BankID authentication or signature service, using test users.

# Test BankID for end-users

There are two types of BankID for end-users: PersonBankID and AnsattBankID. Both types are stored in the banking system, which means that there is no need for any certificate installation on the client. Access only requires that you have the fødselsnummer, security code (sikkerhetskode) and a secret password.

You may order your own BankID test users by sending an email to support@signicat.com and specifying name and fødselsnummer for each test user. Signicat will forward this order to BankID Norway and return the test users to you as soon as they are available.

The file must be in text format as below:

```text
[valid personal identification number], Signicat, LastName, FirstName
```

# Test users

| National ID | Provider | Last name | First name | One-time password | Password |
| --- | --- | --- | --- | --- | --- |
| 11113306361 | Signicat | Johnson | John | otp | qwer1234 |
| 29090816894 | Signicat | Williams | Ellie | otp | qwer1234 |
| 10103933108 | Signicat | Nordmann | Ola | otp | qwer1234 |

"Fødselsnummer" (personal ID) must follow a valid syntax. It is possible to use an online generator to ensure validity, like the following site (click “vis liste”). The one-time password and password are the same for all users in pre-production.
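Because only syntactically valid numbers are accepted, it helps to check a candidate locally before ordering test users or before reusing a number taken from an authentication response as a lookup key. The checker below is an added example, not code from Signicat or BankID. It implements the public fødselsnummer structure (six-digit birth date, three-digit individual number and two mod-11 check digits) and uses the three test users from the table above as constructed sample input. The D-number handling (40 added to the day field) and the century rules for the individual number are standard but are assumptions of this example rather than something the page states.

```python
"""Syntax check for a Norwegian fødselsnummer (11-digit national identity number).

Added example, not code from Signicat's documentation. Layout: DDMMYY III KK
(birth date, individual number, two mod-11 check digits).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Sequence

# Weights for the two mod-11 check digits (standard fødselsnummer algorithm).
_K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2)
_K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


@dataclass(frozen=True)
class Fnr:
    number: str
    birth_date: date
    individual_number: int
    is_d_number: bool  # D-numbers (temporary IDs) add 40 to the day field (assumption)


def _check_digit(digits: Sequence[int], weights: Sequence[int]) -> Optional[int]:
    """Return the mod-11 check digit, or None if the remainder would need a digit of 10."""
    rem = sum(d * w for d, w in zip(digits, weights)) % 11
    k = 11 - rem
    if k == 11:
        return 0
    if k == 10:
        return None  # such numbers are never issued
    return k


def _century(yy: int, individual: int) -> Optional[int]:
    """Resolve the two-digit year using the individual-number ranges (assumed rules)."""
    if individual < 500:
        return 1900
    if individual < 750 and yy >= 54:
        return 1800
    if yy <= 39:
        return 2000
    if individual >= 900 and yy >= 40:
        return 1900
    return None


def parse_fnr(value: str) -> Optional[Fnr]:
    """Validate syntax and check digits; return a parsed Fnr, or None if invalid."""
    s = value.strip()
    if len(s) != 11 or not s.isdigit():
        return None
    d = [int(c) for c in s]
    if _check_digit(d[:9], _K1_WEIGHTS) != d[9]:
        return None
    if _check_digit(d[:10], _K2_WEIGHTS) != d[10]:
        return None
    day, month, yy = int(s[0:2]), int(s[2:4]), int(s[4:6])
    individual = int(s[6:9])
    is_d = day > 40
    if is_d:
        day -= 40
    century = _century(yy, individual)
    if century is None:
        return None
    try:
        born = date(century + yy, month, day)
    except ValueError:
        return None  # check digits were fine, but the calendar date is impossible
    return Fnr(s, born, individual, is_d)


def is_valid_fnr(value: str) -> bool:
    return parse_fnr(value) is not None


# Constructed sample set: the page's three test users plus deliberately broken variants.
SAMPLES = {
    "11113306361": True,
    "29090816894": True,
    "10103933108": True,
    "11113306362": False,  # last check digit altered
    "1702901234": False,   # only ten digits
    "31023306355": False,  # check digits are consistent, but 31 February does not exist
}

if __name__ == "__main__":
    for fnr, expected in SAMPLES.items():
        parsed = parse_fnr(fnr)
        status = f"valid, born {parsed.birth_date.isoformat()}" if parsed else "invalid"
        print(f"{fnr}: {status}")
        assert (parsed is not None) == expected
```

The two check digits are verified before the date is touched, so a typo in any position is rejected cheaply; the date step then catches numbers that pass the checksum but encode a day that does not exist.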

# OIDC response examples

Here are some OIDC response examples for BankID High and BankID Biometric.

# BankID High

Here is an example of how to use the access token to return a JSON response containing the end-user's information:

# UserInfo request

```bash
curl -XGET "https://preprod.signicat.com/oidc/userinfo" -H "Authorization: Bearer ACCESS_TOKEN"
```

# UserInfo response

```json
{
    "birthdate":"1990-10-10",
    "given_name":"Ginny",
    "name":"Weasley, Ginny",
    "family_name":"Weasley",
    "sub":"lfGdi39wjRn44ZQbwsPFxF5SLcKsytJy"
}
```

# BankID Biometric

# ID token response

The claims nbid_acr or nbid_amr show whether the transaction was completed with BankID High (BID), BankID on Mobile (BIM) or Biometric (BIS):

```json
{
  "acr": "urn:signicat:oidc:method:nbid-biometric",
  "sub": "pc_Chm_FISDkwcSSryfWTpHgK3G6pax4",
  "aud": "demo-preprod",
  "nbf": 1677057181,
  "amr": "urn:signicat:names:SAML:2.0:ac:nbid-oidc",
  "auth_time": 1677057172,
  "nbid_amr": "BIS",
  "iss": "https://preprod.signicat.com/oidc",
  "exp": 1677060781,
  "iat": 1677057181,
  "nbid_acr": "urn:bankid:bis;LOA=3"
}
```
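A relying party should not treat every successful BankID login alike: the level of assurance section on this page notes that some actions (KYC onboarding, handling health information) need a higher level than BankID Biometric provides. The following is an added example, not Signicat's code, of a policy check over the decoded ID token claims shown above. It assumes your OIDC library has already verified the JWT signature and given you the claims as a dictionary; the BID/BIM/BIS to assurance-level mapping comes from the product table on this page, while the per-action policy (`REQUIRED_LEVEL`), the `authorize` function and the `now` timestamp are constructed for the example.

```python
"""Policy check on BankID claims from a Signicat OIDC ID token.

Added example, not Signicat's code. Signature verification is assumed to have
been done by the OIDC library; this only inspects the decoded claims.
"""
from dataclasses import dataclass
from typing import Any, Mapping, Optional, Tuple

# Ordering used for comparisons between assurance levels.
LEVELS = {"low": 1, "substantial": 2, "high": 3}

# nbid_amr value -> assurance level declared by BankID (from the page's product table).
NBID_AMR_LEVEL = {
    "BID": "high",         # BankID High
    "BIM": "high",         # BankID on Mobile
    "BIS": "substantial",  # BankID Biometric
}

# Assumed per-action policy for this example; adapt to your own risk assessment.
REQUIRED_LEVEL = {
    "view_account": "substantial",
    "kyc_onboarding": "high",
    "share_health_information": "high",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    level: Optional[str]
    reason: str


def parse_nbid_acr(acr: str) -> Tuple[str, Optional[int]]:
    """Split 'urn:bankid:bis;LOA=3' into the method token ('bis') and BankID's LOA number."""
    head, _, tail = acr.partition(";")
    method = head.rsplit(":", 1)[-1]
    loa = None
    for part in tail.split(";"):
        key, _, val = part.partition("=")
        if key.strip().upper() == "LOA" and val.strip().isdigit():
            loa = int(val)
    return method, loa


def authorize(claims: Mapping[str, Any], action: str, *, issuer: str,
              client_id: str, now: int) -> Decision:
    """Decide whether the authentication behind these claims is strong enough for `action`."""
    # Token hygiene first: wrong issuer/audience or an expired token is never acceptable.
    if claims.get("iss") != issuer:
        return Decision(False, None, "issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return Decision(False, None, "audience mismatch")
    if now >= int(claims.get("exp", 0)):
        return Decision(False, None, "token expired")

    amr = claims.get("nbid_amr")
    level = NBID_AMR_LEVEL.get(amr)
    if level is None:
        return Decision(False, None, f"unknown nbid_amr {amr!r}")

    # nbid_acr must name the same BankID method as nbid_amr; disagreement is treated as tampering.
    method, _loa = parse_nbid_acr(str(claims.get("nbid_acr", "")))
    if method.upper() != amr:
        return Decision(False, level, "nbid_acr and nbid_amr disagree")

    needed = REQUIRED_LEVEL.get(action)
    if needed is None:
        return Decision(False, level, f"unknown action {action!r}")
    if LEVELS[level] < LEVELS[needed]:
        return Decision(False, level, f"{action} requires {needed}, got {level}")
    return Decision(True, level, "ok")


# ID token claims from the BankID Biometric example on this page.
SAMPLE_CLAIMS = {
    "acr": "urn:signicat:oidc:method:nbid-biometric",
    "sub": "pc_Chm_FISDkwcSSryfWTpHgK3G6pax4",
    "aud": "demo-preprod",
    "nbf": 1677057181,
    "amr": "urn:signicat:names:SAML:2.0:ac:nbid-oidc",
    "auth_time": 1677057172,
    "nbid_amr": "BIS",
    "iss": "https://preprod.signicat.com/oidc",
    "exp": 1677060781,
    "iat": 1677057181,
    "nbid_acr": "urn:bankid:bis;LOA=3",
}

if __name__ == "__main__":
    # `now` is a constructed timestamp inside the token's validity window.
    for action in REQUIRED_LEVEL:
        print(action, authorize(SAMPLE_CLAIMS, action,
                                issuer="https://preprod.signicat.com/oidc",
                                client_id="demo-preprod", now=1677057200))
```

With the sample claims, `view_account` is allowed while `kyc_onboarding` and `share_health_information` are refused with the reason that they require "high" and the token only carries "substantial". The check deliberately derives the level from `nbid_amr` and uses `nbid_acr` only as a consistency cross-check, so a token where the two disagree is rejected rather than silently trusted.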

# UserInfo response

```json
{
    "sub": "CFDYK4HTswyUv_irCNmHzKB4Gf_bdDf5",
    "birthdate": "1990-02-17",
    "name": "Karpedamsvik, Anders Test",
    "signicat.national_id": "1702901234",
    "given_name": "Anders Test",
    "locale": "NO",
    "signicat.certificate_unique_id": "9578-6000-4-74120",
    "family_name": "Karpedamsvik"
}
```

# More OIDC response examples

For more BankID response examples, also including defined scopes, see the OIDC response examples page.

Last updated: 20/09/2023 12:20 UTC