Order MitID for production

Prerequisites for setting up an agreement

To use MitID in production, your company must be registered in the EU and have an EU VAT Id.

MitID terms of service

In addition to the general Criipto terms of service, you must also accept the MitID-specific terms.

UX requirements

With MitID you will be using a hosted MitID page at Criipto. The page may be styled to your liking, but some requirements must be observed.

Please see the UX requirements to make sure you comply.

Steps to take in Criipto Verify

Apply for production access

  1. Go to the management dashboard and set the environment toggle at the top center to “PRODUCTION”.
  2. In the “Identity sources” section, expand the “DK MitID” section.
  3. Submit the details for your company. Note the following:
    • The name to show in the MitID login box is the name entered in the “Company alias” box
    • The “Domain prefix” is typically your company or brand name, e.g. acme-corp. Once this registration is completed this will be used to set up your MitID domain, in this case acme-corp.mitid.dk.
  4. Criipto will verify the identity of you and your organization. If successful, we then send the information to Nets, where the domain is set up as explained in the previous step. Once the domain has been set up, it will appear in the “Domains” section.

Expect this process to take 5-7 workdays.

Complete the onboarding process

  1. Once you receive a confirmation from Criipto (via email), go back to the “Identity sources” section and open “DK MitID”. Once Criipto has processed your registration and Nets has set up the mitid.dk domain, the Complete button will become active for you to click.
  2. Configure the various options that appear after the onboarding completes.
    • If you use our service for NemID as well, select a NemID fallback domain. Note this is only relevant if you, for some reason, send requests directly to your mitid.dk domain.
    • If you need access to the end-user’s CPR number, make sure the Add CPR for MitID logins toggle is enabled.
    • In contrast to NemID, not all MitID users have a CPR number. If your application can handle the case of a missing CPR, you may enable the CPR Optional toggle. This will let MitID users without a CPR number log in to your service.
    • If you want to use our side-by-side feature for showing both MitID and NemID login options, make sure the Also offer MitID login when NemID is requested toggle is enabled.

Set up an application on your MitID domain

  1. Register your application, just as you would for all other integrations.
  2. IMPORTANT: If you want to use NemID and MitID side-by-side, you must create a “shadow” application with the same Client ID/Realm and Callback URLs as the application you currently use for NemID. This is necessary to make the switching back and forth between MitID and NemID function.

Validating token signatures for MitID

MitID comes with a new approach to storing and using token signing keys. There will be a distinct token signing key in use for MitID, in addition to the one you use for other types of e-ID, such as NemID. Criipto Verify announces all of these signing keys in the metadata documents for your domains (see work with metadata for a primer on this subject).

Most modern OIDC libraries have built-in support for dynamic metadata retrieval, so all this should be handled for you behind the scenes.

Dynamic metadata retrieval is also necessary to achieve minimal disruption for your applications in an ordinary key rollover as well as disaster recovery scenarios.
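
For applications that validate tokens without such a library, the sketch below shows the key selection that dynamic metadata retrieval implies: look up the token's `kid` among the published keys and refetch the metadata (rate-limited) when the `kid` is unknown, as happens in a key rollover. This is an added example, not Criipto's code; the class name, the `fetch_json` callable, the `kid` values, the `jwks_uri` path and the RS256 check are assumptions made for illustration.

```python
import base64, json, time

class SigningKeyResolver:
    """Pick a token's verification key from the keys published in domain metadata."""
    def __init__(self, issuer, fetch_json, min_refresh_seconds=60, clock=time.monotonic):
        self.discovery_url = issuer.rstrip("/") + "/.well-known/openid-configuration"
        self.fetch_json = fetch_json  # assumption: callable(url) -> parsed JSON
        self.min_refresh, self.clock = min_refresh_seconds, clock
        self.keys, self.last_refresh = {}, None

    def refresh(self):
        # Follow jwks_uri from the discovery document instead of pinning a key.
        jwks = self.fetch_json(self.fetch_json(self.discovery_url)["jwks_uri"])
        self.keys = {k["kid"]: k for k in jwks["keys"] if k.get("use", "sig") == "sig"}
        self.last_refresh = self.clock()

    def key_for(self, token):
        head = token.split(".")[0]
        header = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
        if header.get("alg") != "RS256":  # assumption: tokens are RS256-signed
            raise ValueError("unexpected alg: %r" % header.get("alg"))
        kid = header.get("kid")
        if kid not in self.keys:
            # Unknown kid: key rollover or a forged token. Refetch, but rate-limit
            # so that bogus kids cannot trigger a metadata fetch per request.
            age = None if self.last_refresh is None else self.clock() - self.last_refresh
            if age is None or age >= self.min_refresh:
                self.refresh()
        if kid not in self.keys:
            raise KeyError("no published signing key with kid %r" % kid)
        return self.keys[kid]  # hand this JWK to your JWT library for verification

# Constructed sample data: kid values and the jwks_uri path are placeholders.
ISSUER = "https://acme-corp.mitid.dk"
PUBLISHED = {"keys": [{"kid": "other-eid-key", "kty": "RSA", "use": "sig"},
                      {"kid": "mitid-key", "kty": "RSA", "use": "sig"}]}
FETCHES = []  # records every URL the resolver requests

def fake_fetch(url):
    FETCHES.append(url)
    if url.endswith("/.well-known/openid-configuration"):
        return {"jwks_uri": ISSUER + "/jwks-placeholder"}
    return PUBLISHED

def sample_token(kid, alg="RS256"):
    header = json.dumps({"alg": alg, "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".payload.sig"
```

The resolver only selects the key; signature, issuer, audience and expiry checks still have to be performed with the returned JWK.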