NemID

Technical documentation coming soon

If you want to integrate with NemID, contact us for more information and technical documentation:

Page contents

• About NemID
  • NemID for citizens
  • NemID for business
• Get started with the integration
  • Initial preparations
  • Add NemID
• Certificates
  • Merchant certificate
  • Employee certificate
  • Personal certificate
  • VOCES merchant certificate for production
• Test information
  • NemID test environment
  • Service provider package
  • Creating test users
• Other sources
• Support

About NemID

NemID is a collaboration between the Danish banks and the Danish public sector. This alliance forms a countrywide solution and provides a secure login mechanism for websites wanting to use the free-of-charge digital ID for all citizens in Denmark. NemID is run by Nets DanID.

NemID will soon be replaced by MitID

MitID is a new electronic ID in Denmark, replacing NemID. NemID is scheduled to be phased out at the end of June 2023. For information on how to get started with MitID, see the MitID (opens new window) page.

NemID for citizens

This section shows an example of a typical login session for a private user. The actual screens may have a different graphical profile in your setup.

1. The user provides their user ID and secret code. The user ID may be the user’s CPR number, a unique NemID number or username chosen by the user themselves. Such a username may be created on the first use of NemID.
2. The user provides a one-time code from their code device.
3. NemID processes the input data from the user.

4. Provide a CPR number (optional step): You can retrieve the user's CPR number to be matched against Nets DanID's PID-to-CPR service. The PID-to-CPR service has two different modes:

• Lookup mode: The CPR number will be extracted by the service using the PID as the key (requires no user interaction). Only public service providers are allowed to use the PID-to-CPR service in this mode. Private service providers must use the match mode.
• Match mode: The end-user has to enter their CPR number. The number entered by the user will be matched against the CPR number that is extracted by the PID-to-CPR service. If the CPR numbers are equal, the user can continue.

The user can in match mode ask the system to remember their CPR number. The CPR number will then be stored in Signicat's system and they will not see the CPR step in the future. Signicat stores the CPR numbers as long as the user is active, but if the user stops using the service for a while, the CPR number will be deleted after a certain time. A batch job runs every night and deletes all CPR numbers that have been unused for 3 months or more. The limit of 3 months is consistent with the Norwegian legislation.

NemID for business

NemID Employee signature targets private enterprises as well as government agencies and authorities. NemID Employee signature is available to all Danish enterprises having a Danish CVR number. Though the first 3 NemID Employee Signatures are free of charge, adding more options and complexity will result in a fee to Nets DanID.

NemID Employee signature is a personal signature, and it identifies you as an employee in a specific enterprise.

To be able to use this infrastructure (e.g. verifying a login or checking the validity of email signing/encryption) an agreement/contract must be made between you, the customer and Nets DanID.

Using your private NemID to log in to business portals

This is a special use case where a private person can use their private NemID to log in to business portals representing their company. This means the person does not need to create a separate employee certificate and negotiate roles with the service provider. This login mostly applies to one-person businesses (enkeltmandsviksomheder).

To avoid confusion, we recommend that you set up separate menu options to log in as a private person, as an employee or as a business owner. In the below example, a person has logged in with their private NemID. They have the option to continue either as a private person (Tajs Jensen) or as a business owner (here indicated with the CVR number):

If they have no role in any business, the login will fail.

Get started with the integration

Integration with NemID is done similarly to other Signicat's eID methods. This section describes how to get started with setting up NemID.

If you need more general information on how to integrate with Signicat using the OpenID Connect (OIDC) or SAML 2.0 protocols, see the Authentication quick start guide.

Initial preparations

• Register in the Signicat Dashboard (opens new window).
• In the Signicat Dashboard, set up an organisation, an account and a domain.

Sandbox account

We recommend you to create a Sandbox account to test our services before implementing them in production.

In order to go into production with NemID, your company will need the following:

• A service provider agreement with Nets DanID
• An agreement to use the PID-CPR service (optional, but necessary if you need to receive CPR numbers from the users).
• Agreement to use their production environment.
• A VOCES merchant certificate for production.

Add NemID

Once your Dashboard account is configured, you must add NemID to the list of supported ID methods.

Note:

Before you can add NemID to the Dashboard, you need to configure NemID access with an onboarding manager. To get help with this, please contact us (opens new window).

To add NemID:

• In the Signicat Dashboard, go to Authentication > ID Methods.
• Click Add new.
• Choose NemID and click Save.

