About Norwegian BankID
Signicat is the leading provider of Norwegian BankID in Norway with over 75% of the total BankID traffic. Signicat is delivering BankID to banks, consumer finance firms, insurance companies, government services as well as small and medium business segments.
Norwegian BankID (as well as Norwegian BankID on Mobile) is an electronic identity scheme in Norway that can be used for digital onboarding (Assure), authentication (Connect) and electronic signing (Sign) of documents. BankID is based on a coordinated infrastructure that is developed by the banks through the Norwegian BankID Cooperation, under the direction of the “Finansnæringens Hovedorganisasjon” and “Sparebankforeningen”.
More than 68% of the total Norwegian population has a Norwegian BankID.
Integrating with Norwegian BankID through Signicat
Signicat has an integration with Norwegian BankID and delivers this, as well as a vast amount of other integrated methods through a single point of integration. For our customers, this means a shorter amount of time to production and time saved integrating and maintaining the integrations with one or several identity-providers. Through the single point of integration, one will get access to Signicat’s wide portfolio of integrated ID methods, not only Norwegian BankID, as well as other services like identity paper verification, lookups, and video assurance.
Norwegian BankID can be used for digital onboarding of a user, through user identification. The ID method can be used as a stand-alone method or in combination with other services provided by Signicat to assure an identity, like identity paper verification, lookups, and video assurance.
To be able to apply for a loan in Norwegian banks you first have to register and become a customer of a bank. During this digital onboarding process, you can choose to use Norwegian BankID, among others, as an ID method to register as a user for the first time.
When the user has completed the digital onboarding process, as mentioned above, Norwegian BankID can be used for authentication to connect by verifying an existing user’s identity. Getting started guides for authentication with the different authentication protocols can be found here.
As a registered customer in a bank, you will be able to apply for a loan. To be able to log in to your bank you have to authenticate to prove your identity. Norwegian BankID can be used for authentication, in the same way as it can be used for registering as a new customer.
An example of an OpenID Connect response when Norwegian BankID is used for authentication can be found here.
An example of a SAML 1.1 response when Norwegian BankID is used for authentication can be found here.
BankID includes an API toolkit called BankID AML, whose main aim is to help merchants counter money laundering and terror financing, as well as comply with AML legislation. This API can also be used if you integrate with Signicat’s identity hub. Bear in mind, however, that if you are accessing the API through Signicat it can only be used to gather information about individual persons, not organizations.
When using Signicat, BankID AML works like this:
- Signicat gathers the following information from the BankID authentication process: national identification number, name and nationality.
- Signicat passes the name and national identification number to the AML service. The AML service uses two different endpoints: one for address and one for pep-sanctions from the EU and the UN. The source for the address information is usually Bisnode, unless the merchant has been onboarded with the Norwegian national population register (Folkeregisteret).
- The AML service sends a response containing the following information:
  - The home address of that person, if there are any matches.
  - PEP sanctions, if applicable.
- Signicat takes the response from the AML service and returns all the received information as an attribute in its response.
It is important to point out that BankID AML is only conceived as part of the BankID authentication process, not as an independent API or microservice. If the merchant requests the activation of the BankID AML service, the service will be provided for every BankID authentication that is carried out.
The first alternative, authentication-based signing, is Signicat’s own signing solution, which supports the use of any type of authentication method provided by Signicat. Norwegian BankID is used as the authentication method for this alternative, and the authentication result is reused for signing. This alternative ensures a unified output format in accordance with EU specifications, as well as a scalable, responsive flow supporting nearly all modern device standards and window sizes.
The second alternative is to perform native signing with Norwegian BankID as a third-party method. Here, Norwegian BankID’s native signing support is used for signing. It will not follow the same output formats and cannot be guaranteed to support responsive flows, nor necessarily support all of the same signing functionality as the authentication-based alternative.
With either alternative, the signing result is a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES, implemented as LTV-SDO). See the Result section for signing result examples.
With Signicat Signature you can sign (as well as view or upload) one or more documents, for example loan applications, contracts, etc., with Norwegian BankID. Authentication-based signing allows you to sign all the documents at once, while third-party signing requires you to sign the documents one at a time. See the Screenshots section below for an example.
The screenshots illustrate the flow when Norwegian BankID is used for authentication-based signing. There are two documents for signing, “Letter of intent” and “Contract details”, and one document for view only, “Information about Signicat”.
For an example of a LTV-SDO, as a signing result with authentication-based signing and Norwegian BankID as authentication method, please see here.
For an example of a PAdES, as a signing result with authentication-based signing and Norwegian BankID as authentication method, please see here.
How to get started with Norwegian BankID
To get started with Norwegian BankID you have to obtain a Merchant Certificate for Norwegian BankID (or use the Shared merchant certificate for Norwegian BankID).
- Obtain Merchant Certificate. Information needed from the merchant:
  - Organization number
  - Contact information of a contact person at the merchant – name, mail and mobile
  - Contact information of the signer at the merchant – name, mail and mobile. This must be someone with procuration who is able to sign electronically with Norwegian BankID; if not, an Authorization must be provided.
  - Contact information of receivers of operations related information from BankID Norway – name, mail and mobile (up to 2 persons)
  - Contact information for those who have the permit to revoke/block the certificate – name, mail and mobile (up to 2 persons)
  - “Firmaattest”. The merchant with procuration can get this document from Altinn.no.
  - Legal basis for getting the fødselsnummer (national identification number), if the merchant is going to obtain the fødselsnummer
  - The merchant name that will be visible in the BankID client
  - Production URL
- Signicat will fill in the rest of the needed information for the agreement and send it to the merchant
- The agreement will be signed electronically
BrukerstedsBankID is a business certificate that can represent a company or an organization. A business certificate is intended to ensure communication to and from companies and organizations. No personal information or personal identification is stored in a business certificate.
The BrukerstedsBankID certificate will be stored in your system, or in the system of a service provider like Signicat AS. A BrukerstedsBankID can be copied to other computers that you want to use.
The BrukerstedsBankID certificate for preproduction will usually be Signicat’s test merchant certificate for use in Signicat test environments. It may only be used to authenticate test users (not real live persons).
The BrukerstedsBankID certificate for production represents your business in the BankID and Signicat production environments. This certificate will be issued by your bank, after you have performed the Merchant test, and sent a signed test declaration to the bank. It may only be used to authenticate real live persons (not test persons).
User certificate types
User certificates are “Banklagret”, which means that they are stored centrally in the bank. It is possible to use a “Banklagret” BankID from any computer. PersonBankID is defined by BankID as a type of a client certificate. It is a personal BankID which can be used both for authentication and signature.
An issued certificate contains a reference to a certificate policy used when issuing the certificate. The reference is in the form of an OID located in the certificate policies extension. BankID has defined different policies for different types of subscribers:
| Reference (OID) | Certificate type |
| --- | --- |
| 2.16.5220.127.116.11.9.1 | Bank-stored end-user PERSONAL certificate |
| 2.16.518.104.22.168.11.2.1 | Bank-stored end-user EMPLOYEE certificate |
| 2.16.522.214.171.124.12.1.1 | Bank-stored end-user Qualified PERSONAL certificate |
| 2.16.5126.96.36.199.13.1.1 | Bank-stored end-user Qualified EMPLOYEE certificate |
| 2.16.5188.8.131.52.12.2.1 | BankID on Mobile end-user Qualified PERSONAL certificate |
| 2.16.5184.108.40.206.6.1.1 | Merchant soft certificate |
| 2.16.5220.127.116.11.6.2.1 | Merchant HSM certificate |
The user information available after a successful authentication may differ slightly between different issuers. Important parameters are:
- Name, full name or plain-name
- Birth date
- Valid from
- Valid to
- Issued by
- PID, unique ID specific for Norwegian BankID
The user information available after a digital signature is the same as for an authentication. You will also be able to download the signed document. The signed document contains the digital signature produced by the user when he signed the document. This is sufficient for proving that the user actually signed the document.
The signed documents are represented in a SEID format, which is a Norwegian standard.
Signicat’s test environment preprod.signicat.com is available 24×7, and may be used during your development and test phase. All use of this environment is free.
Test BankID for merchants (BrukerstedsBankID)
Test BankID for merchants (BrukerstedsBankID) will be issued by your bank after you have signed the “Avtale om BrukerstedsBankID” (merchant BankID agreement).
Normally, a person at Signicat Operations will have the role of technical responsible in the BankID agreement. This person will receive instructions from the bank on how to activate the BrukerstedsBankID. When it is activated, it will be installed into the certificate store in Signicat’s system, and made available to you from your unique customer-specific configuration. When the configuration is set up in test, you may verify your merchant certificate by sending calls to the BankID authentication or signature service, using test users.
Test BankID for end users
There are two types of BankID for end users: PersonBankID and AnsattBankID. Both types are stored in the banking system, which means that there is no need for any certificate installation on the client. Access only requires that you have the fødselsnummer, security code (sikkerhetskode) and a secret password.
You may order your own BankID test users by sending an e-mail to firstname.lastname@example.org, specifying the name and fødselsnummer for each test user. Signicat will forward this order to BankID Norway, and return the test users to you as soon as they are available.
The file must be in text format as below:
<valid personal identification number>, Signicat, LastName, FirstName
11113306361, Signicat, Johnson, John
29090816894, Signicat, Williams, Ellie
18047728521, Signicat, Adams, Douglas
The fødselsnummer must follow a valid syntax. It is possible to use an online generator to ensure validity, like the following site (click “vis liste”). The one-time password and the password are the same for all users in pre-production:
One-time password: otp
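A way to check an order file before e-mailing it, as an added example that is not Signicat's or BankID's code: it parses the row format shown above and verifies the two mod-11 control digits of each fødselsnummer. It uses the three sample rows from this page plus one constructed row with a wrong control digit; the function names are illustrative, and date plausibility is not checked.

```python
import re

# Mod-11 weights for the two control digits of a fødselsnummer.
K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2)
K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def control_digit(digits, weights):
    """Return the control digit, or None when the result is 10 (no valid digit)."""
    check = (11 - sum(d * w for d, w in zip(digits, weights)) % 11) % 11
    return None if check == 10 else check


def is_valid_fnr(fnr):
    """True if fnr is 11 ASCII digits and both control digits match."""
    if not re.fullmatch(r"[0-9]{11}", fnr):
        return False
    d = [int(c) for c in fnr]
    return (control_digit(d[:9], K1_WEIGHTS) == d[9]
            and control_digit(d[:10], K2_WEIGHTS) == d[10])


def check_order_file(text):
    """Split rows into accepted tuples and (line number, reason) errors."""
    accepted, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4 or not all(fields):
            errors.append((lineno, "expected 4 non-empty comma-separated fields"))
        elif not is_valid_fnr(fields[0]):
            errors.append((lineno, "identification number fails mod-11 check"))
        else:
            accepted.append(tuple(fields))
    return accepted, errors


# Rows 1-3 are the sample rows from this page; row 4 is constructed,
# with the last control digit changed so that it fails validation.
SAMPLE = """\
11113306361, Signicat, Johnson, John
29090816894, Signicat, Williams, Ellie
18047728521, Signicat, Adams, Douglas
11113306362, Signicat, Constructed, Invalid
"""

if __name__ == "__main__":
    ok, bad = check_order_file(SAMPLE)
    print(f"{len(ok)} accepted, {len(bad)} rejected: {bad}")
```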
Support for Norwegian BankID is determined by several parameters. The most significant are:
- Operating system
- Support for Java and Java-version in the browser
For a complete list of supported browsers, please visit this page on www.bankid.no (NB: in Norwegian).
How to integrate Consent Signature with Norwegian BankID from a native app
If you are building your own browserless native app and want to utilize mobile text-only signing, or Consent Signature, via Signicat, you can do this using our OpenID Connect (OIDC) API as a mediator. Please refer to our documentation on Consent Signature for detailed information on how to integrate Consent Signature.