Danish NemID

About Danish NemID

NemID is a collaboration between the Danish banks and the Danish public sector. This alliance forms a countrywide solution and is set to be the new, secure login mechanism for internet sites wanting to utilize the free-of-charge digital ID for all citizens in Denmark. As of January 2011, a total of three million Danish citizens had ordered a NemID.

Establishment

This process description shows the interaction between the Customer, DanID and Signicat Operations when developing and establishing a Web application using Danish NemID. The process contains descriptions of all the players’ tasks.

Signicat will be happy to assist you in ordering and setting up Danish NemID.

The documentation from DanID referred to in this process description is mainly in Danish. However, a complete documentation package on NemID in English is available from this page (external link).

Read this page on DanID’s website on how to become a NemID merchant (external link).

Process overview

  1. Customer signs agreement with Signicat AS
  2. Customer signs agreements with DanID
  3. Customer develops technical integration with Id.signicat
  4. Customer orders VOCES and access to test environment
  5. DanID establishes service provider in test environment
  6. Signicat configures customer integration in test environment
  7. Customer performs acceptance test in test environment
  8. Customer orders VOCES and access to production environment
  9. Signicat configures customer integration in production environment
  10. Customer performs the acceptance test in production environment

1. Customer signs agreement with Signicat AS

The Customer signs an agreement with Signicat AS. This agreement specifies:

  • the Service Level (SLA) between the Customer and Signicat AS
  • the number of ID-methods (authentication, signing, verification, etc)
  • the number of ID-solutions (NemID, Net-ID, BankID, etc)
  • the number of graphical profiles the Customer needs
  • etc

2. Customer signs agreements with DanID

The Customer signs the following agreements with DanID:

  • A NemID service provider agreement.
  • If the Customer needs to receive CPR numbers (Danish national identification numbers) of the end-users, an agreement to use the PID/CPR-service must also be signed. There are two different modes of PID-CPR access:
    • Match: This mode requires the end-user to type his or her CPR-number in your web application, and also requires the user’s explicit consent. The CPR-number and PID-number (retrieved from the user’s NemID login) are transmitted to and matched in the PID/CPR-service. A simple true/false is returned to the web application.
    • Lookup: The PID-number is retrieved from the end-user’s NemID login and transmitted to the PID/CPR-service. The PID/CPR-service returns the corresponding CPR-number to the web application. The user is not involved in the retrieval in any way.
      NB! This option is only available for public enterprises and authorities.

Select this page to get detailed information about the agreements, and to download and fill in the agreement forms.

3. Customer develops technical integration with Id.signicat

NB! This step only applies to new customers of Signicat or existing customers without integration to Id.signicat.

When the relevant agreements with Signicat and DanID are signed, the Customer should begin developing a standard technical integration with Id.signicat. This includes:

  • A technical development with one of the Signicat client kits
  • Establishing one or more graphical profiles
  • Testing the integration

4. Customer orders access to the test environment and VOCES

4.1 Customer orders access to DanID test environment

Important tasks in this step:

  • Get permission to access DanID’s test environment for NemID. Fill out the order form on this page (external link).
  • If the Customer wants DanID to provide a VOCES test certificate to access the test system, be sure to select this option in the order form.
  • The Customer receives a confirmation email from DanID containing
    • a link for obtaining a VOCES test certificate for the test environment,
    • a link to a form (TestTool) for ordering test users.

4.2 Customer orders test users

This step is performed after 4.1. Important tasks in this step:

  • For each test user, the Customer must enter a series of information (e.g. CPR number, name, address etc.) in the order form. Please refer to the documentation “Vejledning I brug af test tools” (Guidelines on the use of test tools) on this page (external link) on how to use the TestTool.

5. DanID establishes service provider in the test environment

This step normally takes place 14 days after 4.2. Important tasks in this step:

  • DanID establishes a service provider configuration for the Customer in their test environment.
  • DanID sends an email with an activation link for the VOCES certificate to the technically responsible person (according to Customer’s contract with DanID).
  • DanID sends an email containing the test users with OTP codes to the technically responsible person.

6. Signicat configures customer integration in the test environment

Important tasks in this step:

  • Signicat receives the email containing the activation link for the VOCES certificate from DanID or the Customer (according to Customer’s contract with DanID). If the Customer is the recipient of the e-mail, then it must be forwarded to Signicat.
  • Signicat downloads and activates the VOCES certificate for test, using the activation link.
  • Signicat establishes a NemID configuration for the Customer’s integration in Signicat’s test environment.

7. Customer performs acceptance test in the test environment

The test should cover all aspects of the Customer NemID integration in Signicat’s test environment, i.e.:

  • Authentication/signature with valid test certificates
  • Authentication/signature with revoked test certificates
  • Authentication/signature with locked test certificates

An extensive guide on testing your NemID integration can be found on this page (external link).

8. Customer orders VOCES and access to the production environment

8.1 Customer orders VOCES for production

NB! This step only applies to customers that don’t have a VOCES certificate for production.

Important tasks in this step:

  1. The Customer or Signicat orders a VOCES certificate for the production environment. This is done by filling out the order form on this page (external link).
  2. The technically responsible person receives an email with the activation link to the VOCES certificate. A letter containing a PIN code, which is required for activating the VOCES certificate, will also be sent from DanID.
  3. The technically responsible person (if he/she is not a person at Signicat) must forward the email to support@signicat.com. The PIN code (from the letter) must also be sent to Signicat, via SMS or mail.

8.2 Customer orders access to DanID production environment

This step requires that the Customer has a VOCES certificate for production.

  • The Customer sends a request to DanID for permission to access the NemID production environment. This is done by filling out the order form on this page (external link).
  • When the production date approaches (according to Customer’s contract with DanID), access to the production environment will be opened.

9. Signicat configures the Customer’s integration in the production environment

Important tasks in this step:

  • Signicat receives the email containing the activation link and the activation PIN code for the VOCES certificate for production, from DanID or the Customer (according to Customer’s contract with DanID)
  • Signicat downloads and activates the VOCES certificate for production, using the activation link and PIN code.
  • Signicat establishes the Customer configuration for the NemID integration in Signicat’s production environment, and installs the VOCES certificate.

10. Customer performs the acceptance test in the production environment

The test should cover all aspects of the NemID integration for the Customer in Signicat’s production environment.

Certificates

Merchant certificate

A merchant certificate (signature) represents your business, and is used by the web application to communicate securely on your behalf. Merchant certificates for NemID are called VOCES (“Virksomheds OCES” or “Virksomhedssignatur”). There are different merchant certificates for the preproduction and production environment.

Merchant certificates for the preproduction environment are free, while there is a fee for a production merchant certificate.

This page (external link) contains an order form for ordering a NemID merchant certificate.

Employee certificate

An employee signature is a personal certificate, but it is associated with your company. With an employee signature, you may sign on behalf of your company.

This page (external link) contains an order form for ordering a NemID employee certificate.

Personal certificate

NemID is the new Danish eID solution for use on both public and private services on the web.

End users may order their personal digital signature on this page (external link).

Production environment

In order to go into production with NemID, your company will need the following:

  • A service provider agreement with DanID
  • An agreement to use the PID-CPR service (optional, but necessary if you need to receive CPR-numbers from the users).
  • Agreement to use their production environment.
  • A VOCES merchant certificate for production.

VOCES merchant certificate for production

Click this link to access the VOCES order form.

You need to specify:

  • CPR-number of the merchant
  • Name/friendly name of the application (service name, department name, etc)
  • Technical contact person (name and email address)
  • Granted person (name and email address)
  • Email address associated with the VOCES certificate (merchant, department, etc email address)
  • Comments

Typical login and signature screenshots

This page contains screenshots of a typical login session and signature session. The actual screens may have a different graphical profile in your setup.

The graphical interface in Signicat’s NemID product consists of the standard NemID applet as it is delivered from DanID, plus a “CPR step” that Signicat has developed. The standard NemID steps are shown in paragraphs 1-3 on this page, while the CPR-step is described in paragraph 4.

Login session

The pictures below illustrate the login/authentication process with NemID.

1. Provide user-id and secret code

The user provides his/her user-id and secret code. The user-id may be the user’s CPR-number, a unique NemID number, or a username chosen by the user him-/herself. Such a username may be created on the first use of NemID.

2. Provide one-time key

The user provides a one-time code from his/her code card.

3. Process user’s input data

NemID processes the input data from the user.

4. Provide CPR-number

The standard NemID applet returns only a number called PID to the merchant, and not the CPR-number, which is needed in most cases. The PID is a number that identifies the end user uniquely, and is internal and specific to the NemID systems.

In order to retrieve the user’s CPR-number, DanID’s PID-to-CPR-service must be used. The PID-to-CPR-service has two different modes, lookup and match:

  • Lookup mode: the CPR-number is extracted by the service using the PID as key (requires no user interaction).
  • Match mode: the end user has to enter his/her CPR-number. The number entered by the user is matched against the CPR-number that is extracted by the PID-to-CPR-service. If the CPR-numbers are equal, the user can continue.

Danish legislation has determined that only public merchants are allowed to use the PID-to-CPR service in lookup mode. Private merchants have to use the PID-to-CPR service in match mode.

Signicat’s graphical interface to the PID-to-CPR service is shown in the picture below.

It enables the user to enter the CPR-number, then matches it against the PID-to-CPR service. This step is invisible if PID-to-CPR service is configured to run in lookup mode.

Finally, the user is allowed to store the CPR-number in Signicat’s system. If the user chooses to store the CPR-number, he/she will avoid this step in the future.

Signicat stores the CPR numbers as long as the user is active, but if the user stops using the service for a while, the CPR number will be deleted after a certain time. A batch job runs every night and deletes all CPR-numbers that have been unused for 3 months or more. The limit of 3 months is consistent with the Norwegian legislation.
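The storage and nightly deletion rule described above, modelled in C# as an added example (this is not Signicat's code). The CprStore type, its members and the PID values are hypothetical; the opt-in, the 3-month limit and the inclusive "or more" boundary come from the text.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration, not Signicat code. All type and member names are hypothetical.
public sealed class CprStore
{
    public const int RetentionMonths = 3; // limit stated in the text

    private sealed class Entry
    {
        public string Cpr;
        public DateTime LastUsedUtc;
    }

    private readonly Dictionary<string, Entry> _byPid = new Dictionary<string, Entry>();

    public int Count { get { return _byPid.Count; } }

    // Called after a successful CPR step. Nothing is kept unless the user opted in.
    public void Remember(string pid, string cpr, bool userOptedIn, DateTime nowUtc)
    {
        if (!userOptedIn) return;
        _byPid[pid] = new Entry { Cpr = cpr, LastUsedUtc = nowUtc };
    }

    // Called at login. A hit lets the user skip the CPR step and counts as use,
    // which restarts the retention clock. Null means the CPR step must be shown.
    public string TryUse(string pid, DateTime nowUtc)
    {
        Entry entry;
        if (!_byPid.TryGetValue(pid, out entry)) return null;
        entry.LastUsedUtc = nowUtc;
        return entry.Cpr;
    }

    // Nightly batch: delete every CPR number unused for 3 months or more.
    // "Or more" makes the cutoff inclusive. AddMonths clamps to the last day of
    // a shorter month, so 31 May minus 3 months is the last day of February.
    public int PurgeUnused(DateTime nowUtc)
    {
        DateTime cutoff = nowUtc.AddMonths(-RetentionMonths);
        List<string> expired = _byPid
            .Where(kv => kv.Value.LastUsedUtc <= cutoff)
            .Select(kv => kv.Key)
            .ToList();
        foreach (string pid in expired) _byPid.Remove(pid);
        return expired.Count;
    }
}

public static class CprStoreDemo
{
    private static DateTime Utc(int year, int month, int day, int hour)
    {
        return new DateTime(year, month, day, hour, 0, 0, DateTimeKind.Utc);
    }

    public static void Main()
    {
        // Constructed sample data: placeholder PIDs; the CPR values for PID-B and
        // PID-C are made up, the one for PID-A is the test value used on this page.
        var store = new CprStore();
        store.Remember("PID-A", "1909740939", true, Utc(2024, 1, 1, 1));
        store.Remember("PID-B", "0101010101", true, Utc(2024, 1, 1, 1));
        store.Remember("PID-C", "0202020202", false, Utc(2024, 1, 1, 1)); // no opt-in

        store.TryUse("PID-B", Utc(2024, 2, 15, 9)); // PID-B logs in again

        // Nightly runs at 02:00 UTC. On 1 April the cutoff is 1 January 02:00.
        Console.WriteLine("1 Apr purged: " + store.PurgeUnused(Utc(2024, 4, 1, 2)));
        Console.WriteLine("PID-A sees CPR step again: "
            + (store.TryUse("PID-A", Utc(2024, 4, 1, 9)) == null));
        // PID-B was last used 15 February 09:00, after the 15 May cutoff (15 Feb 02:00).
        Console.WriteLine("15 May purged: " + store.PurgeUnused(Utc(2024, 5, 15, 2)));
        Console.WriteLine("16 May purged: " + store.PurgeUnused(Utc(2024, 5, 16, 2)));
        Console.WriteLine("Entries left: " + store.Count);
    }
}
```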

Signature session

The process below illustrates a very basic process of how to sign a PDF-document with NemID. With Id.Signicat, the graphical design can be customized so that the signature process appears to be a part of the merchant’s web application. The process contains the following steps:

  1. Select the PDF-document that should be signed. This depends on how the application is designed.
  2. Open and read the PDF-document, select “Fortsæt” (Continue).
  3. Confirm that you have read and understood the contents of the document, using your NemID userid and password.
  4. Confirm the signature with the requested one-time code from your code card.
  5. Provide your CPR-number.

The PDF-document is now signed.

Step 1: Select PDF-document

Step 2: Open and read the PDF-document

Step 3: Confirm that you have read the document

Step 4: Enter the requested OTP code

Step 5: Provide your CPR-number

Creating a simple document order with one subject

The C# example has been updated for compatibility with DocumentService-v3.

// Use the DocumentService to create a document order request.
// A document order may contain several documents, tasks and subjects (people).
// This is a simple example where one subject must sign one document
// and where the result is a plain NemID SDO (Signed Document Object)
[TestMethod]
public void How_to_create_a_simple_document_order_with_one_subject_and_one_document_using_Danish_NemID()
{
    // The document id is what you get in response when uploading a document to the SDS
    string documentId = "04092013551868wie4tdlw9n8e6s834f3iwm92yq5i8d3gkgqit3vpm6ed";
    var request = new createrequestrequest
    {
        password = "Bond007",
        service = "demo",
        request = new request[]
         {
             new request
             {
                 clientreference = "cliref1",
                 language = "da",
                 profile = "demo",
                 document = new document[]
                 {
                     new sdsdocument
                     {
                         id = "doc_1",
                         refsdsid = documentId,
                         description = "Terms and conditions"
                     }
                 },
                 subject = new subject[]
                 {
                     new subject
                     {
                         id = "subj_1",
                         nationalid = "1909740939"
                     }
                 },
                 task = new task[]
                 {
                     new task
                     {
                         id = "task_1",
                         subjectref = "subj_1",
                         bundleSpecified = true,
                         bundle = false,
                         documentaction = new documentaction[]
                         {
                              new documentaction
                              {
                                  type = documentactiontype.sign,
                                  documentref = "doc_1"
                              }
                         },
                         signature = new signature[]
                         {
                             new signature
                             {
                                 responsiveSpecified=true,
                                 responsive = true,
                                 method = new method[]
                                 {
                                     new method
                                         {
                                            value = "nemid-sign"
                                         }
                                 }
                             }
                         }
                     }
                 }
             }
         }
    };
    createrequestresponse response;
    using (var client = new DocumentEndPointClient())
    {
        response = client.createRequest(request);
    }
    // Check the response before reading the request id from it
    Assert.IsNotNull(response);
    Assert.IsNull(response.artifact);
    Assert.IsNotNull(response.requestid);
    // URL for the signing task, built from the returned request id and the task id
    String signHereUrl =
        String.Format("https://preprod.signicat.com/std/docaction/demo?request_id={0}&task_id={1}", response.requestid[0], request.request[0].task[0].id);
    Console.WriteLine(signHereUrl);
}

NemID for citizens

NemID offers a free-of-charge secure identification of all Danish citizens, but with a transaction fee for the merchant. NemID has already, to a large extent, replaced the older Danish Digital Signature for citizens and will continue to do so.

The NemID ID solution guarantees the identification of sender and receiver of information, and ensures secure encryption of personal internet transactions and e-mails. NemID can be used from any computer regardless of where in the world the user is, as long as the user has the code card.

The Signicat integration can include a lookup in the “PID/CPR-service”, which returns the CPR number of the end-user. Please contact Signicat for establishing an agreement for the use of NemID.

NemID Employee signature

The NemID Employee signature is expected to be launched by DanID late 2011. It targets private enterprises as well as government agencies and authorities.

The NemID Employee signature is available to all Danish enterprises having a Danish CVR number. Though the first 3 NemID Employee Signatures are free of charge, adding more options and complexity will result in a fee to DanID.

The NemID Employee signature is a personal signature and it identifies you as an employee in a specific enterprise.

To be able to use this infrastructure (e.g. verifying a login or checking the validity of e-mail signing/encryption) an agreement/contract must be made between you, the customer, and DanID.

Signicat’s NemID integration

The technical integration with Id.signicat will be the same as with the other ID-solutions. If you already have an integration with Id.signicat, you may also integrate with NemID without any changes, except for the URL your application sends to Id.signicat.

This assumes that there is no eID-specific management in your web application.

Test information

NemID test environment

Regardless of whether you have already signed a service provider agreement with DanID or are considering becoming a NemID service provider, DanID will need some information about your company in order to give you access to the NemID test environment.

It is a prerequisite for accessing the NemID test environment that you have a test company signature (test VOCES), since a production company signature cannot be used in the test environment. If you already have a test Corporate Signature, you can use it; alternatively, you may order one from DanID.

Friendly Name

The Friendly Name field will be displayed in the NemID applet to identify the service provider that the user tries to access. The user would, for example, be able to read, “You are now logging on as Acme Corp” where Acme Corp constitutes the Friendly name. Note: DanID makes a concrete assessment of whether the Friendly name is correct.

CVR/UID from the test VOCES certificate to test system

Information about CVR/UID in the test VOCES certificate may be found in the certificate details. Under properties, the “Subject” field contains the serial number (serialNumber), and the value for CVR/UID can be read there.
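Reading the same CVR/UID value from code rather than from the certificate dialog, as an added C# example (not DanID's or Signicat's code). It takes the subject string as X509Certificate2.Subject renders it; the value layout CVR:<8 digits>-UID:<digits>, the type and method names and the sample subjects are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;

// Added illustration, not DanID or Signicat code. Names are hypothetical.
public static class VocesSubject
{
    // serialNumber attribute (OID 2.5.4.5) in a subject string as rendered by
    // X509Certificate2.Subject. It can sit anywhere in the name and can be part
    // of a multi-valued RDN ("SERIALNUMBER=... + CN=...").
    private static readonly Regex SerialAttribute = new Regex(
        @"(?:^|[,+])\s*(?:SERIALNUMBER|OID\.2\.5\.4\.5)\s*=\s*(?<value>[^,+]+)",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // Assumed value layout for a company certificate: CVR:<8 digits>-UID:<digits>.
    private static readonly Regex CvrUid = new Regex(
        @"^CVR:(?<cvr>[0-9]{8})-UID:(?<uid>[0-9]+)$", RegexOptions.CultureInvariant);

    // Returns false when the subject has no serialNumber attribute or when its
    // value is not a CVR/UID pair, so other certificate types are rejected.
    public static bool TryReadCvrUid(string subject, out string cvr, out string uid)
    {
        cvr = null;
        uid = null;
        if (string.IsNullOrEmpty(subject)) return false;

        Match attribute = SerialAttribute.Match(subject);
        if (!attribute.Success) return false;

        Match parts = CvrUid.Match(attribute.Groups["value"].Value.Trim());
        if (!parts.Success) return false;

        cvr = parts.Groups["cvr"].Value;
        uid = parts.Groups["uid"].Value;
        return true;
    }

    // Check before installing a certificate: it must carry the CVR number that
    // the service provider is registered with.
    public static bool BelongsToCompany(string subject, string expectedCvr)
    {
        string cvr, uid;
        return TryReadCvrUid(subject, out cvr, out uid)
            && string.Equals(cvr, expectedCvr, StringComparison.Ordinal);
    }
}

public static class VocesSubjectDemo
{
    public static void Main()
    {
        // Constructed subject strings; the CVR and UID values are made up.
        string[] subjects =
        {
            "SERIALNUMBER=CVR:12345678-UID:1234567890123 + CN=Acme Corp - test, O=Acme Corp, C=DK",
            "C=DK, O=Acme Corp, CN=Acme Corp - test, OID.2.5.4.5=CVR:12345678-UID:42",
            "CN=Someone Else, SERIALNUMBER=XYZ-0001, C=DK",
            "CN=No Serial, C=DK"
        };

        foreach (string subject in subjects)
        {
            string cvr, uid;
            bool found = VocesSubject.TryReadCvrUid(subject, out cvr, out uid);
            Console.WriteLine(found
                ? "CVR=" + cvr + " UID=" + uid
                : "no CVR/UID in: " + subject);
        }

        Console.WriteLine(VocesSubject.BelongsToCompany(subjects[0], "12345678"));
        Console.WriteLine(VocesSubject.BelongsToCompany(subjects[0], "87654321"));
    }
}
```

With a loaded certificate, pass its Subject property to TryReadCvrUid.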

Service provider package

Once agreements are signed, you must fill out a form for establishing a service provider so that you receive access to the right systems in DanID. You can find this form together with your service provider package, which also provides information and software for use in the testing phase.

Creating test users

DanID has developed a tool that enables service providers to create the test users they want themselves. With this tool you can create a new test user with key card and temporary password and see transaction logs for a specific test user. The tool also automatically ensures that new key cards are granted when there are only 20 keys left on the key card. Below you can see the step-by-step process of how to create a test user.

1. Gain access to DanID’s developer environment – https://appletk.danid.dk/developers/

To obtain test users, it’s a requirement that your company’s IP address(es) are whitelisted by Nets/DanID.

Access requires a provider agreement (tjenesteudbyderaftale) with Nets/DanID. If you don’t have this, you may apply and fill in your IPs here: https://www.nets.eu/dk-da/l%C3%B8sninger/nemid/nemid-tjenesteudbyder/Pages/bestil.aspx (Danish).

If you have an existing provider agreement (tjenesteudbyderaftale) with Nets/DanID and you can’t access the page mentioned above, please contact TU-support to have your IPs added (max 10 per company). https://www.nets.eu/dk-da/kundeservice/nemid-tjenesteudbyder/Pages/Contact-NemID-serviceprovider-support.aspx

2. Create a NemID test user

Go to https://appletk.danid.dk/developers/

  • Click “Autofill” to fill all fields with valid test data
  • Change alias (username) and password to whatever you’d like
  • Click “Create new identity” and wait

3. Get an overview of the user

After clicking Submit, you’re redirected to the overview page; this page should be bookmarked. From here you can issue new OTP cards and find other useful data about your test user. The username (alias) you created will allow you to look up this page again. The CPR number here will be important for authentication with CPR/PID checks, so make sure you save it.

4. Save the link to the OTP card

Now click the OTP card link; this will send you to this user’s OTP card page. You’ll want to bookmark this for future use, as the codes here are necessary for NemID authentications.

5. Congratulations

Congratulations, the registration process is now complete! You may now use your new NemID for NemID authentication. Again — please remember to save your password, user ID, CPR number and OTP card link. Signicat will not be able to help you recover any data or user, so store the information safely. To reiterate, this is the order in which you will need your test user information when authenticating with NemID:

  • Fill in username and password
  • Refer to your OTP card link to find the serial which corresponds with the number presented in the NemID window
  • Fill in your CPR number if/when prompted

Recommended test procedures

http://www.nets.eu/dk-da/Produkter/Sikkerhed/NemID-tjenesteudbyder/Documents/Nyheder/Recommended%20test%20procedures.pdf (in Danish) contains DanID’s recommended test procedures.

Error codes

nemid errorcodes.xlsx contains an overview of the error codes from NemID.

Browser/platform support

For a complete list of supported browsers, please visit this page on www.nemid.nu (NB! In Danish.).

External sources

Frequently asked questions (FAQ)