Certificates

Merchant certificate

A merchant certificate (signature) represents your business and is used by the web application to communicate securely on your behalf. Merchant certificates for NemID are called VOCES (“Virksomheds OCES” or “Virksomhedssignatur”). There are different merchant certificates for the sandbox and production environment.

Merchant certificates for the sandbox environment are free while there is a fee for the production merchant certificate.

For an order form, see NemID customer certificate (opens new window).

Employee certificate

An employee signature is a personal certificate, but it is associated with your company. With an employee signature, you may sign on behalf of your company.

To order a NemID employee certificate, see NemID Medarbejdersignatur (opens new window).

Personal certificate

NemID can be used on both public and private services on the web.

End-users may order their personal digital signature on the NemID page (opens new window).

VOCES merchant certificate for production

For a VOCES order form, see NemID medarbejdersignatur (opens new window).

You need to specify:

• CVR number of the merchant
• Name/friendly name of the application (service name, department name, etc.)
• Technical contact person (name and email address)
• Granted person (name and email address)
• Email address associated with the VOCES certificate (merchant, department, email address)
• Comments

Test information

NemID test environment

Regardless of whether you have already signed a service provider agreement with Nets DanID or are considering becoming a NemID service provider, Nets DanID will need some information about your company in order to give you access to the NemID test environment.

It is a prerequisite for accessing the NemID test environment that you have a test company signature (test VOCES), since a production company signature cannot be used in the test environment. If you already have a test Corporate Signature, you can use it. Alternatively, you may order one from Nets DanID.

Friendly Name

The Friendly Name field will be displayed in the NemID applet to identify the service provider that the user tries to access. The user would, for example, be able to read, “You are now logging on as Acme Corp” where Acme Corp constitutes the Friendly name. Nets DanID makes a concrete assessment of whether the Friendly name is correct.

CVR/UID from the test VOCES certificate to test system

You can find information about CVR/UID in the test VOCES certificate in the certificate details. The certificate has a Subject field that contains a Serial Number where you can see the values of CVR and UID.

Service provider package

Once agreements are signed, you must fill in a form for establishing the service provider so that you receive access to the right systems at Nets DanID. You can find this form together with your service provider package, which also provides information and software for use in the testing phase.

Creating test users

Nets DanID has developed a tool that enables service providers themselves to create the test users they want. With this tool you can create a new test user with a code device and password. You can also see transaction logs for a specific test user. Below you can see the step-by-step process of how to create a test user.

1. Gain access to Nets DanID's developer environment

Allow IP address

Access to Nets DanID's developer environment (opens new window) requires that Nets DaniD adds your company’s IP address(es) to an allowlist.

If you have an existing provider agreement (tjenesteudbyderaftale) with Nets DanID and you can’t access the page mentioned above, contact NemID Service Provider Support (opens new window) to have your IPs added (max. 10 per company).

If you do not have an existing provider agreement (tjenesteudbyderaftale) with Nets DanID, you may apply and fill in your IP’s on the Nets DanID website (opens new window) (Danish).

2. Create a NemID test user

Go to the Nets DanID developer environment (opens new window).

• Click “Autofill” to fill all fields with valid test data
• Change alias (username) and password to whatever you’d like
• Click “Create new identity” and wait

3. Get an overview of the user

After clicking Submit, you’re redirected to the overview page. You should bookmark this page. From here you can issue new OTP cards and find other, useful data about your test user. The username (alias) you created will allow you to look up this page again. The CPR number here will be important for authentication with CPR/PID checks, so make sure you save it.

4. Save the link to the OTP card

Now click the OTP card link. This will send you to this users’ OTP card page. You should bookmark this page for future use, as the codes here are necessary for the NemID authentications.

The registration process is now complete! You may now use your new NemID for NemID authentication. Again — remember to save your password, user ID, CPR number and OTP card link. Signicat will not be able to help you recover any data or user, so store the information safely. To reiterate, this is the order in which you will need your test user information when authenticating with NemID:

• Fill in username and password
• Refer to your OTP card link to find the serial which corresponds with the number presented in the NemID window
• Fill in your CPR number if/when prompted

See also Nets DanID’s recommended test procedures (opens new window).

Other sources

• Information to Danish citizens about NemID (opens new window) (in Danish language)
• A full guide and information on NemID from Nets DanID (opens new window) (in English language)

Support

Are there any features you think are missing? Anything you'd like to see on our site? You can share your thoughts on our community pages:

If you have questions, please contact Signicat Support:

See also our support page.