NemID

About NemID

NemID is a collaboration between the Danish banks and the Danish public sector. This alliance forms a countrywide solution and provides a secure login mechanism for websites wanting to utilize the free-of-charge digital ID for all citizens in Denmark. As of January 2020, a total of five million Danish citizens have ordered a NemID. NemID is run by Nets DanID.

Establishment

This process description shows the interaction between the customer, Nets DanID and Signicat Operations when developing and establishing a web application using NemID. The process contains descriptions of all the players’ tasks.

Signicat will be happy to assist you in ordering and setting up NemID.

The documentation from Nets DanID referred to in this process description is mainly in Danish. For a complete NemID documentation package in English, see The NemID Service Provider Package (external link).

For more information about how to become a NemID customer, see Guide: Order NemID Service Provider (external link).

Process overview

  1. Customer signs agreement with Signicat AS
  2. Customer signs agreements with Nets DanID
  3. Customer develops technical integration with Id.signicat
  4. Customer orders access to the test environment
  5. Customer performs acceptance test in test environment
  6. Customer orders VOCES and access to production environment
  7. Signicat configures customer integration in production environment
  8. Customer performs the acceptance test in production environment

1. Customer signs agreement with Signicat AS

The customer signs an agreement with Signicat AS. This agreement specifies, among other things:

  • the Service Level (SLA) between the customer and Signicat AS
  • the number of ID methods (authentication, signing, verification, etc)
  • the number of ID solutions (NemID, Net-ID, BankID, etc)
  • the number of graphical profiles the customer needs

2. Customer signs agreements with Nets DanID

The customer signs the following agreements with Nets DanID:

  • A NemID service provider agreement.
  • If the customer needs to receive CPR numbers (Danish national identification numbers) of the end-users, an agreement to use the PID/CPR service must also be signed. There are two different modes of PID-CPR access:
    • Match: This mode requires the end-user to type his or her CPR number in your web application, and also requires the user’s explicit consent. The CPR number and PID number (retrieved from the user’s NemID login) are transmitted to and matched in the PID/CPR service. A simple true/false is returned to the web application.
    • Lookup: From the end-user’s NemID login the PID-number is retrieved and transmitted to the PID/CPR service. The PID/CPR service returns the corresponding CPR number to the web application. The user is not involved in the retrieval in any way.
      NB! This option is only available for public enterprises and authorities.

For more information about the agreements, and to download and fill in the agreement forms, see NemID medarbejdersignatur.

3. Customer develops technical integration with Id.signicat

NB! This step only applies to new customers of Signicat or existing customers without integration to Id.signicat.

When the relevant agreements with Signicat and Nets DanID are signed, the customer should begin developing a standard technical integration with Id.signicat. This includes:

  • Technical development with one of the Signicat client kits
  • Establishing one or more graphical profiles
  • Testing the integration

4. Customer orders access to the test environment

4.1 Signicat sets up test environment

Signicat will set up a test environment with Signicat’s pre-production VOCES unless otherwise specified. No customer action is needed for this step.

4.2 Customer orders test users

This step is performed after 4.1. Do the following:

  • For each test user, the customer must enter a series of information (e.g. CPR number, name, address, etc.) in the order form. For more information about how to use the test tools, see the guideline Vejledning i brug af test tools.

5. Customer performs acceptance test in the test environment

The test should cover all aspects of the customer NemID integration in Signicat’s test environment, i.e.:

  • Authentication/signature with valid test certificates
  • Authentication/signature with revoked test certificates
  • Authentication/signature with locked test certificates

You can find an extensive guide on testing your NemID integration on Guide: Test og implementering af NemID (external link).

6. Customer orders VOCES and access to the production environment

All companies in Denmark are eligible to issue a Virksomhedssignatur (VOCES). If you do not have an entry in the Danish company register (CVR), it is still possible to get access to NemID. Contact Signicat for more information if this is the case.

Your NemID Administrator must issue and order the VOCES certificate. The customer agreement is a matter strictly between Nets DanID and the customer, hence Signicat cannot place the order on the customer’s behalf.

If you do not know who your NemID administrator is, follow this recipe (external link).

NB! If the customer already has a VOCES certificate that is used somewhere else, it cannot be reused. The reason for this is that Signicat would have no way of guaranteeing the integrity of the certificate.

Important tasks in this step:

  1. The NemID administrator orders a VOCES certificate for the production environment. This is done by following the guide Order NemID Service Provider (external link). When filling out the order form, the NemID administrator must list the Signicat onboarding manager as the technical contact person.
  2. The technical contact person receives an email with the activation link to the VOCES certificate.
  3. The NemID administrator must send a temporary access code to the technical contact person via a secure channel. For instructions on how to acquire this code, follow steps 4 and 5 on the NemID VOCES renewal page.

7. Signicat configures the customer’s integration in the production environment

Important tasks in this step:

  • Signicat receives the email containing the activation link and the activation PIN code for the VOCES certificate for production, from Nets DanID or the customer (according to customer’s contract with Nets DanID)
  • Signicat downloads and activates the VOCES certificate for production, using the activation link and PIN code.
  • Signicat establishes the customer configuration for the NemID integration in Signicat’s production environment, and installs the VOCES certificate.

8. Customer performs the acceptance test in the production environment

The test should cover all aspects of the NemID integration for the customer in Signicat’s production environment.

Certificates

Merchant certificate

A merchant certificate (signature) represents your business and is used by the web application to communicate securely on your behalf. Merchant certificates for NemID are called VOCES (“Virksomheds OCES” or “Virksomhedssignatur”). There are different merchant certificates for the pre-production and production environment.

Merchant certificates for the pre-production environment are free while there is a fee for the production merchant certificate.

For an order form, see NemID customer certificate (external link).

Employee certificate

An employee signature is a personal certificate, but it is associated with your company. With an employee signature, you may sign on behalf of your company.

To order a NemID employee certificate, see NemID Medarbejdersignatur (external link).

Personal certificate

NemID is the new Danish eID solution for use on both public and private services on the web.

End-users may order their personal digital signature on the NemID page (external link).

Production environment

In order to go into production with NemID, your company will need the following:

  • A service provider agreement with Nets DanID
  • An agreement to use the PID-CPR service (optional, but necessary if you need to receive CPR numbers from the users).
  • Agreement to use their production environment.
  • A VOCES merchant certificate for production.

VOCES merchant certificate for production

For a VOCES order form, see NemID medarbejdersignatur.

You need to specify:

  • CPR number of the merchant
  • Name/friendly name of the application (service name, department name, etc)
  • Technical contact person (name and email address)
  • Granted person (name and email address)
  • Email address associated with the VOCES certificate (merchant, department, etc. email address)
  • Comments

Typical login and signature screenshots

This page contains screenshots of a typical login session and signature session. The actual screens may have a different graphical profile in your setup.

The graphical interface in Signicat’s NemID product consists of the standard NemID applet as it is delivered from Nets DanID, plus a “CPR step” that Signicat has developed. The standard NemID steps are shown in paragraphs 1-3 on this page, while the CPR step is described in paragraph 4.

Login session

The pictures below illustrate the login/authentication process with NemID.

1. Provide user ID and secret code

The user provides his/her user ID and secret code. The user ID may be the user’s CPR number, a unique NemID number, or a username chosen by the user him-/herself. Such a username may be created on the first use of NemID.

2. Provide one-time key

The user provides a one-time code from his/her code card.

3. Process the user’s input data

NemID processes the input data from the user.

4. Provide CPR number

The standard NemID applet returns only a number called PID to the merchant, and not the CPR number, which is needed in most cases. The PID is a number that identifies the end-user uniquely. It is internal and specific to the NemID systems.

In order to retrieve the user’s CPR number, Nets DanID’s PID-to-CPR service must be used. The PID-to-CPR service has two different modes: lookup and match:

  • In lookup mode, the CPR number is extracted by the service using the PID as the key (requires no user interaction).
  • In match mode, the end-user has to enter his/her CPR number. The number entered by the user is matched against the CPR number that is extracted by the PID-to-CPR service. If the CPR numbers are equal, the user can continue.

Danish legislation has determined that only public merchants are allowed to use the PID-to-CPR service in lookup mode. Private merchants have to use the PID-to-CPR service in match mode.

Signicat’s graphical interface to the PID-to-CPR service is shown in the picture below.

It enables the user to enter the CPR number, then matches it against the PID-to-CPR service. This step is invisible if the PID-to-CPR service is configured to run in lookup mode.

Ultimately, the user is allowed to store the CPR number in Signicat’s system. If the user chooses to store the CPR, he/she will avoid this step in the future.

Signicat stores the CPR numbers as long as the user is active, but if the user stops using the service for a while, the CPR number will be deleted after a certain time. A batch job runs every night and deletes all CPR numbers that have been unused for 3 months or more. The limit of 3 months is consistent with the Norwegian legislation.
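
The retention rule described above, as an added example (not Signicat's code): the last-used timestamp is refreshed each time a stored CPR number is used, and the nightly purge removes entries whose last use is three calendar months old or older. The class and method names, the in-memory store and the sample users are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not Signicat code. An in-memory dictionary stands in for
// whatever persistent store a real system would use.
public sealed class CprRetentionStore
{
    private const int RetentionMonths = 3;

    // Hypothetical user id -> stored CPR number and the time it was last used (UTC).
    private readonly Dictionary<string, (string Cpr, DateTime LastUsedUtc)> _entries =
        new Dictionary<string, (string Cpr, DateTime LastUsedUtc)>();

    public void Store(string userId, string cpr, DateTime nowUtc)
    {
        _entries[userId] = (cpr, nowUtc);
    }

    // Returns the stored CPR number and restarts the retention clock for that user.
    public bool TryUse(string userId, DateTime nowUtc, out string cpr)
    {
        if (_entries.TryGetValue(userId, out var entry))
        {
            _entries[userId] = (entry.Cpr, nowUtc);
            cpr = entry.Cpr;
            return true;
        }
        cpr = string.Empty;
        return false;
    }

    // Nightly job: delete every entry unused for three months or more.
    // The comparison is inclusive, so an entry last used exactly three
    // calendar months before 'nowUtc' is deleted.
    public int PurgeUnused(DateTime nowUtc)
    {
        DateTime cutoff = nowUtc.AddMonths(-RetentionMonths);
        // Collect the keys first; a dictionary cannot be modified while enumerated.
        List<string> expired = _entries
            .Where(e => e.Value.LastUsedUtc <= cutoff)
            .Select(e => e.Key)
            .ToList();
        foreach (string userId in expired)
        {
            _entries.Remove(userId);
        }
        return expired.Count;
    }

    public static void Main()
    {
        // Constructed sample data; the CPR values are placeholders, not real numbers.
        var store = new CprRetentionStore();
        var january = new DateTime(2020, 1, 15, 9, 0, 0, DateTimeKind.Utc);
        store.Store("alice", "<cpr-a>", january);  // never used again
        store.Store("bob", "<cpr-b>", new DateTime(2020, 3, 1, 2, 0, 0, DateTimeKind.Utc));
        store.Store("carol", "<cpr-c>", january);
        store.TryUse("carol", new DateTime(2020, 5, 20, 9, 0, 0, DateTimeKind.Utc), out _);

        // Nightly run on 1 June: alice and bob are purged (bob sits exactly on the
        // three-month boundary); carol stays because she used the service in May.
        var runAt = new DateTime(2020, 6, 1, 2, 0, 0, DateTimeKind.Utc);
        Console.WriteLine("Purged: " + store.PurgeUnused(runAt));
        Console.WriteLine("carol kept: " + store.TryUse("carol", runAt, out _));
    }
}
```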

Signature session

The process below illustrates a very basic process of how to sign a PDF document with NemID. With Id.Signicat, the graphical design can be customized so that the signature process appears to be a part of the merchant’s web application. The process contains the following steps:

  1. Select the PDF document that should be signed. This depends on how the application is designed.
  2. Open and read the PDF document, select “Fortsæt” (Continue).
  3. Confirm that you have read and understood the contents of the document, using your NemID userid and password.
  4. Confirm the signature with the requested one-time code from your code card.
  5. Provide your CPR number

The PDF document is now signed.

Step 1: Select PDF document

Step 2: Open and read the PDF document

Step 3: Confirm that you have read the document

Step 4: Enter the requested OTP code

Step 5: Provide your CPR number

Creating a simple signing order with one subject

The C# example has been updated for compatibility with DocumentService-v3.

// Use the DocumentService to create a signing order request.
// A signing order may contain several documents, tasks and subjects (people).
// This is a simple example where one subject must sign one document
// and where the result is a plain NemID SDO (Signed Document Object)
[TestMethod]
public void How_to_create_a_simple_document_order_with_one_subject_and_one_document_using_Danish_NemID()
{
    // The document id is what you get in response when uploading a document to the SDS
    string documentId = "04092013551868wie4tdlw9n8e6s834f3iwm92yq5i8d3gkgqit3vpm6ed";
    var request = new createrequestrequest
    {
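        // Credentials for the demo service; a real integration should load its own
        // from protected configuration rather than keeping them in source code.
        password = "Bond007",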
        service = "demo",
        request = new request[]
         {
             new request
             {
                 clientreference = "cliref1",
                 language = "da",
                 profile = "demo",
                 document = new document[]
                 {
                     new sdsdocument
                     {
                         id = "doc_1",
                         refsdsid = documentId,
                         description = "Terms and conditions"
                     }
                 },
                 subject = new subject[]
                 {
                     new subject
                     {
                         id = "subj_1",
                         nationalid = "1909740939"
                     }
                 },
                 task = new task[]
                 {
                     new task
                     {
                         id = "task_1",
                         subjectref = "subj_1",
                         bundleSpecified = true,
                         bundle = false,
                         documentaction = new documentaction[]
                         {
                              new documentaction
                              {
                                  type = documentactiontype.sign,
                                  documentref = "doc_1"
                              }
                         },
                         signature = new signature[]
                         {
                             new signature
                             {
                                 responsiveSpecified=true,
                                 responsive = true,
                                 method = new method[]
                                 {
                                     new method
                                         {
                                            value = "nemid-sign"
                                         }
                                 }
                             }
                         }
                     }
                 }
             }
         }
    };
    createrequestresponse response;
    using (var client = new DocumentEndPointClient())
    {
        response = client.createRequest(request);
    }
    // Check the response before dereferencing it to build the signing URL.
    Assert.IsNotNull(response);
    Assert.IsNull(response.artifact);
    Assert.IsNotNull(response.requestid);
    // The subject is sent to this URL to perform the signing task.
    String signHereUrl =
        String.Format("https://preprod.signicat.com/std/docaction/demo?request_id={0}&task_id={1}",
            Uri.EscapeDataString(response.requestid[0]),
            Uri.EscapeDataString(request.request[0].task[0].id));
    Console.WriteLine(signHereUrl);
}

NemID for citizens

NemID offers free-of-charge secure identification of all Danish citizens, but with a transaction fee for the merchant. NemID has already, to a large extent, replaced the older Danish Digital Signature for citizens and will continue to do so.

The NemID ID solution guarantees the identification of the sender and receiver of information, and ensures secure encryption of personal internet transactions and emails. NemID can be used from any computer regardless of where in the world the user is, as long as the user has the code card.

The Signicat integration can include a lookup in the “PID/CPR service”, which returns the CPR number of the end-user. Please contact Signicat for establishing an agreement for the use of NemID.

NemID Employee signature

NemID Employee signature targets private enterprises as well as government agencies and authorities.

NemID Employee signature is available to all Danish enterprises having a Danish CVR number. Though the first 3 NemID Employee Signatures are free of charge, adding more options and complexity will result in a fee to Nets DanID.

NemID Employee signature is a personal signature and it identifies you as an employee in a specific enterprise.

To be able to use this infrastructure (e.g. verifying a login or checking the validity of email signing/encryption) an agreement/contract must be made between you, the customer, and Nets DanID.

Signicat’s NemID integration

The technical integration with Id.signicat will be the same as with the other ID solutions. If you already have an integration with Id.signicat, you may also integrate with NemID without any changes, except for the URL your application sends to Id.signicat.

This assumes that there is no eID-specific management in your web application.

Test information

NemID test environment

Regardless of whether you have already signed a service provider agreement with Nets DanID or are considering becoming a NemID service provider, Nets DanID will need some information about your company in order to give you access to the NemID test environment.

It is a prerequisite for accessing the NemID test environment that you have a test company signature (test VOCES), since a production company signature cannot be used in the test environment. If you already have a test Corporate Signature, you can use it. Alternatively, you may order one from Nets DanID.

Friendly Name

The Friendly Name field will be displayed in the NemID applet to identify the service provider that the user tries to access. The user would, for example, be able to read, “You are now logging on as Acme Corp” where Acme Corp constitutes the Friendly name. Note: Nets DanID makes a concrete assessment of whether the Friendly name is correct.

CVR/UID from the test VOCES certificate to test system

The CVR/UID of the test VOCES certificate can be found in the certificate details: under properties, the “Subject” field contains a serial number (serialNumber) attribute, and the value for CVR/UID can be read there.
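
One way to read the CVR and UID out of the Subject string shown in the certificate details, as an added example that is not Signicat's or Nets DanID's code. It assumes the serialNumber value has the form CVR:<8 digits>-UID:<digits>; the class name and the sample subject are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not Signicat or Nets DanID code.
public static class VocesSubject
{
    // Assumed layout of the serialNumber value: "CVR:<8 digits>-UID:<digits>".
    private static readonly Regex SerialValue = new Regex(
        @"\ACVR:(?<cvr>[0-9]{8})-UID:(?<uid>[0-9]+)\z", RegexOptions.CultureInvariant);

    // Splits a subject string into "type=value" attributes. ',' separates RDNs and
    // '+' joins the attributes of a multi-valued RDN; a separator inside a quoted
    // or backslash-escaped value belongs to the value and must not split it.
    private static IEnumerable<string> SplitAttributes(string subject)
    {
        var current = new StringBuilder();
        bool inQuotes = false;
        for (int i = 0; i < subject.Length; i++)
        {
            char c = subject[i];
            if (c == '\\' && i + 1 < subject.Length)
            {
                current.Append(c).Append(subject[++i]); // keep the escaped character
            }
            else if (c == '"')
            {
                inQuotes = !inQuotes;
                current.Append(c);
            }
            else if (!inQuotes && (c == ',' || c == '+'))
            {
                yield return current.ToString();
                current.Clear();
            }
            else
            {
                current.Append(c);
            }
        }
        yield return current.ToString();
    }

    // Returns the CVR and UID from the subject's single serialNumber attribute.
    public static (string Cvr, string Uid) Parse(string subject)
    {
        if (string.IsNullOrWhiteSpace(subject))
            throw new FormatException("Subject is empty.");
        var serials = new List<string>();
        foreach (string attribute in SplitAttributes(subject))
        {
            int eq = attribute.IndexOf('=');
            if (eq < 0) continue;
            string type = attribute.Substring(0, eq).Trim();
            // Certificate viewers label the attribute by name or by its OID, 2.5.4.5.
            if (type.Equals("serialNumber", StringComparison.OrdinalIgnoreCase) ||
                type == "2.5.4.5" ||
                type.Equals("OID.2.5.4.5", StringComparison.OrdinalIgnoreCase))
            {
                serials.Add(attribute.Substring(eq + 1).Trim());
            }
        }
        if (serials.Count != 1)
            throw new FormatException("Expected one serialNumber attribute, found " + serials.Count + ".");
        Match m = SerialValue.Match(serials[0]);
        if (!m.Success)
            throw new FormatException("serialNumber is not in CVR:...-UID:... form.");
        return (m.Groups["cvr"].Value, m.Groups["uid"].Value);
    }

    public static void Main()
    {
        // Constructed sample subject; the CVR and UID values are made up.
        string subject = "CN=Acme Corp - test + SERIALNUMBER=CVR:12345678-UID:87654321, " +
                         "O=Acme Corp // CVR:12345678, C=DK";
        var id = Parse(subject);
        Console.WriteLine("CVR=" + id.Cvr + " UID=" + id.Uid);
    }
}
```

Reading the attribute by type, rather than searching the whole subject for "CVR:", matters because other attributes (the organisation name in the sample) can carry similar-looking text.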

Service provider package

Once agreements are signed, you must fill out a form for establishing the service provider so that you receive access to the right systems at Nets DanID. You can find this form together with your service provider package, which also provides information and software for use in the testing phase.

Creating test users

Nets DanID has developed a tool that enables service providers to create the test users they want themselves. With this tool you can create a new test user with a key card and temporary password and see transaction logs for a specific test user. The tool also automatically ensures that a new key card is granted when there are only 20 keys left on the key card. Below you can see the step-by-step process of how to create a test user.

1. Gain access to Nets DanID’s developer environment – https://appletk.danid.dk/developers/

To obtain test users, it’s a requirement that your company’s IP address(es) are whitelisted by Nets DanID.

Access requires a provider agreement (tjenesteudbyderaftale) with Nets DanID. If you don’t have this, you may apply and fill in your IP addresses here: https://www.nets.eu/dk-da/l%C3%B8sninger/nemid/nemid-tjenesteudbyder/Pages/bestil.aspx (Danish).

If you have an existing provider agreement (tjenesteudbyderaftale) with Nets DanID and you can’t access the page mentioned above, please contact NemID Service Provider Support at https://www.nets.eu/dk-da/kundeservice/nemid-tjenesteudbyder/Pages/Contact-NemID-serviceprovider-support.aspx to have your IPs added (max. 10 per company).

2. Create a NemID test user

Go to https://appletk.danid.dk/developers/

  • Click “Autofill” to fill all fields with valid test data
  • Change alias (username) and password to whatever you’d like
  • Click “Create new identity” and wait

3. Get an overview of the user

After clicking Submit, you’re redirected to the overview page — this page should be bookmarked. From here you can issue new OTP cards and find other useful data about your test user. The username (alias) you created will allow you to look up this page again. The CPR number here will be important for authentication with CPR/PID checks, so make sure you save it.

4. Save the link to the OTP card

Now click the OTP card link — this will send you to this user’s OTP card page. You’ll want to bookmark this for future use, as the codes here are necessary for NemID authentications.

5. Congratulations

Congratulations, the registration process is now complete! You may now use your new NemID for NemID authentication. Again — please remember to save your password, user ID, CPR number and OTP card link. Signicat will not be able to help you recover any data or user, so store the information safely. To reiterate, this is the order in which you will need your test user information when authenticating with NemID:

  • Fill in username and password
  • Refer to your OTP card link to find the serial which corresponds with the number presented in the NemID window
  • Fill in your CPR number if/when prompted

Recommended test procedures

See Nets DanID’s recommended test procedures.

Error codes

nemid errorcodes.xlsx contains an overview of the error codes from NemID.

Browser/platform support

For a complete list of supported browsers, please visit this page on www.nemid.nu (in Danish).

External sources

Frequently asked questions (FAQ)